From a051483c79229a1cbb64f6b0ba8c058d60c18aab Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Mon, 1 Apr 2024 14:43:16 -0400
Subject: [PATCH 01/26] linux configs: align with purism; remove TMPFS, add sysctl requirements
Signed-off-by: Thierry Laurion
---
 config/linux-c216.config | 10 +++-------
 config/linux-kgpe-d16_server-whiptail.config | 10 ++++------
 config/linux-kgpe-d16_server.config | 10 ++++------
 config/linux-kgpe-d16_workstation.config | 10 ++++------
 config/linux-librem_common-6.1.8.config | 3 ++-
 config/linux-librem_common.config | 3 ++-
 config/linux-linuxboot.config | 4 ++--
 config/linux-nitropad-x.config | 17 +++++++----------
 config/linux-qemu.config | 11 ++++-------
 config/linux-t440p.config | 10 +++-------
 config/linux-talos-2.config | 7 +------
 config/linux-w541.config | 10 +++-------
 config/linux-x230-flash.config | 7 +------
 config/linux-x230-legacy.config | 7 +------
 config/linux-x230-maximized.config | 10 +++-------
 15 files changed, 44 insertions(+), 85 deletions(-)
diff --git a/config/linux-c216.config b/config/linux-c216.config
index 252a7a65f..dbd963eac 100644
--- a/config/linux-c216.config
+++ b/config/linux-c216.config
@@ -157,6 +157,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2238,7 +2239,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2503,18 +2503,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
diff --git a/config/linux-kgpe-d16_server-whiptail.config b/config/linux-kgpe-d16_server-whiptail.config
index 99e9b2716..18a7a2c0c 100644
--- a/config/linux-kgpe-d16_server-whiptail.config
+++ b/config/linux-kgpe-d16_server-whiptail.config
@@ -160,6 +160,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2545,18 +2546,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 # end of Pseudo filesystems
@@ -3185,6 +3182,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
 # CONFIG_TEST_STATIC_KEYS is not set
 # CONFIG_TEST_KMOD is not set
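Review bot: Dropping `CONFIG_TMPFS` in this hunk also changes what backs the initramfs root: per the kernel's ramfs-rootfs-initramfs documentation, rootfs is tmpfs only when TMPFS is built in and otherwise falls back to ramfs, which has no size limit or memory accounting, so any scratch file written under the initramfs tree can consume all RAM unchecked instead of failing with ENOSPC. Patch 02/26 in the same series then sets `vm.panic_on_oom=1` from `initrd/init`, so the combined effect is that a runaway write during a Heads session ends in a kernel panic; that may be the intended fail-closed behaviour for boot firmware, but neither commit message says so. Please record the rationale and the new failure mode in the message (or a comment next to the TMPFS line), and if bounded scratch space is still wanted, keeping `CONFIG_TMPFS=y` is the smaller change. The removed `CONFIG_MEMFD_CREATE=y` looks like a derived symbol that disappears with TMPFS rather than an independent choice; worth a word in the message too. The same hunk is repeated in every board config in this patch.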
diff --git a/config/linux-kgpe-d16_server.config b/config/linux-kgpe-d16_server.config
index 99e9b2716..18a7a2c0c 100644
--- a/config/linux-kgpe-d16_server.config
+++ b/config/linux-kgpe-d16_server.config
@@ -160,6 +160,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2545,18 +2546,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 # end of Pseudo filesystems
@@ -3185,6 +3182,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
 # CONFIG_TEST_STATIC_KEYS is not set
 # CONFIG_TEST_KMOD is not set
diff --git a/config/linux-kgpe-d16_workstation.config b/config/linux-kgpe-d16_workstation.config
index 3d6a8c4f9..40edf7261 100644
--- a/config/linux-kgpe-d16_workstation.config
+++ b/config/linux-kgpe-d16_workstation.config
@@ -160,6 +160,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2793,18 +2794,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 # end of Pseudo filesystems
@@ -3433,6 +3430,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
 # CONFIG_TEST_STATIC_KEYS is not set
 # CONFIG_TEST_KMOD is not set
diff --git a/config/linux-librem_common-6.1.8.config b/config/linux-librem_common-6.1.8.config
index 9e4752357..70590d5b1 100644
--- a/config/linux-librem_common-6.1.8.config
+++ b/config/linux-librem_common-6.1.8.config
@@ -182,6 +182,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_EXPERT=y
@@ -2475,7 +2476,7 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
diff --git a/config/linux-librem_common.config b/config/linux-librem_common.config
index a3edda0f4..e65f907d1 100644
--- a/config/linux-librem_common.config
+++ b/config/linux-librem_common.config
@@ -157,6 +157,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2598,7 +2599,7 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config
index 0ff8541bb..25b9963a0 100644
--- a/config/linux-linuxboot.config
+++ b/config/linux-linuxboot.config
@@ -264,9 +264,9 @@ CONFIG_ISO9660_FS=y
 CONFIG_JOLIET=y
 CONFIG_MSDOS_FS=y
 CONFIG_VFAT_FS=y
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
-CONFIG_TMPFS=y
+CONFIG_TMPFS=n
 CONFIG_HUGETLBFS=y
 CONFIG_EFIVAR_FS=y
 # CONFIG_MISC_FILESYSTEMS is not set
diff --git a/config/linux-nitropad-x.config b/config/linux-nitropad-x.config
index 8592d579d..40b35f73c 100644
--- a/config/linux-nitropad-x.config
+++ b/config/linux-nitropad-x.config
@@ -166,7 +166,7 @@ CONFIG_ARCH_SUPPORTS_INT128=y
 # CONFIG_CHECKPOINT_RESTORE is not set
 # CONFIG_SCHED_AUTOGROUP is not set
 # CONFIG_SYSFS_DEPRECATED is not set
-CONFIG_RELAY=y
+# CONFIG_RELAY is not set
 CONFIG_BLK_DEV_INITRD=y
 CONFIG_INITRAMFS_SOURCE="@BLOB_DIR@/dev.cpio"
 CONFIG_INITRAMFS_ROOT_UID=0
@@ -181,10 +181,11 @@ CONFIG_RD_XZ=y
 CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_INITRAMFS_COMPRESSION_NONE is not set
 # CONFIG_BOOT_CONFIG is not set
-CONFIG_INITRAMFS_PRESERVE_MTIME=y
+# CONFIG_INITRAMFS_PRESERVE_MTIME is not set
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_EXPERT=y
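Review bot: `+CONFIG_TMPFS=n` in the linux-linuxboot.config hunk is written in a form none of the other fourteen configs in this patch use; everywhere else the same change is spelled `# CONFIG_TMPFS is not set`. Kconfig's .config reader does accept `=n` for a bool, but `savedefconfig`/`olddefconfig` emit the comment form, so this line will churn on the next regeneration and any `grep 'is not set'` audit of the board configs will miss it; I would change it to `# CONFIG_TMPFS is not set` for consistency. Note that this file alone keeps `CONFIG_HUGETLBFS=y` and, unlike the other hunks, does not lose `CONFIG_MEMFD_CREATE`, which suggests MEMFD_CREATE is derived from TMPFS||HUGETLBFS; that is harmless but worth stating so the per-board difference is not mistaken for an oversight.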
@@ -2334,7 +2335,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_DEBUG is not set
 # CONFIG_DMABUF_SELFTESTS is not set
@@ -2658,22 +2658,18 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
 CONFIG_ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
-CONFIG_EFIVAR_FS=m
+# CONFIG_EFIVAR_FS is not set
 # end of Pseudo filesystems
 # CONFIG_MISC_FILESYSTEMS is not set
@@ -3375,6 +3371,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
 # CONFIG_TEST_STATIC_KEYS is not set
 # CONFIG_TEST_KMOD is not set
diff --git a/config/linux-qemu.config b/config/linux-qemu.config
index a5145bb0c..113e0ae0a 100644
--- a/config/linux-qemu.config
+++ b/config/linux-qemu.config
@@ -177,6 +177,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2270,7 +2271,6 @@ CONFIG_RTC_DRV_CMOS=y
 #
 CONFIG_SYNC_FILE=y
 # CONFIG_SW_SYNC is not set
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2559,18 +2559,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 CONFIG_CONFIGFS_FS=y
 CONFIG_EFIVAR_FS=m
@@ -3201,6 +3197,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
 # CONFIG_TEST_STATIC_KEYS is not set
 # CONFIG_TEST_KMOD is not set
diff --git a/config/linux-t440p.config b/config/linux-t440p.config
index 7e520b220..2ba0a56af 100644
--- a/config/linux-t440p.config
+++ b/config/linux-t440p.config
@@ -157,6 +157,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2252,7 +2253,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2517,18 +2517,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
diff --git a/config/linux-talos-2.config b/config/linux-talos-2.config
index 735ac9339..0aa3ac5b1 100644
--- a/config/linux-talos-2.config
+++ b/config/linux-talos-2.config
@@ -2438,7 +2438,6 @@ CONFIG_RTC_DRV_OPAL=y
 #
 CONFIG_SYNC_FILE=y
 # CONFIG_SW_SYNC is not set
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # end of DMABUF options
@@ -2755,11 +2754,8 @@ CONFIG_PROC_PAGE_MONITOR=y
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_TMPFS_XATTR=y
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 # end of Pseudo filesystems
@@ -2903,7 +2899,6 @@ CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 # CONFIG_PERSISTENT_KEYRINGS is not set
-# CONFIG_BIG_KEYS is not set
 # CONFIG_TRUSTED_KEYS is not set
 CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
diff --git a/config/linux-w541.config b/config/linux-w541.config
index 7e520b220..2ba0a56af 100644
--- a/config/linux-w541.config
+++ b/config/linux-w541.config
@@ -157,6 +157,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2252,7 +2253,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2517,18 +2517,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
diff --git a/config/linux-x230-flash.config b/config/linux-x230-flash.config
index 1e115d137..e5030ebc3 100644
--- a/config/linux-x230-flash.config
+++ b/config/linux-x230-flash.config
@@ -1864,7 +1864,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2135,12 +2134,8 @@ CONFIG_PROC_SYSCTL=y
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
diff --git a/config/linux-x230-legacy.config b/config/linux-x230-legacy.config
index 84cbacca1..792edc792 100644
--- a/config/linux-x230-legacy.config
+++ b/config/linux-x230-legacy.config
@@ -1978,7 +1978,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2249,12 +2248,8 @@ CONFIG_PROC_SYSCTL=y
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
diff --git a/config/linux-x230-maximized.config b/config/linux-x230-maximized.config
index b408cd0e5..2ebbc1781 100644
--- a/config/linux-x230-maximized.config
+++ b/config/linux-x230-maximized.config
@@ -157,6 +157,7 @@ CONFIG_INITRAMFS_COMPRESSION_XZ=y
 # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
 CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_HAVE_PCSPKR_PLATFORM=y
 CONFIG_BPF=y
@@ -2235,7 +2236,6 @@ CONFIG_RTC_DRV_CMOS=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-# CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_SELFTESTS is not set
 # CONFIG_DMABUF_HEAPS is not set
@@ -2500,18 +2500,14 @@ CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
 #
 CONFIG_PROC_FS=y
 # CONFIG_PROC_KCORE is not set
-# CONFIG_PROC_SYSCTL is not set
+CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_PAGE_MONITOR is not set
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_PROC_PID_ARCH_STATUS=y
 CONFIG_KERNFS=y
 CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-# CONFIG_TMPFS_POSIX_ACL is not set
-# CONFIG_TMPFS_XATTR is not set
-# CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
From c73687a2327416a64c39e3fb7623c5b9eb2c91e3 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Mon, 1 Apr 2024 15:20:49 -0400
Subject: [PATCH 02/26] init: Adding checks for sysfs and runtime panic_on_oom=1
Signed-off-by: Thierry Laurion
---
 initrd/init | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/initrd/init b/initrd/init
index 44cde9fa9..67a179b76 100755
--- a/initrd/init
+++ b/initrd/init
@@ -24,7 +24,7 @@ if [ "$CONFIG_LINUXBOOT" = "y" ]; then
 mount /sys/firmware/efi/efivars
 fi
-# Setup the pty psudeo filesystem
+# Setup the pty pseudo filesystem
 mkdir /dev/pts
 mount /dev/pts 2>/dev/ttyprintk
@@ -78,6 +78,23 @@ fi
 TRACE "Under init"
+# make sure we have sysctl requirements
+if [ ! -d /proc/sys ]; then
+ warn "BUG!!! The following requirements to apply runtime kernel tweaks are missing:"
+ warn "CONFIG_SYSCTL=y"
+ warn "CONFIG_PROC_SYSCTL=y"
+ warn "Please open an issue"
+fi
+
+if [ ! -e /proc/sys/vm/panic_on_oom ]; then
+ warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
+ warn "Please open an issue"
+else
+ DEBUG "Applying panic_on_oom setting to sysctl"
+ echo 1 > /proc/sys/vm/panic_on_oom
+fi
+
+
 # set CONFIG_TPM dynamically before init
 if [ ! -e /dev/tpm0 ]; then
 CONFIG_TPM='n'
From f525b9337d5b5a95287ed7bdca78cbf8b746dcd3 Mon Sep 17 00:00:00 2001
From: 0xF4CED <24809481+0xF4CED@users.noreply.github.com>
Date: Thu, 4 Apr 2024 00:15:52 +0200
Subject: [PATCH 03/26] Update tails.key
Key expired: 2024-01-04
Replace with clean export of updated [Tails](https://tails.net/tails-signing.key) signing key.
Signed-off-by: 0xF4CED <24809481+0xF4CED@users.noreply.github.com>
---
 initrd/etc/distro/keys/tails.key | 645 ++++++++++++++----------------
 1 file changed, 288 insertions(+), 357 deletions(-)
diff --git a/initrd/etc/distro/keys/tails.key b/initrd/etc/distro/keys/tails.key
index 307a0d896..76d72d98c 100644
--- a/initrd/etc/distro/keys/tails.key
+++ b/initrd/etc/distro/keys/tails.key
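Review bot: The new `echo 1 > /proc/sys/vm/panic_on_oom` in the second initrd/init hunk is unchecked, and both `if` blocks before it only `warn` and fall through, so a write that fails (sysctl node present but rejected, e.g. under a future lockdown policy) leaves the OOM policy at the kernel default while the `DEBUG` line claims it was applied. I would write `echo 1 > /proc/sys/vm/panic_on_oom || warn "BUG!!! failed to set vm.panic_on_oom"` and turn the second test into an `elif` of the first so a missing /proc/sys yields one diagnostic rather than two overlapping ones. More importantly, with `panic_on_oom=1` and nothing here setting `kernel.panic` to a reboot timeout, an out-of-memory condition now halts the machine at the panic message until it is power-cycled; if that fail-closed behaviour is intended for a boot firmware, a comment above the block saying so (and noting that memory exhaustion is now fatal, which matters since the companion config patch drops TMPFS and so any size-limited scratch filesystem) would stop the next reader from "fixing" it. The enclosing script continues outside the hunk.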
@@ -11,361 +11,292 @@ zXSl42yg3EEsJlijBSR3wsIJ3+sWvQPMBdjgN0RjvoyI+zI7BeP8LC6ngz3GC8JS D5B8XNUYV32tlCs1ILdUPUF1BbxH2sWxysbpl9RvOG56JArSG2k+KlihXH5fmNiC NMWZ5vBShQ+bpBXh55fu3F7axequpWzocRfH+mfvBh5yvZnjDRGC3UZ06CFWN6JP 8wDFR+o8ZHSsq0Gx/2mIXVsJT6h0mF92Q1iqH2SQhFeRL3M+RcED6Bx33QARAQAB -tCFUYWlscyBkZXZlbG9wZXJzIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEF -CwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC -Y2zGDAUJENq7XgAKCRDbuAKyWKzYT2Z2D/0ccl30KGx55pfkEEkBnZ2FVAJu8oFL -ObMyuWxNgZg70aMCtBiZzDmpJUb5XC683aiHX5E11O7Oe3X2+uWJy2VAVTbAprBe -ZCE0cgT7WH08SQdWhiLD65ZBTspweQ4nJMXJn8LoVO/P4+nBuKjdW4DMmbxid7nU -3h439DKKpuZuYvbXOZpf6c7fkCpzG3Nu4MbQuvSCQTDGxb6LdacigFd4NU6bFWT4 -p4e4/Z/pK7Fgj++sKasi6NVr00uy/Zc31EV72+b5AceFEOlxd66ZzFTVSudIAXAQ -9nONxDgu/j+ua1Een4Jx08bhx2Kf0B3r2bJqN2bIzLgmwTM8gubkZjFmsBnSIBNs -wIUvFzOfwFl/vSMWzOMrVqe5oUDZt+ehpXP9K4B5XpG5elEQ/k1JASdeMSYjJBa4 -nrCUpjwD7zamsTwYaGxIXaieh0uBnBpfqS84Je7LX0fPOgC5MuuJ/H5qrAnRwDHu -Kx3oKhuaKLgFFDslY1kKSZAVD+gUCwNSE3YFKfjaFhAe2IsXoCnycU8BH35mV2oO -HugJaSuyZZlPBHPO01nCYfw/oOk38ou9bXf/uNFJWcjwCk/n7gYkU5rPGf9MKoDD -9BQ4HMeuzH4AgWFUsWHwPFXYMYHnY9x6bMO8x4VfiM+gPwtrqC+Z65m6W2F7UZxC -dd2l1+WPzkydXrRCVGFpbHMgZGV2ZWxvcGVycyAob2ZmbGluZSBsb25nLXRlcm0g -aWRlbnRpdHkga2V5KSA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAmNsxe0F -CRDau14ACgkQ27gCslis2E8LBw/+OKIM4+mZe4wPeA38iOF3DX/7WxUqITE3bHId -QzTfhOkNFXzJ3DfvgrZqnoqFm3HsaMnE1zFDhqMMQAZ0Ga+eFo789DSBNQUb0iYS -FHyYpkM17e2Hygmae6ofJGkHB9vAGQM4u7PxhOubeJPRoWiTUciBR2QPPH0Ttzi1 -81/t+nFTaHTdcDIVWOZ+PhvFB+xDq0Mvc73R+F0yzy1mDdwaSwrocmhWwyLUYpsj -S/wpCL7wDxhMYjQ3FwPq5rWLtSQ9Z9ClCz9ZogySQZ03kv5nZHnYAlXgRd19D2/p -guKFrEtj0M/k4KzQDbumMII2RyPTmDkOdwtIHKWpxhGM9J0ufbnH+oReUscWbodi -dTmj7VndBYAEQ5McqJdIlbTM1RSDeZzkpjHO+F4yyLP96iymfotMFaTisp90gXMl -cKrDrdmvQl9gsx/hoUeYuhiWb3JF1UCPSMSerysjYUYN16B2DzhvdYVQAbEaLQz9 -mUn9M1eWcNmOps1oQPyrA9oV3tJftTkn1Zym2C1/Xn+v1YAHLRlo3U44+l3bjXCC -EZtfFxzHjjnbAFOYZgIps2QfKZuszYVQOPObJRzL4YuF108OEMsHiWv2SnfWOe/X 
-5nz8Udj+DttvUoo9KhiTyo8C2flRkUMFNif+xSZjntF4MYPvBVe9Fxl00Kr6GBzY -C2/vkEm5Ag0EVLvR7AEQAN/E325mECH9+a8jCu0yHu5s5GOT9MOjyChyAFuont9Y -KiUj+1f3Eu65rHmuGDAjAz6NZS9ONENzIcDvrKvTcQbtfggtQJ5ExUPt6n2X7xdN -FW53KkonS+DjXwTQrr2vpnImb42XsNnZVBjaSzqpbxWF6rXWgTMeICWVuvkRfRab -8qNLh4ugPuC+dqVermt98uTf6eKa2sssBw4m36/sPXqoJ/TWahoCglob/uKbh3mr -2OxpDpzb4BSbTEwuRi5XP0VtkLroEYgCZxCCO6gH/S3zZFM/MEJSKqHcV8QdrR6l -6M3u2ILcAa16KtUMGiBH9JSXgBd/nRhDr4lpitstXJbwO6rZ1JCmIRkxUhMcnMdM -l9Kp5c1paoQv8uGOIgkji1BHf+/UN34ocvvS4XyiKbioOfWnAUYte6/IC2PC/6CT -yw9csvG3YgfvCPLLyXgaIzv236af7ZLVzca92hn/tjzZEKuvY0VokM3o3cEXkUZQ -mGXQ+vEVM4p98q0yrrgNGQjXXNulRmRXD0WTVO0HXWcfMtoOffkGlch1UDzTyl1r -g0LWNAC4l5aWaqbJiwXD2ahsMe9VcLLNbwPMl2v893veN3WPZPLCqDARHtRt7EQH -H3aV7jp/ngrdVZCBws0rz8AHAO5h69uyOqihdI6HNAgku2ie9d9WEMvBLYebeMZt -ABEBAAGJBEQEGAEKAA8CGwIFAlfFgOYFCQWbi3QCKcFdIAQZAQoABgUCVLvR7AAK -CRA8g9y1L2mcVlrKD/9vroqyOt3vh72V0Ae419Ll0fR67icPJYrg1R4+PcbERpr8 -rWf4RiVIaAxUzXkqBxjXiFUBXxz1vJ74+Zj8H7YyDHSsCZItjyQ1+VPv1EKTVgfr -mQQKE5oaTpqomaK2BGeZQGftiaCDPuohen83ZsEM+X09X+xr7WLrSyJRtgLLtKGa -dWuM1FzOiJyQCeCghBFjAUQKYWZJt4FdvMFPHVGba7YqRUSM9ZXM/hNhiu8rs8S7 -eoh8KWkms+E3rabBXZFnD+xKmSYCNPkQcAe324DXZhxQO9MpPPvpVZWEAVbhegK+ -B//EMUuP8Qpzv+shVYdVPotVZ4U1vM7WPALTz0TCSxkM9uCwE6eH7WAj1eqNHgJz -pjUPwxAb7EoDq4Q0yDCUQeqGqfiyYGPwI4RUL0nEjRJhOatcymlah+etdcvvEwbb -BJFFY60XmsQoagOG9za4oJpH+a/Y2DwL0b6AAumZ0LuT71EeqLRyUF0zvMQZf+3c -+dE+TjODhTNAwZ09F0sEPqSLnN8d6zvdyHu511sZYh9W45Msfx41Jh/7bpOsG/Cc -mWBAgP9kYAGwEseqoWJ/wpCouxSNrKvWQIiM653L41EUK3YbeCnaMwJsZOgHLzzl -c1Sezkbu7sdjpjz2HoVVO1SXI3CNsPfJxzxVQyr0AfdNnPuifCW2L9kfXg1fhQkQ -27gCslis2E9U/Q/+OMnllgXqDcA9T6mAPbptusxSd9p0dVeCgr8kq92ONej2b43d -/Fj9DtpXX57hWMq4COCv7aAlQzx8Zp2kZHNSczI/0TIzt6GHYq5zMTFwy91NxqfG -jip4yTL6/REhjtr1f/ye3ifX/SLAUNfbZDpMP8Xo3EP6gMy37RD9yCRmIZORfYJL -uHRlGpn9zKu1Laa50UlhvV7he4KDiYZTpiN4APbsRAIpjFCalRcd0rrxMkcBUPaE -cTzS2TP02wGS+60b49xoIZELKC+9nmK8JK90st5rTGUKOd/SguhkN3bVHlPlsFf9 -rWhLfjnI9+1qXPsWChRjJT5c1sh9oZl5NbTEje1q+vum5wSV4Mk7PqKlPjzwTlz/ 
-7QNJUP82M4rkEpK4tnOYmkNYpohOCRu6+suUgILG402PNIY2hJZf91F1guRlnE4J -G6ihe1Xwfi3GaBKDtzYaXO2ZRLRlQ0OYULvfUVxohUigEBs9pT2Dfe2l5k91N7tm -8EouyZ3UxSLDom16ZLjo3upCpSWzqgx8P/25Nr3B8pUkvhMm/Dxt0ehNIvjyjDAs -Ygnys3XgQ/J10OjbH4cUFUpmSprLp0gddODa21JHnHCq6cdPwpdNy21Uwe3B4ozn -I6WpU/9icw4zI7z3htVkSg8sSxjG4wFHNWh4Bb8OCdqpjoxAoGraSKGFNbm5Ag0E -VLvBMwEQAKnvGNhHuyGaraqMVpyM/0Upz3hoECl0vUPaXueHjeKkxnjBg9/UxUeI -ah7TjLMeoRYfqW0WGZRqIuKpxUl8KwkE06NqYutlu7v6w2WT8odHI4NcC/qFtGZ4 -07d4UIqPT9P+pEWYMn2rUL8dJnqoXm3ctUi6z4Y6fAs/k/S/Crd3uAhn1LmbUkEG -OMPsotyFLgkrWpDZCXISEjK1yH2Es3p8c0cQm30wjPimHYSCMTNTli/kWe9t9J02 -Q0j0lBbAVmWDmYf01kdeSEt0vPLuHRuuwvjDNPm7k3XbUVr6bV8vLhpIsXq2Fwr7 -XqOxpomEDQHdETwB8jgswwgOOiNkBU8d0+6IIdoN+ucueszQzE22FnAXC4o8Jill -KQrZGr7b0IJank2uuVMqpTigOqZQvEpHyccHgfRcsUZxm/G52/ctEKpGcPdwDOyk -PUXDfwBq4aryTqrNMOmtVISGNN1FndK1B7GAuGQN/nD9fyE3POhNiZ1l7dcoEzeF -Tjue+FN7LtzrmHb0TsonnrL+t36Fdf0kxwk2zCJKoIbJvRTESzWNCL5SpdYIg/NU -ZIVNZSpiKRtwNNVb3ykeqjoA/YC8mtp6sYkfVPtPMO8XaOWsSf9QvwO2rYTx/Jcr -W14k4vCOtpWW9QNa/6yTjhpt/RT9KxdQ1tQqT1HRrEj+/xd+PMYLABEBAAGJBEQE -GAEKAA8CGwIFAlfFgNYFCQWbnB0CKcFdIAQZAQoABgUCVLvBMwAKCRCY/sa8dSo9 -tuzWD/0fusAtGkL+TWD0SKqzVvMqwQ9asgVFjIz4cr/rugN6QdwWfvT1mNqAHrVA -7UwVkox5uZyVTJQZC3F7GuOPtbFDtmBMG5mlL8HPLdDufK1HmpXtYaDYsqRG6gjO -qvGjvlUHzqwjq1uRwBT2yDR9LwCO6DdZOsIdZBJbTccz7m5k9hZ861aZ0bifm7U0 -mgqN5MGvXcVzGYuDfgX8rfmC6TPaYY2QPc30QddUU0Hnk2VB0llvDHR9iR+g06K+ -FtpGbdS9rVFQ7itp9JJasQcfNVNJSKZU9oxZsvobyU47DmpDqWGrfGyn0dTdujoS -8wnasRjq6drDKMBa4IlRb21WVz7+2mAi0DOGJDlr/pGMWP7NKNLXAWpwsv5PreAF -BnV7FVAls5TIGC1vffwFNh4wdcqgfQj9Oi8uIYBvsuWYGLn4uX1l/H5Tl753pwrk -bB8NFVsdDM0dJXm6tpPJd3vCWcg9AFn7PJAVvNGd+n3uXPvycAHPkSIKYSGM69ms -o5iTgIJupJW8P/GR0vPAQkXR/pimFBxZYq0DFLqv6rsHmBPBd8iKHcO3QJwgnJwr -Fft9JIGx03byDPdGow6uxOh+0E9iYpleedmQxcz8Ids6QDywtv/uXGFUGdk1Ufhl -G8/Os3RYG83BP873O1HyyzyUp4fWWIb2P3Qd0tZXwVJYQvNoQAkQ27gCslis2E8d -YQ/+Jc+dxvw1zDPdjS5iZtQ9SOQi09SR91h1V/YEN+k/eWz8Ye/2hNVzoJ6wJIFv -W19VTUOZf1xUcf5i7Oe32+tWKG8WjO4P7OthLlKPSZJ56p1jbI9KjwjJgdfbOAz5 
-ZWWvgoT/yrRuFaxwCqynVxBflAmkybqrPL262H1KSTJ1HhdNLvFmtipuPLkkEy57 -Au9Q5roLsvyhEPz9O4B1BujjYrTU5zdoueMIrCVXE8o8URNP0kVIICdETSKpA+Nh -AbtZQhZF4RxGG124vaIX2hNzBDPLI1f02/XW1ePVFABPbi74EyVc68iJdsJEk1nL -2Nx6pfr7t+rsIrN30pFqx1L9ayKZbKlFyej34KOS14mo/rBuMJk6scu4FcP1jcrN -DPTpblJ/NmDbQQSxyJHK1OpJk6NHakDZkNA0oqXSW3uco4I/v86D1WXbEb0V/hmD -bGs/LVcUR1ITnpADbPVxEMltadYSLU96Yx8TCfJJEbeEUk1XuAGZ3KozDLFPjpr9 -KqOpw+3X0YxCRRshRjh6Vi/4ewQyw9Hww+jJF0N3cmTwe4saGjgjPxC6mN39Ufv1 -+p962Phr/XHPb5rtUysnN8Uh5RSegqD1PCzru4fPpqOv42wxLvrmQ734oVARrrNX -9APa2vRdtnya0RzrB0EsQ53+e6LIJf5RDWFcF9mmPO3ULfW5Ag0EVLvBkgEQAMiv -p8Yhjdqpn5VHe6f/+JjvK3Wggp/O41Ud5c8M01gHEAqtwKa5/IJrCqX3vvmgL7rl -WNfrJzA9tkT+kz+IQBV5vGNU4zEgD6O3a8yWTCetw/N/+BM7TNsEVLEQsn8Lcyif -gZsQ2nBSbpEv/2IPzh0rAlOdnMPLIWDSxBKqu4i0EABrSmgnTEWGnFCx0pKTj+Wh -mst36SgxjGbgrkkpRq57ubhjNfGAHHYqaTpsCjEKh1DrfrBMnCjdvd43/GOZ6M02 -AVn2wB4sum++k6CTj6hE3eVTgS/BtdPQ4IqrhmwVCet0tXtarQK4Smsgszd/1+vK -slOF/uXGGtZWlTyNVTSF7NHUgw2EGmbnOzAcko3FjTDmo4NKxqhyPVXwp3Wg4Fug -45xgkyHIiLBz8hd+KwkxQRiPWcJPWwWeP/Wxzb8iY2r2MUNh6EtOsDMkMcj6lpX0 -L3IHXjnFRPDubBK3Hc7daDTQz4THoQ8M6m1RRqXCxL4lkcyZsimcZwsXMWuX70xf -4t7c5NWuH0EAWWCe0i/U6P+O5gq8nT5R39rnNFcocAPWtJ/F/cCJneeva/O6+/cV -GIGOBj3tQpXT5HPVxktXl5meCanWvkaccLTNWxnUECYa9td+IwFExiAWh9xKG5Q7 -uV3TlOIaaPQVgRd5t9h+85sIZQ2gmhT4cykvgj7RABEBAAGJAmUEKAEKAE8FAlYy -C+lIHQNUaGlzIHRlc3Qga2V5IHdhcyBuZXZlciBzdG9yZWQgb24gYW55IHBlcnNp -c3RlbnQgbWVkaWEgYW5kIGlzIG5vdyBsb3N0AAoJENu4ArJYrNhPi3YP/23Pk9WT -z13Q7v9vwtNJm9IVqUE3SOp3Os/W8I3alh6hrcYD5INwWml7lrk/GhcEU3plNdGu -yice5VeAVETJpEJBI4iHw6sdMWImVFG/2xhSH94X4Jj1VOdefUieGUizLcPz92cq -kZ6W5Tc/8tFDfg0qW2cxz2Jpl7iCJsy495G2WcxMV0e/XCCKlfyFd5T5hy3GmT7r -shOHmfiNsGgusoo/s1tBUYoRuHd2cI2yIj0g2iOiLOAbRABbUkRAed3g0D8KNdxX -+25fJV1ZcqJonyikP1QPnslIxUsMuB6srKz2nMSF8kRHy3RjSJr1BrA60SxDhoqJ -YAWcpc3OtR2PcB3qkYqLEAkiZLAo/F3L9PaeKLK6LbeTZlpXUqynZz3bYm/r6+Qw -gkqe2pxHG2l5epyinwEqWqaJEGZrYq8RWEHVHgpGvU8zhCb5MJgpaC4H677iicbJ -+bFGb7GHxAHzHJW4/xKT1+tWXKLij7bYVM9+GQHJtpfPLCZP09wZb+bp/58e8iDi 
-OCq6XMpdcWsIw2JPQAhHWcc2LwydhzgdNeC/pYog0T6KcUKs2tyBzWQYS+qezdaz -LNrD2IQhpED+zYSjzFMkzeaTaVBTfGIAfvvmbmPdmAO/4cjfN5d8cTLXCslvqOWf -tH0bQs5yuYJw1H0XL94Z4qqNkzGTB/AQMxMZiQREBBgBCgAPBQJUu8GSAhsCBQkB -1/kAAikJENu4ArJYrNhPwV0gBBkBCgAGBQJUu8GSAAoJEKqeAUZWmHplkY0P/0Mv -X2pgW6RvrcubCAAPjbQTl5uqkClWzUUHeFYFgQ3zjJsMkj8R2YN/FnwcPOI/7ioT -VMTVDu+aI/H0wgZeQl5HPptlBGjnB0crbifFTNC2Gi6IHompNNAvoCdTAzByy9KK -oPCFBcHMc1yLacGnPreBf23rDy3uWnLPtgInSPT8bPWUba4VjTb7pXIFw3Vf3jn+ -eg/yAaj7NyZ99g90/P2lXPc5tsvzoUvfJ6jGgXZzm/uD0q+9jp6BZ3LLmFotKF6j -MGeW23wJGtFxDKozhI/z/yIZghykOuQtcV8fe8pcMi75t43dZXo2mleIlU6ANexg -PZJBhKNTJMXQE4gnqmLevtSyc5kpSHqb8DS7zdhvS/FuDMSJpJraoB/gS/KMiaEJ -0JlG7lm8NRu4IOgzsonMmHzcxhZVAdhnPVpltz2GmdLf0CS1WPAfq6xT2r7CPEBV -cOGTJoCVDo5SLPyd5r+sPWZyPfcEtj7Ed3WrD1RKniRt7SenXnTsoGI1J9lTW/+U -Dg+igD1DPD7Bahl9mI4/npa9IyNScKIFSLnFqx9VG+Mg+d1+ZWJ9+7XhWw6C8pWE -/W/OYbshDT1ReAkJRZCyhhJgGuHqBdzpPBYSyZqM1ct3QJWGVljZ9dUDpYigEuXu -+q4vWZ+5FMoW7l74J++/HaEfsWnx0SkhiGL8aUZ43UMP/RTSPwl/74wT/SHaHQ7C -SMR5uNDEXrgt5VdXPcah6aQroXkNR44dwHzaF3tkJn9kzseMc9f4Sw66rrHLJCsm -TYgJRxVjAws4WaQuIaB+DRhdW7pqAURa1QsK9k9iYYbtC14qBoieuj4gV+Furaxm -TB/vx4HgJjeUy9Wld2Np8+7V3ihGXwxrL4evCXo9QDvs/QenVYF/MhPhRGE5+GqC -Dv93finBi9/RsM4bfiA406cWWOJwwjjxMrNm1VrLv1C6PHMb6JhsjDDIkjDfJ50a -WJdPmzSN25S9tllx1LVpdLWTQpc+LEyhvyyoJjveON1CC0Akn07cdI1ZsavBKhCG -f8gzO9c709I6cmXvkEPW05qgrKcU06NRHq+bFqJsgBeO/IhBid51uG2vREbc9WQT -nNYUOyYDpAxtriefn6442byCK5FlFc9P/VWFIR952GaFyGQuA+1kHckunzP9g5eB -w3FQbIvq02KittfdKwRRPw/8RzFVGyM/GLS+UM7UNzCHnWPQiR3w6rZ3xTe8IOgR -ORUJoiwJ/6HV1FXRdCfrKC9cUBniigOx9Cn1g201XHiua/yedfV00GWnOBDeqDFB -pCBrkccGqUA50KOiqBrDK7bwGnYBI1ZdVAQGQ2UVh5R5gi0fLDI19pDdeirOcNj4 -gyqH3EH3cSS/Snj+jmNoE2hriF4EEBYIAAYFAlpea4QACgkQG7icBgI2dEk8YwEA -hv0jnehPJEEVjLpmp//s4/B1kclyGIfocV0Xzg3q+YIA/jQR3PKFCLStRINId17i -Tk0HJQku7ymdUNg7Q7rZowgJuQINBFfFgTEBEAC2tjoU5TRY7vKa6CAjUt1TJwx8 -IExEuPkCHgSJG58w3RPuVOVEpDEjKf+fArpCEVDq1RpVogEmZXZ9BvJzaz5ZWXHX -A6kC1SJ3AScDTiDkR3jnwY6aRhFjJaKlrklfplsIO3nlAuK8UqulYQbHvIGTnXeO 
-pf1Ts14G6YXDk8dr9RB2DFDKRtTCJX3L4vR0Qj7NJDvn8Jcdg0btZeE98eboCBk0 -CPYEnRZKrAk+QD1zBlewMoueR6MJUWWFcwPnvUuEhmq02KYj+MKSnraa91oW9Fkh -8hZ/LeHPs9hSJ2i0XLQxawGbNNkL/zvibbZi3VoIlwEpKJ64rdN8Ug3ie1foW86I -nH6VsJus/GZ+Njlk1kMD3nuUzEJkTdMidbGh94pT19swQMFh63kBj98zrT6nlGjd -xuSiMz4mDdFHPaEYSeJOk3nEwSEJweh5cne/lG2rQPy6nXfEAJsAdkB24w2CJzlM -bYDwuhnRsaoxZb8NYjxZSSEH0senR9W9uor9HCbNio4QwiGAfb9ouMaAE8skLLe/ -gHDv75+trrHxA+/9QUb8KrWFxDMA6OjYOi5uu8AuF+jHtYW5ykwcPyDU2F8A52Mg -9d5ej2kKKq4rIIe/uu7WeEusK1DFUTYmoAG8kQ3009E7QXfJXBJBvUOjuhWTMA5f -kkXx4O0x3gLiWQSEnwARAQABiQREBBgBCgAPBQJXxYExAhsCBQkCkdyAAikJENu4 -ArJYrNhPwV0gBBkBCgAGBQJXxYExAAoJEK8pK0Sg7apB7x0P/jyToiSDmz73z1PC -vD+T+xxSYTpxv4QX6SK8Z9Y+ZZbJOkKw1YFkzbz0pSXbDyRhX9Bv0/DO6kbtHmmo -2Kd6IydZtabIdrrz2Zd8Z+FqvdeTEoTHmR9ihJooFRSVXzxpLq6nrpKvtiJAOTb+ -GPe9JQsaMJYJmLXcZX+YtdbURYV3+S0spvRLsLsp9NuI2ralYOsSu7jKvoKDinop -1Li6AOWQrDGTy0w0Rh3yVorFoI85iiVcBKVn1L8KMsf+VPPlsJEDUU3AK3YjuFsh -D0wtGszsRqK5KYsTPX70NTQaxoXmFhqfT6CPiE3SiITAeCVaVqzre5N0OG7V8aPl -NdaitAJf4OK4oibg+Zk5xAB3kXqfvV04DpVz4kkPyQI6WFY3AnmA4TYFFzEKFSAO -eVn6jKKY7DvzeL/aPLkekNFqOv4QOfY1LdtrGKbW7L472Z7rp5IRqwI9YW0lRILU -ZS5YfGMJSwUJPAVjKns1MuASk2nppqCpPl+t7WFK2EqBs74qa4Q3dsRN9CyUn5N9 -wtZ9s7or5RivQJP0q5tZezPaLHA2xTi5Mrn6tgSZb0I8VRPyW+Ez1sic+L6VuxEk -7AqjKj4F/4GpELv+qrENJJc17D2b0vPpSfTBkzLglJVjVLoh+bZhymc2R1NlvDmn -jcmrn9Ua8F2QJ09NFCzR+l0HkBtz4ikP/1LJ4LPllXdvg3PydCLgv067dGK/QtQ3 -Aur3vlOO1obREC7XD4TnvfbWSG9WblKpvMoHDwFvk18niP9ZKSHsImm862ZETiVy -EnY9BLmhtaRUdcpa8YtbQzq84Fk0NhDY9Mj75BX49Zk5cPDTI3pN9vUfl5kbEC+I -8wMhJTvpWJCoqSOlJcYOjCDjLK/ERM7iMGxVHjrWqd/8PgbTb9B/BsDw/eAJjdzd -/kqVvQMW7jdpQxEwt6BYtzmUEkNz65oXROhHz5lbN0r+2pE8MGR/3dbDqnprpuHd -nH2irUssnEIZ2hrnXnD7SdfT+3bF4TGrrLHSgs4HD0fwSPmeTYDiQoCH0yHwKQG+ -cyrfngzznAFy5taJM8Sxt47PG74qd2SJuRqNlt5cJPSiA7tmI7x90IRAOfk4JY8D -AtyahYOU76dfWEi7Wjh2ZUUiYYBO1Cj64HclqNtJ9qvMmV40+59XgO4d5eSExGfm -0S2LuqCGePJ2B0aG1kXFgaj3ypUcVBMb4BdHNq208HX4ijuOWXD5gXhuPHU+u4eC -9KDAF8IubxNJOuj04NpaMngeB1CABQxRMg5Of+E5cIkvcRlrJPIvULEk8KAWYmCA 
-g9jEHrkrnWjy92xe6vyvJnEMftn1BwWaRnN8OYCABlw6y1zOMF0FcfUd00EBKzfb -CWHu4i7QXqHDuQINBFmkPJYBEADNvkjLcOjIVaOKoy8X5QuNurriz54O5jpTWAFh -SgxUo//FHEqlFYCRUDdDuMD/fPAiQXk6TNAGzN+R1guZtj9ekCI5x4N2wj0wxUN2 -Jsq+P+zTLkRQcajbTemOsboI/w0+9BlvktBFV0E9yrJW4qbOV/w/DHWUq3JIggDV -aVa00bvEAdJR0/uPJoGip4ex2Yh170jg2GbtsFvm1ue8lwzSRbXsDI9RNsVa7hoJ -t4TfkLTYkKTd0oOQvP/LDgcmp5T6scDOdPx5zYvwF37DuC15Y9WYai+s6KLDwMy2 -COBexE1pLwqE3OV439BDVsFG41zxmWUYUX65PXtJkD1NMJdnyiPf1KFEpzD0T7d+ -lnSPLJYx4Te5ahaZ1e8Slwa/q67ti75kMutR5IV0EPEg/vY4bmEutoST9Y94ocAr -Z+0fex3DsVwXMdyMS78zfnm21bMpsgfJx7YZI1gFQXAKtVlEWPHajyjd2tCysYHy -1AnbehkHRIsYVqXV1AwF2bSN2rKf+nCTjvNgt5VNAiJGy4N+QuXFy5X4NdgMdYq7 -vYT66IeZwlT9HV0wEB1jsX1y+50faxfn2YOPFpKXzNd7VOQDDx19J1IsNw2Q7gnr -4woqqJw+bLG7ClRuNfN861Dlxc52sH6rjdceiFsLKBj7T1mQFAUZB7TCMIvK2rry -lc5iXQARAQABiQRyBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAmNs -3isFCQvyV5UCQMF0IAQZAQoAHRYhBAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyW -AAoJENIdrTivKBwLz48P/jgM5REXNkh4oW2GHC2ZfPMiupF11zTBKWuIrsjLzUhO -IqMypbKDBAQfqV+TSal6RTvvZHQxYUxak4OK/TtjDL47XzHGQmzZbFndH42XVOua -kD5dT2Sv+5oWNSZDz+Yk/1tg4aRCD1MqATPD7N2O8Y7+NFU2dtQLV2MPa/70K/Fm -LiXmQgGfhKxuqWBFdpx2xNlpIpCPEnkNgxfxUDW4Gar3f1eHAOuCt5HtturaiHID -mnuKz68epX2PVrA8ztjN564vldboN7ff5F0pUbS/Jj4ccozOGdEg3gt15LY2eD4f -D1oX1HSwfqFvB54gSlCSYX4nkfXkjid13CjAYAfaIbhCZ4cunivMD9og5sK0ZGTU -0fGP6TTTeZdge7wjzdZJj9EoBgclc5H7McIkuGYTaTqowe6134s6W2bDJ4AsGkjR -ghRuv6XsgjUz137gNkT2P+PNOBV19sTV3haz4i6gBr180xvvtOArwP1vTxnAa+Pm -s9bJt6W60PO6kjWmDXnPykwq7fpmI7qgJ2svlqRcLN3GRLX3bc0jCpspUEWAiq2J -QP3ejT2QmNF8GFCITQSB64Vb+aOBE3aifBjt82k+KSvy/P8gkPCc3fsxdYSgnesr -k6EngA7vOM/x9unm3yPMctpT2kKav/xh0IYQdsyF6QX/ScKl3kvuRt3LTkx7nd/L -CRDbuAKyWKzYTxmZD/9XRg2sgq1M/ZEpIv+rGH3eZnqyPDM0oh56upTvRIG1y70k -8SoxFxHUMd5b+Jj16pXhKIwpdH3lybOmiJVw9HF101YLHBV/kOhRcG3sAg69mEtw -HH38PH+3tClwH7FOwuhDJsjff1GKqaPb4ZrnHACvTIZy92hF06RSgLj4/4J1TeeY -sVVfy4GC3tTPheHXWVGBV8vQIJTg2SRBiwl9rtxKfN0cNR2vOiHhypsWO7D6mnZ4 -aZPvOB76BUXjw86egEsxbMDcdo5DMmqLWjWnEilDQn4UH+uK2fCxHTufI4lD2K76 
-QZmT8cGAKMUrf4wXw9W7ysn9Pk4pnOJo/rzsyaz+plIx6o+5AB8EJ+LAapFUgsF4 -lXKw633asG9ecdUROMXF/F3fInTkQjE/nxBSzHmcMeVBlYPZIUs5rcdT66hOSaip -50/39bVctMTeCxMnXycCrPqPVGriSpJdjEE9khrJ5ifFT6CYMkyBtL5eVzg3JY0/ -touOkKPTiywVOWiCWm8vgraGjxPHAJHNl3joBfWUQMdqcrjf93kR8z+Dd4hX/uOh -eutIgWqfoWF9RWtRfwXdsl9BP+ngVUdAlbagNE2/R8lif7/F8Bmqa6kToNI34wEa -9uf5zE4v243vqrSaynkIZAGAxCmK6mv2B5/ua3ltEtTSto9ktaIod449MIgInbkC -DQRZpDyvARAAtfnSrtM7lNxN5FPfT0V8cUpXW5D3jhM6mC6NUSvKSDAeITNdQ5Rv -o+k2GaN2dORrFSTRlBnGlF2DDpXY128zcvJakG3jadgGvAMflrpTDbFN52591u/+ -JGbZ3rhTSKb0a+Vmo4MxDPKWF6ic69Ktk2NMze8pgJMpaqBSOqjWGnVpQw/eE/aO -PIqz4NMLLFDR+UdARmNOHoopeEG0Gvktvphq+P/6i1nedVCgAmSyiBujtHauAxCC -jXfiSyTSieWENS93Kufk7SD+bJJ/kvlwVgd5zV6kGmqk/CSQLaKE/oKzJmuvGZpU -79Cz9XKfeKHdi5jxJSq1S85OkcBrL3G+Dgh4Ahm+IrUKZDjMb/5HHr1+WkXwOz18 -gbvI/aUD50luHLrFJcsoJCrCT4oyUrpcLUjcVzIrQ5cndahansrJox5414iIeptE -ef7D52q8Kt+DyfLSBjudGV0g7mRXEGDpJxBPhbkGJMwCoXTWlV5mPafpNIk1HR6i -gC8ndBGxNk/yENfSGQpAHmVR9LzfXwFBdoDgUL1CzAu0iGfiRO62rGMlx0ZkUADL -REpeLqZexYmQ3DJ1G/czh9f6aA1CDbD37kZ83St8GcDSFI+jvud5Dn7/zfOp+B61 -Ykn3Zm5dHQ8BO07LbbqyAH+312aBlCWdsj8sIGF4KcxQSzuj1tuCLUUAEQEAAYkE -cgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJdnIcPBQkF2X3fAkDB -dCAEGQEKAB0WIQQvr5ug1luzcfC8LUYwIKepwrcnMwUCWaQ8rwAKCRAwIKepwrcn -MxWKEACjpk4elL0hsOygwHaWilUwGIWnM/s8J/COeZ4aPJYL0uBRd4duvewHEf7c -Ws9N/69HRY1m5o1wI/lBOKB32QXMaaLVXDuMkuXrZaNkT9D4WdCJ719izhkBQ45d -OWJvoq8aJv/Q21ZiQF4KqMpbgoIf/LMr9NTR64pc3j0W7QKltgtMwzK+mT8dMS+x -pbsas4T7SMmzPuSKcGHFgY9yCnPUp5OBKXsegPmgcrbL2MkQWTyziUizy+3Mnr4E -rKvqF2HKPZzepShrS2dnyokRhFULfS7gV5pRlHMUfar+SvUZHxSEScmaE9ANTDfG -Lvg07g/JA9p8+6lBlmMUkC7p4zihcUIoNXehfFsumReFea5qzQn7VWOQEYTNwtv/ -/rmYiXtSCGGS3Jt7ZU7gviOkmnmOfkpC3haxJAYTQrTxoIVoDqALXEU2Pg1jNiWl -FKV7kRBGctnHuOYgjmgKxIwmUO6ufA5grrE16peYhkRLeN4+m+pOG9swUwtvVdzS -7zY0Qq0qP5zWrh9P13znHb8zexd9DafgIGbP7lJqPP1Lh2/Kc676/SpyT+2A8teg -sFdlc7yU0fHAOcbhOpMccXkYNGjqzAUnqY3K17Pi4JHHKM0xHYmRlZYWJ2fZb5IN -54EM0sGPZsOcIa1qg79qzjrY8ep0XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E+5 
-hA/9FQDQu1N2EZl7FrrAdP9xO7y1ZUs33gys9eA7bY8ETMlDqchnEbnbqP25W2yO -bzrKtshVn44fWUGOwSmIDfVm0ATkuJgMReMTo3APfOHlV4HKlMZYMF7NufJs4f+0 -/DYCq2FN1ZscQmph8YKAsTFKxXWNw60ilfQoY/KxLbQ6YTw8rfd2FM0ZwjV1PbsF -7HR0FkZjbaJKry1vqtOS+cjs360t1rclm1KRMV9/yJJMow2VV+9FIhbZMowrfZI7 -Qx/Sx1pYNT07D9dBNeGSRnLWEubO/mb8s1Hzgty6CEf6qlEwdRMVELXaVJcf53CK -EqZe6uhVmTq7wrmbpnb/I0Wer6igL+aUvtkM46O8zVCT6T/mnsXyoCV6zmCPYM9R -ECEyRACx4Ik+ExjLnRLezYhOkl7uN3qTS5rxR2otbESgWNx9L85Iz75ahU0zas4F -R1cZ+YC2fCRAqmPveAidJbJ0ZJrx/JH09udX5LafUQIVkY6xmoE/9T8bIVSbDFwi -fig9OdP/OtaDJBS0BOfQ9QdlpIWe2owVZa9Aa54U2jjiupCGY0XB/LoNWe02WGUN -amnXegG+pHGGGt/atMAFAtsAJeXpLIddO3mQdbR25QgJ58fHtkX9y/FMT4bb3FII -Vfd4PMmQibGXEwi641+MtwlJ52QVZRmL+2XahXoqCx3hpPyJAjYEKAEKACAWIQSk -kND00xGkFT4rt8rbuAKyWKzYTwUCXtE6mgIdAwAKCRDbuAKyWKzYT4YwD/4+b6U2 -Xx3aBnP77ZhS4wP50MmXRn6LAvN+RIcq1FAzwsXRe0zwP0ew1YP8743nOjoFVOZG -6iRHNOzvBOBwQ3wvlN7cqa8kFWpFtNdN1yFFIjO8bDFtPkXgeFmgAJ2fS9gj5ze7 -5H1/bRqf3NO9NVWvX0C1sVJ2jLJI+LSys+kuv9YpPOZeGvg5qgaG8K10q/Ic8wGB -XNi2j4Wf1jBzDDlFfRVb7doUrEQ6BeNJDhaOnnvVWBZ9E/iwHT+GElvtVHhztuKo -qp10KFwudGm/Z4a5uLX8RZxtn3OqDdyQ+BX+tjy04dcKV4fJHnh5Lsfz2AMrHO0Z -8mipu6AOxCMHhKlZJGka06YkeE3y6cOC6yWoL/tzMCpJUczLB9JA6+gu0sUSXTpi -tsNhY6+56XPHSV/3mBcjY4o4udnDPcWF/Eji1tIqRo7B5gX3gk2n+WTWXRdosGb7 -PCSoK/YppOHrR4RWyxek9w+0d6Ud2SMupvTu9zn55zcqbTX+66yfpd4dXw8qIVTb -9yLcIq3A2wiegZXUJqJYpbgC9cAMmL19S340zxOJLsEeg69XDOKilZ5OsSUcoczt -la554wAE7rYd7x9UIWwaVq1r9jle1T1yFlznOjx2iES13VMfpFIq7uBOvt1GiY3n -mGG+F0Eu6APcj8x8WP0bB2+UfxO9LjgBhY+1fbgzBFmkJ7YWCSsGAQQB2kcPAQEH -QO2oCCt4hgIeuO+NiUF0w66A1RCFb4TSSjjKfBJSLXSXiQKzBBgBCgAmAhsCFiEE -pJDQ9NMRpBU+K7fK27gCslis2E8FAmNs3iwFCQvybHUAgXYgBBkWCgAdFiEEzU1D -Ua+mkz9XSpr7kLK0vXrtI18FAlmkJ7YACgkQkLK0vXrtI18sxwD+IfLH3BZ+A4Ae -VGt/uVamTk4XkEc1KtOolrL46IA4kbYA/08D6g8aZ2vdZml/o5xZz9S/O7tXMRjh -SitE+m3SwQoGCRDbuAKyWKzYT5vfD/wJeT4jWqiPAhc3TF86fCUmPLztxSij1djg -CFZ8VpAWNBtE5d4uostK4t+z9R4fAjvtSIfZhLXyqTLobc/nMvv2ur76IpkQGQDS -jMTkP/yKD7KBzcjAmmxFRlNeRHNKNL/mVpkALbETkeITwUMzW4d9EPRfV0q6Tddg 
-YyzbJQEQ71R55g6PQZ03fAQe1nIUjiSqZUJONM4mTfRYueuQoMBnb2Rbib2j2Ff5 -4UBfVnM5hgrR3PJMV5hfPmBPoC5TEvgHnnqLa2EhZreQTxGZDieSwOR6dxRXgH0c -cL1q38M+r4i7FSgAasgnV6QweHHgzZntR3M6ucr6mGomPZvmLqnx9Ad2Ta3g/Yza -beP0ERo+pksOp8VxZ7VNTQItIzU1Mvb5RLnn1MQJn3ZPiBcygC4Zetqiv4jKnyZX -e+AYDBwxWZtdhzdUBl+TWXbxR00qw3ucpvQa3W1TZHJGU1my4USak7w909wh+mIG -TSXFCBJAUq12tIauC5SUZwUsjJacID3W4JZvzIgcIV113LyQKBLmicwOwItzNLyK -cCm9x5sRDyqGuWFVCWK8s85HXUdtxMGTAxzpkcHueHyQZCwV2+Vv0TAjND3tsbSh -qRY1go4s0px+nP5j4uPBydZo36vdhaar2eQq+XTNOzFtNAtL0RB1zERwSPQ/aYCq -QVXC9dSPnbkCDQRbh/c7ARAAv2qQAXsiacvxtqSapDrjSGqyHhIuOMUThclv9XNd -mZgkZtMMEOY2FBSm6nKfZbq8nsdHNb9wI4pngikfEXeqgFiIsxDJuNJxIRlxu/EF -2GDHFZw9lex0KearvT5reZRrWo4NiNHyICHKJsNdmh0+SlVI4JrVZK2iknjwSilq -FQE6RjBrcr+4z9KcIa8xXyIVudU98oDRWUmtuL/SNLaVus5VIlMrFogPBZt+XI+R -shLpDnGAoOCkJVP+f8anaAP03RDj129iOZPlpNNd8SXP2YpgDYqas9HBZWhjR2rc -dLRYf8ELhH2hPh64P/vXvu3yYukKQU6JM/KfXpx+DK5t1EHptckyI1b/tAq5iMm2 -iPzFnyZPMZAQXpEWWax1sJRyi8yL/0GATF3yYFhimo3Uvjo2LId7Vw/sk8TlHtzD -o4LFvoqMur69pBEXGDIWFnJv+oN7CrSNJ8bwCMSsrsBVT2smD3NNIsWOrW8xQ19x -5md9HW0t1QR0puC94ixHhV029WoGHClG/MRNrtqexOH2J909chXkLL5DlQlqC4MZ -wdQYgT5BsYTnZaq7uz0xaI73Th3hVS3pq8mkXuDwqG9/5/pxyW0ipLfNAT4Tl/vh -aZayMSMaWlKk+j2um1gga0JXXWrJR+sRvWhgYLCfXLxOOoITqgKQRoz2ft0IKV9g -S/8AEQEAAYkEcgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJe0ToK -BQkGYEbPAkDBdCAEGQEKAB0WIQT+Apy0qtR4jh14KOiosPTkWxtQ4gUCW4f3OwAK -CRCosPTkWxtQ4j5bD/90lveXhTpp3vgzWETrRsz22p9zQmNiJGDGmWYG9j77Z4UR -U3pAmov1tInprnjrqT2zVXWqZBwA1PpDtkZpybIcPmoClf6g7FsZXSGmkyIkSCr+ -cgg1d7zTBWmfyXMUwO2i1PplmDZli9HYiFlRakutv9TU5qbtgNJsATZzVQoTh/kf -AAIDiHOW3NXFWl+hkyJ2yTHLgRUd7qc4jtKOKkhBMjOp0FTczPBI24tJNTlbU6Bf -N6CfJ+0nGlcafCRnh2F8SwUP7c4SGjPCoiEKNwLu+YZlcCk7dqANbMMmeLgb7bZp -PA83bsqGgsJlowueenBgIbqw6wdnuUbOAq8zW6kAWljKSP/vduu/Zf2YOSMNZjlO -qm4nXIi4u9GZGc22FFe0V2VOl1Cg6OeFqBDkd45hqZuUE2O10mOWRT5wF7fEqPmC -/zK0Qt53MJSkdi0S2t9qcrU8d2vwJmvB1msknZ0e3VUGJYzGbjZ4g9RUYwYiV7v3 -b0SjMiUL9plNeZvv8AIsLihu9EOAs5MUWRb/2NfOFOexlce8okeZuToP1VkYndrp 
-6NUPvF615Mn+cmEhF2gNAVJZpbUaorjJeJxGsio+5Lz/QFFVJL+TW4hTrhe1UTIt -oWn4lHyKMDPX08lfrQgcZPv58eDvaTOtE0saPE0UGKTSd40zd1m5THzifLytsgkQ -27gCslis2E8buhAAlL3yC6lTN6l+QYnvjnns1PtBYXMCZ8VZ30ShlKC3XqfFq1gP -ZY8NgYjePn8w9TF1Pz9IvnORHueGsCGGcVP/HCwc1R9IX0QY40DmicP/65/Cnr9B -ArmZDTszlRDvzbJDXXHWI1709KY+5SptR4RfLX6I1Ps589pvxYZEvhpPJk1WPYIK -0TdUtOeyYAcKtKAd4LiM9KttNsUAxQwTn+WHOf+1GNqRlCXExnYFclAB+Py6DUHA -9IY9vILN2b7Im/+Lq1dHQP7xFvMms3uxcwzfTf28hDRP6avaWe4/uhAhO7eojL0X -8nrYFy3C6bVqzw06sWSU+XST+fYqv8s/SbubMOhRDuRoE3Ue/mptG700bV3KZ4rY -awfNSSzp5lndbd5WvjlASMb6frWdYq0f4SvlGYPkr7duvJb2vkvhDyFfXO/3Qvzh -OmTxGrC+FQHZtngNohCe0NzC3+HMKS7bpuo106f3+20UXXUTh/EqT0UcYMR2GCtH -7L5PGy/jcL46xK8mvpXUQUYOrfBViR557BGJrxNpkpxHstuAH0yTWN5sG4OImKzR -3wQUJep46o7hfxNLmBwe169oZ6C2n3SNQFYE7QgwOlu69JbQZ+KrdFi8oZng/lJB -FwcCe3gesly6MPJ1M3NQDCz+b/8UNQbBWF+okwobdl869P06GZtOgG0eh8+JAjYE -KAEKACAWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUCYWhRgQIdAwAKCRDbuAKyWKzY -TwX5D/9ashfmjOrB+U8HHKMGDY34NXzHVKwh29Zcvs50z9TZipnFsxZdEggHjvb3 -Re4p91Yy0D/9ZttrXek0Nt+4TXQf0MdzfO44pLhS+eLefg1F074/zVhk35q/mVgr -cveQ4oYQ8qC85Y4cY8zjOYTZih7oty3gREJOKJnjPkxfKFi3cDaAwUMgdpAnSiv0 -j+p/1K0G26xm8SoCHvaVkcaK670/v6P9PxESo5JH/W/suIEwEbdEMINAdz6iVODX -FZxcTHsh6rWzRYvZAYCnjIDfVM6mMRvycaZrQBzeKZmkQvZYi0OxM9RetJhBWwPX -1rmIEDCW7m343D/0SmbztJjMonyLNfOMRu4u7Xg+6z6JzH23CHyItLbMAajx8uKw -RqqaZdlFsO7HZbSUvWiq6U04UbJNbuhalDfMxWKL1pHFQQTNTjDCdMOI3AWrkDBj -SvJko32zqnqYs3T41gyVaO3jqSeSuCxk+q/tlIZBYkb1ehHSDC8UVMw0QObfCLQq -Fb9yEmlQLbNLFVb/O+fp1mOwmCnsp9EoNxyA884deT82PwIBLZNgYd435ZxHJc5p -rBoCyOJQqntDVXksk68Ziex1ygJctJ7KhYWI2Nftva5p2hH7YtowbVd9pQFX4Lee -O7iAh6gNFOoKUW+LfIIp8aGOqQxz8QgEOvnvRPWzu9sWd8OJZ7kCDQRhaFH4ARAA -1YVRGK45ANlN6p2phi9wfgxlu6zh4x+gYC1ccTIwPpx753zEB4HceBYdBE4hhAx8 -K6HD3RYjtchN2gzRAf05M1loFTKi8x5LiSGqtNYKNy0EDQN8WRxKa857ogoGtJUC -2SYmvkjYFqKZryXG4WGzQnNn66sbu1x2UfjdMXB47SHIpVWTlmGl+66kYk8U9e0N -Q4hqT6rRYCxv/ZRuyJCkCvFE20jsbDv3W36PDuK9cJKyGAArWAjYgrioY3XLFMN5 -RSw4P+Rjy3Jl+Lfd/AdA0ZGTzOvbr251Fp1JLji8LCLplfREUo45nRy7rSKiLdkD 
-cgDV7X9iLbEQSsie9wo9+NcoPIO855ju/5HC3mw52AkAj4sRusC8uKFo8d+gLH7m -ahf+K1NS2DRXiYFp7pDks1U/zd1DNhoOCXJvT3vW3Giso+qGqvpYVm9iV9SJcxJB -PTRF5/uAa59k9E9dmM6YaUcCZLExH4Xnh2SYlrD1kfJuNdUIbMVQbFUzIQKhhS+l -LW8/3JGnyOOYSYmXG2/4eLCrQ1/Zn/29cHFgliUmx40WYLCQLaBmLhYuUzSaMyXV -zJAy8H2EkzXUgpxjQGDmZYm2LaFD3mPr68N107/EQ94//LmMTvCv1qt1J3HuWwLr -w89JWKYMkqE5qZQ9MPm/03Oxl3hGMCsqYFzdmtSd8F0AEQEAAYkEcgQYAQoAJgIb -AhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJjbMZlBQkELiptAkDBdCAEGQEKAB0W -IQR1P5ATd6MJ8nMfoz97+9K5Au4T0AUCYWhR+AAKCRB7+9K5Au4T0CI+EACyAcBp -5P+BjWxQ3shUHWXY2hnyQwTB2hNY0uT70f4Ss63i3Yn1R5Ms76gMS6RuAq3+k/CH -d+FqXhj3STR0XQC/l9yP2tDNQ1LfNTS82OLuIPrg/Rwa3NOWaQ8sjVDtQPCpFjmx -8QkRNZ856QZapmvs7V5n5xQFbidY/JFL89R8xysZC7psXt3EM0hE3kzGLfVvRcn6 -iKxtJGWT6oyazxAiml+AYxeSmNH9wwpjhbWBh1tqgcT0MS3wmIwv3bLvyaHfxe8y -5r7gb69/nng+Sn+PFY6v3JLGIjICxUjIYMqUeaC37sVfJQT9tcptWKYmgcZTcikx -2m/VE96gamAJ1sNVpHN2s87pfDD/19vx0rwKiN+vVD5cNIRVSvcgPQ3DKH+aqKMP -Tev5g0U1Z9l/o7gKMdT+SqQesfvZClBTwzQbGkpCFympo/xzMr75jOQjBjefW2RO -QL6p4e4vH89QgHwjv3FP6xyxeIWmLrj3TCiuS9oHEXqJmxw67TQeYbd6fwmh15GT -7453yiJZvkAsvsOxW4NZxDYd5+c5Krm1CD5FgY+yDB38tKEUqUA86LTPcvGWvpxM -FlgnvtlKa6dibbDSPJhrmfLBUztvoGbsaT3othmODgHucsZ1EBypUElW7vX6Jz0B -KXEKXdQCvyWxqVAjpwzblVISG7S3/fW7bv1fYwkQ27gCslis2E8IyA//XUHxgoy+ -FccaYOFp5lrTjo1q5gGvAd5q2TbkQrhrciWnXnyPQ9+9XIZWp2hxX+QPO5YrPod+ -iSUUvIKIjLKYwhm14mGLfibgexXbI3oegaEjrd2F3a//75Phy3yk14w3AZ3fveL0 -/6HGNoCASgZSuajbakJ2WutY3wt73vd7HMBJQdKANZd3TPwtr0YtMknGPNxV0WB3 -34A1oQ0EGKvbV/6vu8kiHQC+M9LbTHg9DYXGDCzmzBaG14hqCZuBIwKxH7gfk4Cn -VeOjILxS3c3Gf+GJoyJr2FzgeTi9M5M0D3puWudbBTqj083xzvQe5/M0ONrvvvL2 -9hsPpzjexk0rh+a8chlmIRI22VMAun/XFr9VGn6wlMLJGHzFROmCMEqQhauuGKG7 -UoQxDDApslDqztBrg9gKE0KbWzc4/EstwytiI0+3J72V+D+6UeXO/5mdog/mgDW2 -swPalWeOLcEtDdkbu/6vtSpELKn+dW+h8Ii7Ki41GXNQOEaq/n6qHTsy4azSEyYS -dMQ1qRMmjtkWMATFX2UAFcoPr778XUZlTNGEhcg2sC/m8vxvig9cN9mWwc/Fzzp+ -bOTl/9audGSI+56o1Dmpp9T3j8REcXXamkU86vgpdRjeDx9x9QxA0ZNhiJ8Z9HMQ -QPn+ypcBYzrC6b9iXTuSsya/9ISpMgCMSrU= -=Y2Aj 
+tEJUYWlscyBkZXZlbG9wZXJzIChvZmZsaW5lIGxvbmctdGVybSBpZGVudGl0eSBr +ZXkpIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUCZRvd6gUJEtjtVwAKCRDb +uAKyWKzYT9ZzD/44UItTNsb67wbag45lsMd+9gnr4xto+Hjj6M7ndVclT81c/tP4 +afJOZFSj3PcfIqRyJncE1VUsSftsUu0gc4cegA28FNz3J+e6CWF3VIfI6J4ApSuT +QN0Sf3ta5i04JB9Omv4Ttj5O8LCIQInt0RsZiH+ZqxZ7G2baUwHcqCuSROka+l33 +7bgvMluzvv51xZijAga+J8wbjS/wg9X5zJUtJrOJj/cHg0dSs10xbCyVrLLSdOa/ +CwRouSQ6z6ENNyHAhLv+xgqNCGAJRn9zXMB8oepZ6lSnSxhnhFAAt4Kstxg0LG6R +sNHV/Daxk2pzKzZUro6OSLxBp/MTgHcQW2OxTGlCz9zpi/sxMhr/EDYqLFC8OSxQ +qm+4kbIjHlajEw2KAyYvOXFQzaWzJB9vBvN5f+OK6QZEhC+LNhIZ4pZ9+DDbJS7z +SZ2x83viBeSnqO9A2so5+fcR+xixnpoyDnah/6YJ9Wl7oBa+qKqY+PDVeXUEl8Y6 +FxZ2FELPaYHo0lyRX2M1eD910unn6WUAIb/cT7q4t1xvxaDTOV6OfMbqcwc8e1G4 +gI4kY7JoqlUydOAFKpsEzZBq7Bz7Ojw9wEQen7viEajg8namfCFJtC3a3P7obGcG +KTlKcl7vdjDXo+JiPtclaq3xewqADbiDoqdrFWljop5sm0IAPzNdauzW97QhVGFp +bHMgZGV2ZWxvcGVycyA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAmUb3eYF +CRLY7VcACgkQ27gCslis2E/KEBAAiBwOFJBdDtmVmRBiUGEKBu/ripja7LeNC6ny +xmqX7F2Tda7mTcLXQTjcY7TDzNbtkf7iYrb9ZQimLrpYVZD+wrjHUO2332xkRb8Y +gObxQQFFUrfBaDAGtOFLfnw3C7ZCA5DgKDchhbtlenEtG7KZkvJyva6AoIoLgnuf +IpCKDwYRKV5F2OahNpPmWI2iRuvqxCgLehbJOIgiQ+QpdeoPcNnMSgg1gNq6DTrQ +PjQgmBdu/6lAgnscQqvv4//aLpQQPebfafpjnHDzlmEZ9Ax4gQ2eUD6rLNnuHc7g +7QfyhxI7nL1rN7VTA3lS5r1R0pEDIiUXH563nHYFsLQHpM98TWqkb3gvJFQO5zKq +tFZkgRcO+7PKtJFEZbMbLHgol9jTIVUe/sMzH0RbVCfuzJRpRwNmxs5isP1F3yET +NdA6UQOHbXsSnHYwmEQofvCF8lPTR2I2YHCxRKhoXnrhjPHAB2CdEK/QXA4EQuZr +5rUS3GVDbIY+4l/VGUT+6XlT53YX8BM5c4l4sSkwWVdelnKOXc0AWxHf9BK8zdya +FnLWL1OnQaCGxPXUzhcjw+j18r4Gwo6yrYzlW+SfUlVTAxFNapXyOgZkWxc9UyRO +7Z3o8IYsXflK1+9RmMNz7OJWJN1rLjhz66hl/PQw5QxlGlQgaI8TzQFsN8WbQUSZ +35q7WEm5Ag0EVLvBkgEQAMivp8Yhjdqpn5VHe6f/+JjvK3Wggp/O41Ud5c8M01gH +EAqtwKa5/IJrCqX3vvmgL7rlWNfrJzA9tkT+kz+IQBV5vGNU4zEgD6O3a8yWTCet +w/N/+BM7TNsEVLEQsn8LcyifgZsQ2nBSbpEv/2IPzh0rAlOdnMPLIWDSxBKqu4i0 
+EABrSmgnTEWGnFCx0pKTj+Whmst36SgxjGbgrkkpRq57ubhjNfGAHHYqaTpsCjEK +h1DrfrBMnCjdvd43/GOZ6M02AVn2wB4sum++k6CTj6hE3eVTgS/BtdPQ4IqrhmwV +Cet0tXtarQK4Smsgszd/1+vKslOF/uXGGtZWlTyNVTSF7NHUgw2EGmbnOzAcko3F +jTDmo4NKxqhyPVXwp3Wg4Fug45xgkyHIiLBz8hd+KwkxQRiPWcJPWwWeP/Wxzb8i +Y2r2MUNh6EtOsDMkMcj6lpX0L3IHXjnFRPDubBK3Hc7daDTQz4THoQ8M6m1RRqXC +xL4lkcyZsimcZwsXMWuX70xf4t7c5NWuH0EAWWCe0i/U6P+O5gq8nT5R39rnNFco +cAPWtJ/F/cCJneeva/O6+/cVGIGOBj3tQpXT5HPVxktXl5meCanWvkaccLTNWxnU +ECYa9td+IwFExiAWh9xKG5Q7uV3TlOIaaPQVgRd5t9h+85sIZQ2gmhT4cykvgj7R +ABEBAAGJAmUEKAEKAE8FAlYyC+lIHQNUaGlzIHRlc3Qga2V5IHdhcyBuZXZlciBz +dG9yZWQgb24gYW55IHBlcnNpc3RlbnQgbWVkaWEgYW5kIGlzIG5vdyBsb3N0AAoJ +ENu4ArJYrNhPi3YP/23Pk9WTz13Q7v9vwtNJm9IVqUE3SOp3Os/W8I3alh6hrcYD +5INwWml7lrk/GhcEU3plNdGuyice5VeAVETJpEJBI4iHw6sdMWImVFG/2xhSH94X +4Jj1VOdefUieGUizLcPz92cqkZ6W5Tc/8tFDfg0qW2cxz2Jpl7iCJsy495G2WcxM +V0e/XCCKlfyFd5T5hy3GmT7rshOHmfiNsGgusoo/s1tBUYoRuHd2cI2yIj0g2iOi +LOAbRABbUkRAed3g0D8KNdxX+25fJV1ZcqJonyikP1QPnslIxUsMuB6srKz2nMSF +8kRHy3RjSJr1BrA60SxDhoqJYAWcpc3OtR2PcB3qkYqLEAkiZLAo/F3L9PaeKLK6 +LbeTZlpXUqynZz3bYm/r6+Qwgkqe2pxHG2l5epyinwEqWqaJEGZrYq8RWEHVHgpG +vU8zhCb5MJgpaC4H677iicbJ+bFGb7GHxAHzHJW4/xKT1+tWXKLij7bYVM9+GQHJ +tpfPLCZP09wZb+bp/58e8iDiOCq6XMpdcWsIw2JPQAhHWcc2LwydhzgdNeC/pYog +0T6KcUKs2tyBzWQYS+qezdazLNrD2IQhpED+zYSjzFMkzeaTaVBTfGIAfvvmbmPd +mAO/4cjfN5d8cTLXCslvqOWftH0bQs5yuYJw1H0XL94Z4qqNkzGTB/AQMxMZiQRE +BBgBCgAPBQJUu8GSAhsCBQkB1/kAAikJENu4ArJYrNhPwV0gBBkBCgAGBQJUu8GS +AAoJEKqeAUZWmHplkY0P/0MvX2pgW6RvrcubCAAPjbQTl5uqkClWzUUHeFYFgQ3z +jJsMkj8R2YN/FnwcPOI/7ioTVMTVDu+aI/H0wgZeQl5HPptlBGjnB0crbifFTNC2 +Gi6IHompNNAvoCdTAzByy9KKoPCFBcHMc1yLacGnPreBf23rDy3uWnLPtgInSPT8 +bPWUba4VjTb7pXIFw3Vf3jn+eg/yAaj7NyZ99g90/P2lXPc5tsvzoUvfJ6jGgXZz +m/uD0q+9jp6BZ3LLmFotKF6jMGeW23wJGtFxDKozhI/z/yIZghykOuQtcV8fe8pc +Mi75t43dZXo2mleIlU6ANexgPZJBhKNTJMXQE4gnqmLevtSyc5kpSHqb8DS7zdhv +S/FuDMSJpJraoB/gS/KMiaEJ0JlG7lm8NRu4IOgzsonMmHzcxhZVAdhnPVpltz2G +mdLf0CS1WPAfq6xT2r7CPEBVcOGTJoCVDo5SLPyd5r+sPWZyPfcEtj7Ed3WrD1RK 
+niRt7SenXnTsoGI1J9lTW/+UDg+igD1DPD7Bahl9mI4/npa9IyNScKIFSLnFqx9V +G+Mg+d1+ZWJ9+7XhWw6C8pWE/W/OYbshDT1ReAkJRZCyhhJgGuHqBdzpPBYSyZqM +1ct3QJWGVljZ9dUDpYigEuXu+q4vWZ+5FMoW7l74J++/HaEfsWnx0SkhiGL8aUZ4 +3UMP/RTSPwl/74wT/SHaHQ7CSMR5uNDEXrgt5VdXPcah6aQroXkNR44dwHzaF3tk +Jn9kzseMc9f4Sw66rrHLJCsmTYgJRxVjAws4WaQuIaB+DRhdW7pqAURa1QsK9k9i +YYbtC14qBoieuj4gV+FuraxmTB/vx4HgJjeUy9Wld2Np8+7V3ihGXwxrL4evCXo9 +QDvs/QenVYF/MhPhRGE5+GqCDv93finBi9/RsM4bfiA406cWWOJwwjjxMrNm1VrL +v1C6PHMb6JhsjDDIkjDfJ50aWJdPmzSN25S9tllx1LVpdLWTQpc+LEyhvyyoJjve +ON1CC0Akn07cdI1ZsavBKhCGf8gzO9c709I6cmXvkEPW05qgrKcU06NRHq+bFqJs +gBeO/IhBid51uG2vREbc9WQTnNYUOyYDpAxtriefn6442byCK5FlFc9P/VWFIR95 +2GaFyGQuA+1kHckunzP9g5eBw3FQbIvq02KittfdKwRRPw/8RzFVGyM/GLS+UM7U +NzCHnWPQiR3w6rZ3xTe8IOgRORUJoiwJ/6HV1FXRdCfrKC9cUBniigOx9Cn1g201 +XHiua/yedfV00GWnOBDeqDFBpCBrkccGqUA50KOiqBrDK7bwGnYBI1ZdVAQGQ2UV +h5R5gi0fLDI19pDdeirOcNj4gyqH3EH3cSS/Snj+jmNoE2hruQINBFmkPJYBEADN +vkjLcOjIVaOKoy8X5QuNurriz54O5jpTWAFhSgxUo//FHEqlFYCRUDdDuMD/fPAi +QXk6TNAGzN+R1guZtj9ekCI5x4N2wj0wxUN2Jsq+P+zTLkRQcajbTemOsboI/w0+ +9BlvktBFV0E9yrJW4qbOV/w/DHWUq3JIggDVaVa00bvEAdJR0/uPJoGip4ex2Yh1 +70jg2GbtsFvm1ue8lwzSRbXsDI9RNsVa7hoJt4TfkLTYkKTd0oOQvP/LDgcmp5T6 +scDOdPx5zYvwF37DuC15Y9WYai+s6KLDwMy2COBexE1pLwqE3OV439BDVsFG41zx +mWUYUX65PXtJkD1NMJdnyiPf1KFEpzD0T7d+lnSPLJYx4Te5ahaZ1e8Slwa/q67t +i75kMutR5IV0EPEg/vY4bmEutoST9Y94ocArZ+0fex3DsVwXMdyMS78zfnm21bMp +sgfJx7YZI1gFQXAKtVlEWPHajyjd2tCysYHy1AnbehkHRIsYVqXV1AwF2bSN2rKf ++nCTjvNgt5VNAiJGy4N+QuXFy5X4NdgMdYq7vYT66IeZwlT9HV0wEB1jsX1y+50f +axfn2YOPFpKXzNd7VOQDDx19J1IsNw2Q7gnr4woqqJw+bLG7ClRuNfN861Dlxc52 +sH6rjdceiFsLKBj7T1mQFAUZB7TCMIvK2rrylc5iXQARAQABiQRyBBgBCgAmAhsC +FiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAmUb3loFCQ3wccQCQMF0IAQZAQoAHRYh +BAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyWAAoJENIdrTivKBwLz48P/jgM5REX +Nkh4oW2GHC2ZfPMiupF11zTBKWuIrsjLzUhOIqMypbKDBAQfqV+TSal6RTvvZHQx +YUxak4OK/TtjDL47XzHGQmzZbFndH42XVOuakD5dT2Sv+5oWNSZDz+Yk/1tg4aRC +D1MqATPD7N2O8Y7+NFU2dtQLV2MPa/70K/FmLiXmQgGfhKxuqWBFdpx2xNlpIpCP 
+EnkNgxfxUDW4Gar3f1eHAOuCt5HtturaiHIDmnuKz68epX2PVrA8ztjN564vldbo +N7ff5F0pUbS/Jj4ccozOGdEg3gt15LY2eD4fD1oX1HSwfqFvB54gSlCSYX4nkfXk +jid13CjAYAfaIbhCZ4cunivMD9og5sK0ZGTU0fGP6TTTeZdge7wjzdZJj9EoBgcl +c5H7McIkuGYTaTqowe6134s6W2bDJ4AsGkjRghRuv6XsgjUz137gNkT2P+PNOBV1 +9sTV3haz4i6gBr180xvvtOArwP1vTxnAa+Pms9bJt6W60PO6kjWmDXnPykwq7fpm +I7qgJ2svlqRcLN3GRLX3bc0jCpspUEWAiq2JQP3ejT2QmNF8GFCITQSB64Vb+aOB +E3aifBjt82k+KSvy/P8gkPCc3fsxdYSgnesrk6EngA7vOM/x9unm3yPMctpT2kKa +v/xh0IYQdsyF6QX/ScKl3kvuRt3LTkx7nd/LCRDbuAKyWKzYT9OtD/4kSvS6RMfO +XE2MD1wD9yxPC34H6y1KAwYWe77fzBdL247vv3k9tvEqa4qbHWNt0flzTZoHiJbx +q+Bu5FYAIwwbNYrAZb3u4l4adgzd627XuLg8i6P4Ff+JOW1zyb44N/sC9aQHg1EJ +o0NDYmrh+oPOpfe7Xb7pupa+s0JHajmtQAq8E1JhqXRJq08J7ta4sVMyfHw/Upem +QaXp9S8J4b3EPFtttrOF1FJlbOoJGt54foOCGdFIA+R2fMe0hW3IGqzYmVEI4H6y +E5RkBt+rEgv05UUOUwmGM0hjpR049j7YXHppF+jusHfDLEh+9j/6C2fxaF3EY7bv +/S7od6vRvq57/hVuUzDcmxRYA8HQI0nO2hHXRCwB1adgwVj76HuSjCkQTDN4nzP/ +WsmhlO83N9Vf4/CEBVcl3Hurglk1sSId1xH7wPUsla6uZC5OJKMMHcagaamtAJ5e +tEDGeNzQ2SxZ+bgBXXAQM+uqmAWWdY9i0KIemv6SRm+ALOA+jZ2/8VwpXu2IIDZl +ZqQqD35mx4uvXuvsMNU+Ms6ynTga6E3wXTI022aggATiufXtyyGkuj/I0LRB4wiv +XoxKeL8+d7Jqptwoq/3a8G4Q3ruyHYFGRDSOuePskEOUsYIaI5HCdYNLBjYssxBY +joAUn0zOB8dip05qQ0pVDl6BpA9Q7dtZErkCDQRZpDyvARAAtfnSrtM7lNxN5FPf +T0V8cUpXW5D3jhM6mC6NUSvKSDAeITNdQ5Rvo+k2GaN2dORrFSTRlBnGlF2DDpXY +128zcvJakG3jadgGvAMflrpTDbFN52591u/+JGbZ3rhTSKb0a+Vmo4MxDPKWF6ic +69Ktk2NMze8pgJMpaqBSOqjWGnVpQw/eE/aOPIqz4NMLLFDR+UdARmNOHoopeEG0 +Gvktvphq+P/6i1nedVCgAmSyiBujtHauAxCCjXfiSyTSieWENS93Kufk7SD+bJJ/ +kvlwVgd5zV6kGmqk/CSQLaKE/oKzJmuvGZpU79Cz9XKfeKHdi5jxJSq1S85OkcBr +L3G+Dgh4Ahm+IrUKZDjMb/5HHr1+WkXwOz18gbvI/aUD50luHLrFJcsoJCrCT4oy +UrpcLUjcVzIrQ5cndahansrJox5414iIeptEef7D52q8Kt+DyfLSBjudGV0g7mRX +EGDpJxBPhbkGJMwCoXTWlV5mPafpNIk1HR6igC8ndBGxNk/yENfSGQpAHmVR9Lzf +XwFBdoDgUL1CzAu0iGfiRO62rGMlx0ZkUADLREpeLqZexYmQ3DJ1G/czh9f6aA1C +DbD37kZ83St8GcDSFI+jvud5Dn7/zfOp+B61Ykn3Zm5dHQ8BO07LbbqyAH+312aB +lCWdsj8sIGF4KcxQSzuj1tuCLUUAEQEAAYkEcgQYAQoAJgIbAhYhBKSQ0PTTEaQV 
+Piu3ytu4ArJYrNhPBQJdnIcPBQkF2X3fAkDBdCAEGQEKAB0WIQQvr5ug1luzcfC8 +LUYwIKepwrcnMwUCWaQ8rwAKCRAwIKepwrcnMxWKEACjpk4elL0hsOygwHaWilUw +GIWnM/s8J/COeZ4aPJYL0uBRd4duvewHEf7cWs9N/69HRY1m5o1wI/lBOKB32QXM +aaLVXDuMkuXrZaNkT9D4WdCJ719izhkBQ45dOWJvoq8aJv/Q21ZiQF4KqMpbgoIf +/LMr9NTR64pc3j0W7QKltgtMwzK+mT8dMS+xpbsas4T7SMmzPuSKcGHFgY9yCnPU +p5OBKXsegPmgcrbL2MkQWTyziUizy+3Mnr4ErKvqF2HKPZzepShrS2dnyokRhFUL +fS7gV5pRlHMUfar+SvUZHxSEScmaE9ANTDfGLvg07g/JA9p8+6lBlmMUkC7p4zih +cUIoNXehfFsumReFea5qzQn7VWOQEYTNwtv//rmYiXtSCGGS3Jt7ZU7gviOkmnmO +fkpC3haxJAYTQrTxoIVoDqALXEU2Pg1jNiWlFKV7kRBGctnHuOYgjmgKxIwmUO6u +fA5grrE16peYhkRLeN4+m+pOG9swUwtvVdzS7zY0Qq0qP5zWrh9P13znHb8zexd9 +DafgIGbP7lJqPP1Lh2/Kc676/SpyT+2A8tegsFdlc7yU0fHAOcbhOpMccXkYNGjq +zAUnqY3K17Pi4JHHKM0xHYmRlZYWJ2fZb5IN54EM0sGPZsOcIa1qg79qzjrY8ep0 +XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E+5hA/9FQDQu1N2EZl7FrrAdP9xO7y1 +ZUs33gys9eA7bY8ETMlDqchnEbnbqP25W2yObzrKtshVn44fWUGOwSmIDfVm0ATk +uJgMReMTo3APfOHlV4HKlMZYMF7NufJs4f+0/DYCq2FN1ZscQmph8YKAsTFKxXWN +w60ilfQoY/KxLbQ6YTw8rfd2FM0ZwjV1PbsF7HR0FkZjbaJKry1vqtOS+cjs360t +1rclm1KRMV9/yJJMow2VV+9FIhbZMowrfZI7Qx/Sx1pYNT07D9dBNeGSRnLWEubO +/mb8s1Hzgty6CEf6qlEwdRMVELXaVJcf53CKEqZe6uhVmTq7wrmbpnb/I0Wer6ig +L+aUvtkM46O8zVCT6T/mnsXyoCV6zmCPYM9RECEyRACx4Ik+ExjLnRLezYhOkl7u +N3qTS5rxR2otbESgWNx9L85Iz75ahU0zas4FR1cZ+YC2fCRAqmPveAidJbJ0ZJrx +/JH09udX5LafUQIVkY6xmoE/9T8bIVSbDFwifig9OdP/OtaDJBS0BOfQ9QdlpIWe +2owVZa9Aa54U2jjiupCGY0XB/LoNWe02WGUNamnXegG+pHGGGt/atMAFAtsAJeXp +LIddO3mQdbR25QgJ58fHtkX9y/FMT4bb3FIIVfd4PMmQibGXEwi641+MtwlJ52QV +ZRmL+2XahXoqCx3hpPyJAjYEKAEKACAWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC +XtE6mgIdAwAKCRDbuAKyWKzYT4YwD/4+b6U2Xx3aBnP77ZhS4wP50MmXRn6LAvN+ +RIcq1FAzwsXRe0zwP0ew1YP8743nOjoFVOZG6iRHNOzvBOBwQ3wvlN7cqa8kFWpF +tNdN1yFFIjO8bDFtPkXgeFmgAJ2fS9gj5ze75H1/bRqf3NO9NVWvX0C1sVJ2jLJI ++LSys+kuv9YpPOZeGvg5qgaG8K10q/Ic8wGBXNi2j4Wf1jBzDDlFfRVb7doUrEQ6 +BeNJDhaOnnvVWBZ9E/iwHT+GElvtVHhztuKoqp10KFwudGm/Z4a5uLX8RZxtn3Oq +DdyQ+BX+tjy04dcKV4fJHnh5Lsfz2AMrHO0Z8mipu6AOxCMHhKlZJGka06YkeE3y 
+6cOC6yWoL/tzMCpJUczLB9JA6+gu0sUSXTpitsNhY6+56XPHSV/3mBcjY4o4udnD +PcWF/Eji1tIqRo7B5gX3gk2n+WTWXRdosGb7PCSoK/YppOHrR4RWyxek9w+0d6Ud +2SMupvTu9zn55zcqbTX+66yfpd4dXw8qIVTb9yLcIq3A2wiegZXUJqJYpbgC9cAM +mL19S340zxOJLsEeg69XDOKilZ5OsSUcocztla554wAE7rYd7x9UIWwaVq1r9jle +1T1yFlznOjx2iES13VMfpFIq7uBOvt1GiY3nmGG+F0Eu6APcj8x8WP0bB2+UfxO9 +LjgBhY+1fbgzBFmkJ7YWCSsGAQQB2kcPAQEHQO2oCCt4hgIeuO+NiUF0w66A1RCF +b4TSSjjKfBJSLXSXiQKzBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8F +AmUb3lsFCQ3whqQAgXYgBBkWCgAdFiEEzU1DUa+mkz9XSpr7kLK0vXrtI18FAlmk +J7YACgkQkLK0vXrtI18sxwD+IfLH3BZ+A4AeVGt/uVamTk4XkEc1KtOolrL46IA4 +kbYA/08D6g8aZ2vdZml/o5xZz9S/O7tXMRjhSitE+m3SwQoGCRDbuAKyWKzYTzl8 +D/9kZMliItAia0gGWnNAvc1jRaLE+6hvo4RsmP6S8PjitcOF7XZW912ek6PaU1QE +LSlgL/nyqctUAoV4XSdze4H23Wwuf+0nX895UUstsfhNyNamonQYQN7Csz6CYnwQ +poZm2n7frPKYgLfA7HJoXEbBhktbsQTSNY8BG/XgGZh+1IiyCCW200bLv8j/UHNf +1uR0O36TwdC85ax5Sh5bwp6RAhNC7q/hIAU62DeZN5rxiLvnRMnPwrSr2Mijxi4s +jHRKiA6vGzIdwrU8tAPoce6eWTlYgkCh4hxPDDsM8RtwgF7TuRK+WBejw9y+Uyc6 +oskBHPylUcHNSE1/Jm8HFZY+BnM2b/dqj4xAMZwcA1uqR19zPaygRiFEVtrF5GBy +xS8AE6am+Y1Qd3Rc9OwWkV0Kvaa7ew71GfB8vxkyDW/ifrVHBnZGwJW5kFxhjZRo +EK7p+cdcfdchojYw/AB+Al52TRtNt5o7IeNrndKF/wBhcBkFMGWjGGhI7jf9p99S +DTiqXepXsE6Qfu1OSTIO8TwEOg2ECshCnsaYKXODLcVUOLH3qCY0czotmir/c+5/ +GaXsAgY9JkNQ8afhCHiiBu361Y38iJ6XHJICs14sycAZg9hnjdxa2tHhGhKAEprD +nNT5cuEhnFAQotGGgQZTbQoTrMgo1j3j7kmfn6RAfPY0JLkCDQRbh/c7ARAAv2qQ +AXsiacvxtqSapDrjSGqyHhIuOMUThclv9XNdmZgkZtMMEOY2FBSm6nKfZbq8nsdH +Nb9wI4pngikfEXeqgFiIsxDJuNJxIRlxu/EF2GDHFZw9lex0KearvT5reZRrWo4N +iNHyICHKJsNdmh0+SlVI4JrVZK2iknjwSilqFQE6RjBrcr+4z9KcIa8xXyIVudU9 +8oDRWUmtuL/SNLaVus5VIlMrFogPBZt+XI+RshLpDnGAoOCkJVP+f8anaAP03RDj +129iOZPlpNNd8SXP2YpgDYqas9HBZWhjR2rcdLRYf8ELhH2hPh64P/vXvu3yYukK +QU6JM/KfXpx+DK5t1EHptckyI1b/tAq5iMm2iPzFnyZPMZAQXpEWWax1sJRyi8yL +/0GATF3yYFhimo3Uvjo2LId7Vw/sk8TlHtzDo4LFvoqMur69pBEXGDIWFnJv+oN7 +CrSNJ8bwCMSsrsBVT2smD3NNIsWOrW8xQ19x5md9HW0t1QR0puC94ixHhV029WoG +HClG/MRNrtqexOH2J909chXkLL5DlQlqC4MZwdQYgT5BsYTnZaq7uz0xaI73Th3h 
+VS3pq8mkXuDwqG9/5/pxyW0ipLfNAT4Tl/vhaZayMSMaWlKk+j2um1gga0JXXWrJ +R+sRvWhgYLCfXLxOOoITqgKQRoz2ft0IKV9gS/8AEQEAAYkEcgQYAQoAJgIbAhYh +BKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJe0ToKBQkGYEbPAkDBdCAEGQEKAB0WIQT+ +Apy0qtR4jh14KOiosPTkWxtQ4gUCW4f3OwAKCRCosPTkWxtQ4j5bD/90lveXhTpp +3vgzWETrRsz22p9zQmNiJGDGmWYG9j77Z4URU3pAmov1tInprnjrqT2zVXWqZBwA +1PpDtkZpybIcPmoClf6g7FsZXSGmkyIkSCr+cgg1d7zTBWmfyXMUwO2i1PplmDZl +i9HYiFlRakutv9TU5qbtgNJsATZzVQoTh/kfAAIDiHOW3NXFWl+hkyJ2yTHLgRUd +7qc4jtKOKkhBMjOp0FTczPBI24tJNTlbU6BfN6CfJ+0nGlcafCRnh2F8SwUP7c4S +GjPCoiEKNwLu+YZlcCk7dqANbMMmeLgb7bZpPA83bsqGgsJlowueenBgIbqw6wdn +uUbOAq8zW6kAWljKSP/vduu/Zf2YOSMNZjlOqm4nXIi4u9GZGc22FFe0V2VOl1Cg +6OeFqBDkd45hqZuUE2O10mOWRT5wF7fEqPmC/zK0Qt53MJSkdi0S2t9qcrU8d2vw +JmvB1msknZ0e3VUGJYzGbjZ4g9RUYwYiV7v3b0SjMiUL9plNeZvv8AIsLihu9EOA +s5MUWRb/2NfOFOexlce8okeZuToP1VkYndrp6NUPvF615Mn+cmEhF2gNAVJZpbUa +orjJeJxGsio+5Lz/QFFVJL+TW4hTrhe1UTItoWn4lHyKMDPX08lfrQgcZPv58eDv +aTOtE0saPE0UGKTSd40zd1m5THzifLytsgkQ27gCslis2E8buhAAlL3yC6lTN6l+ +QYnvjnns1PtBYXMCZ8VZ30ShlKC3XqfFq1gPZY8NgYjePn8w9TF1Pz9IvnORHueG +sCGGcVP/HCwc1R9IX0QY40DmicP/65/Cnr9BArmZDTszlRDvzbJDXXHWI1709KY+ +5SptR4RfLX6I1Ps589pvxYZEvhpPJk1WPYIK0TdUtOeyYAcKtKAd4LiM9KttNsUA +xQwTn+WHOf+1GNqRlCXExnYFclAB+Py6DUHA9IY9vILN2b7Im/+Lq1dHQP7xFvMm +s3uxcwzfTf28hDRP6avaWe4/uhAhO7eojL0X8nrYFy3C6bVqzw06sWSU+XST+fYq +v8s/SbubMOhRDuRoE3Ue/mptG700bV3KZ4rYawfNSSzp5lndbd5WvjlASMb6frWd +Yq0f4SvlGYPkr7duvJb2vkvhDyFfXO/3QvzhOmTxGrC+FQHZtngNohCe0NzC3+HM +KS7bpuo106f3+20UXXUTh/EqT0UcYMR2GCtH7L5PGy/jcL46xK8mvpXUQUYOrfBV +iR557BGJrxNpkpxHstuAH0yTWN5sG4OImKzR3wQUJep46o7hfxNLmBwe169oZ6C2 +n3SNQFYE7QgwOlu69JbQZ+KrdFi8oZng/lJBFwcCe3gesly6MPJ1M3NQDCz+b/8U +NQbBWF+okwobdl869P06GZtOgG0eh8+JAjYEKAEKACAWIQSkkND00xGkFT4rt8rb +uAKyWKzYTwUCYWhRgQIdAwAKCRDbuAKyWKzYTwX5D/9ashfmjOrB+U8HHKMGDY34 +NXzHVKwh29Zcvs50z9TZipnFsxZdEggHjvb3Re4p91Yy0D/9ZttrXek0Nt+4TXQf +0MdzfO44pLhS+eLefg1F074/zVhk35q/mVgrcveQ4oYQ8qC85Y4cY8zjOYTZih7o +ty3gREJOKJnjPkxfKFi3cDaAwUMgdpAnSiv0j+p/1K0G26xm8SoCHvaVkcaK670/ 
+v6P9PxESo5JH/W/suIEwEbdEMINAdz6iVODXFZxcTHsh6rWzRYvZAYCnjIDfVM6m +MRvycaZrQBzeKZmkQvZYi0OxM9RetJhBWwPX1rmIEDCW7m343D/0SmbztJjMonyL +NfOMRu4u7Xg+6z6JzH23CHyItLbMAajx8uKwRqqaZdlFsO7HZbSUvWiq6U04UbJN +buhalDfMxWKL1pHFQQTNTjDCdMOI3AWrkDBjSvJko32zqnqYs3T41gyVaO3jqSeS +uCxk+q/tlIZBYkb1ehHSDC8UVMw0QObfCLQqFb9yEmlQLbNLFVb/O+fp1mOwmCns +p9EoNxyA884deT82PwIBLZNgYd435ZxHJc5prBoCyOJQqntDVXksk68Ziex1ygJc +tJ7KhYWI2Nftva5p2hH7YtowbVd9pQFX4LeeO7iAh6gNFOoKUW+LfIIp8aGOqQxz +8QgEOvnvRPWzu9sWd8OJZ7kCDQRhaFH4ARAA1YVRGK45ANlN6p2phi9wfgxlu6zh +4x+gYC1ccTIwPpx753zEB4HceBYdBE4hhAx8K6HD3RYjtchN2gzRAf05M1loFTKi +8x5LiSGqtNYKNy0EDQN8WRxKa857ogoGtJUC2SYmvkjYFqKZryXG4WGzQnNn66sb +u1x2UfjdMXB47SHIpVWTlmGl+66kYk8U9e0NQ4hqT6rRYCxv/ZRuyJCkCvFE20js +bDv3W36PDuK9cJKyGAArWAjYgrioY3XLFMN5RSw4P+Rjy3Jl+Lfd/AdA0ZGTzOvb +r251Fp1JLji8LCLplfREUo45nRy7rSKiLdkDcgDV7X9iLbEQSsie9wo9+NcoPIO8 +55ju/5HC3mw52AkAj4sRusC8uKFo8d+gLH7mahf+K1NS2DRXiYFp7pDks1U/zd1D +NhoOCXJvT3vW3Giso+qGqvpYVm9iV9SJcxJBPTRF5/uAa59k9E9dmM6YaUcCZLEx +H4Xnh2SYlrD1kfJuNdUIbMVQbFUzIQKhhS+lLW8/3JGnyOOYSYmXG2/4eLCrQ1/Z +n/29cHFgliUmx40WYLCQLaBmLhYuUzSaMyXVzJAy8H2EkzXUgpxjQGDmZYm2LaFD +3mPr68N107/EQ94//LmMTvCv1qt1J3HuWwLrw89JWKYMkqE5qZQ9MPm/03Oxl3hG +MCsqYFzdmtSd8F0AEQEAAYkEcgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJY +rNhPBQJlG95bBQkGLFxiAkDBdCAEGQEKAB0WIQR1P5ATd6MJ8nMfoz97+9K5Au4T +0AUCYWhR+AAKCRB7+9K5Au4T0CI+EACyAcBp5P+BjWxQ3shUHWXY2hnyQwTB2hNY +0uT70f4Ss63i3Yn1R5Ms76gMS6RuAq3+k/CHd+FqXhj3STR0XQC/l9yP2tDNQ1Lf +NTS82OLuIPrg/Rwa3NOWaQ8sjVDtQPCpFjmx8QkRNZ856QZapmvs7V5n5xQFbidY +/JFL89R8xysZC7psXt3EM0hE3kzGLfVvRcn6iKxtJGWT6oyazxAiml+AYxeSmNH9 +wwpjhbWBh1tqgcT0MS3wmIwv3bLvyaHfxe8y5r7gb69/nng+Sn+PFY6v3JLGIjIC +xUjIYMqUeaC37sVfJQT9tcptWKYmgcZTcikx2m/VE96gamAJ1sNVpHN2s87pfDD/ +19vx0rwKiN+vVD5cNIRVSvcgPQ3DKH+aqKMPTev5g0U1Z9l/o7gKMdT+SqQesfvZ +ClBTwzQbGkpCFympo/xzMr75jOQjBjefW2ROQL6p4e4vH89QgHwjv3FP6xyxeIWm +Lrj3TCiuS9oHEXqJmxw67TQeYbd6fwmh15GT7453yiJZvkAsvsOxW4NZxDYd5+c5 +Krm1CD5FgY+yDB38tKEUqUA86LTPcvGWvpxMFlgnvtlKa6dibbDSPJhrmfLBUztv 
+oGbsaT3othmODgHucsZ1EBypUElW7vX6Jz0BKXEKXdQCvyWxqVAjpwzblVISG7S3 +/fW7bv1fYwkQ27gCslis2E+rgw/+K7PrQMhOk/kv484N7mYujOIYpSwSx9wQPuQx +k/EGUjWqw5uDijNLRYZz0uEkUlF7vyHPpFK8fHFEeEzvpgzrsd9Op/SGZYwCxxVG +18O4RZk56kzRIiEzmewRY/BZEccRrqam3xQ2jcvZTiJBLWDnMpjsC/UbW8APuE5F +KmGuk+A4xyDDJrqQpl2bBUXRqLu6xO8ywMFCh4JEtz1QEPZ6KKnmLPRHNmTZStpD +8pnMdm5TpYseT4pw5wYbYGBNtr147B2XYGk/WAsXpFBocpWj3/ebWjHWI9h7uL9Q +1+NCZR4qdo5D5Llw/RXu//G45dcV6hRKy53tmaEKZO2mXEOg32r7m8mqBWLT8YwB +SGPH7n9n9ow2h+zUHl3esWnQvwVbdzJTXvPCRQQf4FrLuIq6l0t2l4FLCliclkTn +2VQTrwPFEg5hbSJwKz+UDqDMolsg+25vHxf1XMmI36fka+SxUa+tlQY14bl08xap +tnXRkFlxZpdKNFQOtAQ+jp1KYcHP4MLvnS207FgKTAwusYgiRiBH7pDA2duUswjf +zY7Da6+mffLUPmEQSH1L9CV8zl68qOTsr42SMpKgLzNvlVRw40EV+i5j1WoM91fd +uVY95MTXjUIrIV6l2SsYyCE625KK+NE7Yqc/jrUa9FOoj9kpjEynKbstySxt/GZk +GFcEMh+5Ag0EZRvetAEQAM7526JIrsPY/zxitpYaPVipySXoDeE9kVA2ZSFvPf4q +7wbJifP9uvOgj9eXpbuCroWpICLhHhvwgjeqzE2wzP7Vre78Y5ZZBCqUPJ4DKh/I +UIbqI0Ac5lcI857GFvqT2HUsmEwMQxBTUxLK4AgoSFpzup6FM94HhUE3bpuPlgZN +ftnbnQ0GTLZOBW4qpJu876hnB4hIwcMdzulHsy983tTVuKIUal47o4EjSLJ1B8zD +WDIsCqw3sb/zMhnFM/WhzkVtof4V/QNGnHKipl3eDM9s++0Ne9aaU/FNCXf74r8v +RhQ1qYVJV/yzki0r2lagrQClM3Spqia4EPh5YFhSE0UcH0lmgOiX9GZ6spcD3x2v +mAuedZd+zIUww13tE8tTaMSdiPISvEifIq4IcA8Og0wn2pjy+48udINQfJLsz1zx +jjYWHdbxtaaluy1fXBTSczRgJErKnh4M3XoOZBvdme9VVwKBd/wLrScqYx1B0X6w +qqANmGCyuIow6obyQJIE0kcu3Tzcz9MYJJ75aG1155u24Kxoo9/NeF1csSwSahoh +b8NygwympmS0l2o51g82Lgbu4uWPBz4WMui5BNnkuG3j5LF6vzwvacwEBy2VK8h9 +kKGhB868LtiPZ3sStXQOVg0LRgg4sfwKWqqN/jUvr9uiW3EsyOY94nh9hJ1PFC4P +ABEBAAGJBHIEGAEKACYWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUCZRvetAIbAgUJ +AnjQAAJACRDbuAKyWKzYT8F0IAQZAQoAHRYhBOFpOx2rUl8qrWcC3OXbouGG1br8 +BQJlG960AAoJEOXbouGG1br83QUP/RQjSYpdMHgHVDVRdCHO/KW6/uTCRjv+UaUG +CkvtllvdxK1Hx1QP4QchS0MbsoDDcRFR7y9OLZlzNzHwpWGfwlNXrwZYN2rc3x56 +Y4+Wv8cjGdIGkyUpv1daaHq1ytG3UCT+hioLHFmX32dugsv/UG6PiOJ5K7vNjgTs +SY5U0wS/udbZG5kP4QIjE4Tok2o4Tw6crgrTYWSMqTdRjGjSNaXNTeBEBLB0glD6 +7zLB8NWMyzOvfwKICiPNW9uyiFjlA1u7Zq8ZoNRJH7DtmFnc7k1xf1yCaC7qWh6K 
+lt9gP5w+ltVjdnS3H2Ft6i1jTyHllvH9gQzjEFIF/CcAeXh/jR7DVEZqi48UEtAb +Kh5lhJrsgP1c4nmv7llDgFgSjTjsFXocE2BSEHthQ/vzz94SxgbIM3w59ktMPz1a +96u+GiIVWFLlNwiToTIqRtwRbz0aQx0GJr8v/BayRLNe+hLiAtCG7f6LD2Wrzi+i +hi5j9WdByqqBv+gVmdICxP9uog+JKHcpxeXze+zh29bEygNuhfhUv/vq+N8xZeai +WfVjJvTuyKaZ/jrT/mRBqUb4857Ua3XXduUmJOSmySDaqmsqaHcyo69Ps/f4Zq4V +4JGSsqMKelqOHQ2XkVhd/UfLBVJ1kRHNbtzZzdLhAcC5ejlDe9hcES6Islhbt8Ry +hs61nlwN9CMP/3ain9uHZ5FmdlKFnE7DXfhUe0b/N5r6GYAP4mL9RWiQ/HT7DGOO ++y4JbnunneY+AxDfT3fQFjcgi8JPdn4GNO41zzKvq8jq2qzqhF2sn7vMVg0B6h35 +TPxn8vmxcSUWRTqrw5+m5fFR3Su8i6f71oNDtO8pB6M8nw0LYnaoDcclCXLPO2Nx +UuqKXcDCu5QEWb2YctgyAOYBDnITAr67zdfJfPoE26Q0yvzn9Pvdcdxk3dxyOTi3 +sOtcHr6N10fKYPOdf9dcLCgOY1XzNZjjbzzFCRnlhz0bxQ/TK50a+GDSg35L/cbb +yE9cLO2uNGFnk1hw3N67M0gHZEE5ptPO7WqK7DqxwP6yelfHrXn8AGjHlM2pzzL9 +BvAuynXmKHEn3y80M57OcHmM1dIlBIXZOiKIJnhFYle2tU2FxYcGWqtOBhdI66tx +PvTVlN+4h0973T02UF++SK687LcVGLSmPyoRqMOyrwueTn7yyfgB31gTNpFBIjl9 +UpmE6UDFsKXldv9VI4/kSKkWTpGlnMgvldWOdrlV6i92oMPd74bAoL41D+Xs6Bzk +GneYBtrZEG/FKSAIp51g61pkHv5p+aEJbUFMX/ShcwYnmPtACpDJHDPIVcMB6lGo ++iSKJxa8LUOEypsbVWezwU2PP57D+9TovcMIRuc4phcBzSePlPaAvN6C +=8z3k -----END PGP PUBLIC KEY BLOCK----- From 8fcf1ddba8d1dd56332a5b156591574e69b6d3ab Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 2 Apr 2024 17:06:12 -0400 Subject: [PATCH 04/26] Makefile: add real.gitclean target which calls 'git clean -fxd' Ease cleaning up everything. IMOH better then real.clean target Signed-off-by: Thierry Laurion --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile index a64d4b09f..4f113d9c9 100644 --- a/Makefile +++ b/Makefile @@ -793,3 +793,5 @@ real.clean: fi; \ done cd install && rm -rf -- * +real.gitclean: + git clean -fxd From adda59c6752719bb4cbbbfcd5268bff00df5bbdf Mon Sep 17 00:00:00 2001 
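Review bot: `real.gitclean` is not declared `.PHONY` and carries no comment, and `git clean -fxd` removes every untracked and ignored file in the checkout — including any local, unversioned configuration a developer keeps in the tree — with no dry run, so a stray file named `real.gitclean` would silently turn the target into a no-op while a deliberate invocation is irreversible. If the Makefile lists phony targets elsewhere (not visible in this hunk), add `real.gitclean` there; either way, document the intent above the target, e.g. `# Wipe ALL untracked and ignored files (build output and local unversioned files); irreversible`. Note also that `git clean -fxd` leaves nested git repositories untouched unless `-ff` is given, so it may keep build state that the `real.clean` recipe above removes explicitly; worth stating in that comment. The `real.clean` recipe is only partly visible in this hunk.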
From: Thierry Laurion Date: Tue, 26 Mar 2024 14:20:48 -0400 Subject: [PATCH 05/26] LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key. Fixes linuxboot#1092. Supersedes linuxboot#1093 - Cherry-picks ed1c23a (credit to @hardened-vault) thank you!) - Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!) - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed. (linuxboot#1093 (comment)) - kexec-seal-key: Identical as in ed1c23a - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options) - Here, we cancel the diff output shown on screen linuxboot#1093 (comment) - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." Signed-off-by: Thierry Laurion --- initrd/bin/kexec-insert-key | 3 +++ initrd/bin/kexec-unseal-key | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index f06c54833..674aab4e6 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -57,6 +57,9 @@ tpmr extend -ix 4 -ic generic || # Check to continue if [ "$unseal_failed" = "y" ]; then confirm_boot="n" + if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then + echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." + fi read \ -n 1 \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key index 3f18c4358..6f5cbd9f2 100755 --- a/initrd/bin/kexec-unseal-key 
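Review bot: The new `if diff ...` prints only on a match, so a missing or unreadable `kexec_lukshdr_hash.txt` (the case the commit message itself describes, where no Disk Unlock Key was set up for this boot entry) makes `diff` fail exactly like a real header change and the user sees nothing — from this prompt alone the two cases cannot be told apart, and the recovery-key prompt follows either way; an `else` branch (or a preceding `[ -e ... ]` test with its own message) would make the silent case explicit. Separately, `$INITRD` is unquoted inside the command substitution in `$(dirname $INITRD)`, while this file already sets `bootdir=$(dirname "$INITRD")` earlier (visible as context in the later hunk at line 41 on this page), so `"$bootdir/kexec_lukshdr_hash.txt"` is both safer and consistent — patch 06 below does make that switch. The sibling hunk in kexec-unseal-key hardcodes `/boot/kexec_lukshdr_hash.txt`, so the two scripts may not be comparing the same file if `$INITRD` is not under `/boot`. The enclosing `if [ "$unseal_failed" = "y" ]` block continues past the hunk.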
+++ b/initrd/bin/kexec-unseal-key @@ -40,6 +40,14 @@ for tries in 1 2 3; do DEBUG $(pcrs) warn "Unable to unseal disk encryption key" + if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then + if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then + warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate." + fi + else + warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt" + warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu." + fi done die "Retry count exceeded..." From f6232aa70f7d16fd637e8974228451b61b2cd45e Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 27 Mar 2024 10:04:10 -0400 Subject: [PATCH 06/26] Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key TODO: - $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header) - Notes added for TPM2 simplification over TPM1 in code as TODO Signed-off-by: Thierry Laurion --- FAQ.md | 4 ++-- initrd/bin/kexec-insert-key | 14 +++++++------- initrd/bin/kexec-save-default | 2 +- initrd/bin/kexec-select-boot | 4 +++- initrd/bin/kexec-unseal-key | 13 ++++++------- initrd/bin/oem-factory-reset | 2 +- initrd/init | 2 +- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/FAQ.md b/FAQ.md index e3909b1d6..1e2c1c609 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -112,8 +112,8 @@ your disk password, which is perhaps an improvement. Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase? --- -Depends on your threat model. With the disk key in the TPM an attacker -would need to have the entire machine (or a backdoor in the TPM) +Depends on your threat model. With the Disk Unlock Key in the TPM an +attacker would need to have the entire machine (or a backdoor in the TPM) to get the key and their attempts to unlock it can be rate limited by the TPM hardware. diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index 674aab4e6..9a48c2584 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -1,5 +1,5 @@ #!/bin/bash -# Unseal a disk key from TPM and add to a new initramfs +# Unseal a LUKS Disk Unlock Key from TPM and add to a new initramfs set -e -o pipefail . /etc/functions @@ -28,7 +28,7 @@ if [ -r "$TMP_KEY_LVM" ]; then die "$VOLUME_GROUP: unable to activate volume group" fi -# Measure the LUKS headers before we unseal the disk key +# Measure the LUKS headers before we unseal the LUKS Disk Unlock Key from TPM cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks || die "LUKS measure failed" @@ -40,13 +40,13 @@ SECRET_CPIO=/tmp/secret/initrd.cpio bootdir=$(dirname "$INITRD") mkdir -p "$INITRD_DIR/etc" -# Attempt to unseal the disk key from the TPM +# Attempt to unseal the Disk Unlok Key from the TPM # should we give this some number of tries? unseal_failed="n" if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then unseal_failed="y" echo - echo "!!! Failed to unseal the TPM LUKS disk key" + echo "!!! Failed to unseal the TPM LUKS Disk Unlock Key" fi # Override PCR 4 so that user can't read the key 
@@ -57,8 +57,8 @@ tpmr extend -ix 4 -ic generic || # Check to continue if [ "$unseal_failed" = "y" ]; then confirm_boot="n" - if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then - echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." + if cmp -s "$bootdir/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then + echo "Encrypted disk keys(s) have not been changed since sealed in TPM Disk Unlock Key" fi read \ -n 1 \ @@ -69,7 +69,7 @@ if [ "$unseal_failed" = "y" ]; then -a "$confirm_boot" != 'Y' \ -a -n "$confirm_boot" ] \ ; then - die "!!! Aborting boot due to failure to unseal TPM disk key" + die "!!! Aborting boot due to failure to unseal TPM Disk Unlock Key" fi fi diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index 1e5fcd810..c7a4f04fa 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default @@ -195,7 +195,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES" read \ -n 1 \ - -p "Do you want to reseal a disk key to the TPM [y/N]: " \ + -p "Do you want to reseal a Disk Unlock Key in the TPM [y/N]: " \ change_key_confirm echo diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 4161af4ae..54ce4064b 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -70,6 +70,8 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then else warn "Hash of TPM2 primary key handle does not exist" warn "Please rebuild the boot hash tree" + warn "Select Options-> Update checksums and sign all files in /boot" + #TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot default_failed="y" DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE" fi 
@@ -340,7 +342,7 @@ do_boot() { fi kexec-insert-key $INITRD || - die "!!! Failed to insert disk key into a new initrd" + die "!!! Failed to prepare TPM Disk Unlock Key for boot" kexec-boot -b "$bootdir" -e "$option" \ -a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" || diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key index 6f5cbd9f2..77597b4ea 100755 --- a/initrd/bin/kexec-unseal-key +++ b/initrd/bin/kexec-unseal-key @@ -38,15 +38,14 @@ for tries in 1 2 3; do exit 0 fi - DEBUG $(pcrs) - warn "Unable to unseal disk encryption key" - if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then - if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then - warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate." + warn "Unable to unseal LUKS Disk Unlock Key from TPM" + if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then + if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then + warn "Encrypted disk keys(s) have changed since sealed in TPM Disk Unlock Key. You might want to investigate." fi else - warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt" - warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu." + warn "Could not check for tampering of Encrypted disk keys(s)" + warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)." fi done diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index ff0889f66..2380bf763 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
@@ -893,7 +893,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo "Each prompt requires a single letter answer: eg. (Y/n)." echo -e "If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. Y, above.\n" - # Re-ownership of encrypted disk key, content and passphrase + # Re-ownership of LUKS encrypted Disk: key, content and passphrase echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: " read -n 1 prompt_output echo diff --git a/initrd/init b/initrd/init index 67a179b76..cea537b8d 100755 --- a/initrd/init +++ b/initrd/init @@ -12,7 +12,7 @@ export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin # running out of the ram disk. There are no fileysstems mounted. # It is important to have a way to invoke a recovery shell in case # the boot scripts are messed up, but also important to modify the -# PCRs if this happens to prevent the TPM disk keys from being revealed. +# PCRs if this happens to prevent the TPM Disk Unlock Keys from being revealed. # First thing it is vital to mount the /dev and other system directories mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&- From fb5cbf41a13c900072e88e9c7a9f24842c8d5fde Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 8 Apr 2024 16:22:57 -0400 Subject: [PATCH 07/26] kexec-insert-key: refactor tampering check for encrypted disk keys prior of TPM unsealing ops move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes Signed-off-by: Thierry Laurion --- initrd/bin/kexec-insert-key | 20 ++++++++++++++++---- initrd/bin/kexec-unseal-key | 8 -------- 2 files changed, 16 insertions(+), 12 deletions(-) 
diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index 9a48c2584..4d52f73a6 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -40,7 +40,22 @@ SECRET_CPIO=/tmp/secret/initrd.cpio bootdir=$(dirname "$INITRD") mkdir -p "$INITRD_DIR/etc" -# Attempt to unseal the Disk Unlok Key from the TPM +if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then + if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt >/dev/null 2>&1; then + #LUKS header hash part of detached signed hash digest under boot doesn't match qubes-measure-luks tmp file + warn "Encrypted disk keys have changed since the TPM Disk Unlock Key was sealed. If you did not make this change, the disk may be compromised" + exit 1 + else + #LUKS header hash part of detached signed hash digest matches + echo "+++ Encrypted disk keys have not been changed since sealed in TPM Disk Unlock Key" + #TODO: remove "+++" with boot info helper when added, same with "!!!" currently for info. + fi +else + warn "Could not check for tampering of Encrypted disk keys" + warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)." +fi + +# Attempt to unseal the Disk Unlock Key from the TPM # should we give this some number of tries? unseal_failed="n" if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then @@ -57,9 +72,6 @@ tpmr extend -ix 4 -ic generic || # Check to continue if [ "$unseal_failed" = "y" ]; then confirm_boot="n" - if cmp -s "$bootdir/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then - echo "Encrypted disk keys(s) have not been changed since sealed in TPM Disk Unlock Key" - fi read \ -n 1 \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key index 77597b4ea..346eda9b8 100755 --- a/initrd/bin/kexec-unseal-key +++ b/initrd/bin/kexec-unseal-key 
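Review bot: The new tamper check hard-codes `/boot/kexec_lukshdr_hash.txt` even though `bootdir=$(dirname "$INITRD")` is computed two lines above and the code this hunk deletes used `"$bootdir/kexec_lukshdr_hash.txt"`; if the boot directory is ever not /boot the check silently degrades to the "Could not check" branch instead of failing closed. I would use `"$bootdir/kexec_lukshdr_hash.txt"` in both the `-e` test and the `cmp`, and drop the `>/dev/null 2>&1` that `cmp -s` already implies. The hunk's own comment says the hash file is part of the detached-signed digest under /boot, which is what makes the comparison meaningful, so a comment like `# kexec_lukshdr_hash.txt is only trustworthy after the caller has verified the /boot signature; the PCR-6 measurement by qubes-measure-luks above is the real guard` would help the next reader. `warn …; exit 1` works with the caller's `|| die`, but the rest of this script uses `die` for fatal paths, so `die "Encrypted disk keys have changed …"` would be consistent.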
@@ -39,14 +39,6 @@ for tries in 1 2 3; do fi warn "Unable to unseal LUKS Disk Unlock Key from TPM" - if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then - if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then - warn "Encrypted disk keys(s) have changed since sealed in TPM Disk Unlock Key. You might want to investigate." - fi - else - warn "Could not check for tampering of Encrypted disk keys(s)" - warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)." - fi done die "Retry count exceeded..." From 67f1dae840446b32d323248c614ac84ee90c880f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 12 Apr 2024 13:56:41 -0400 Subject: [PATCH 08/26] ash_functions: move sleep 2 after all usb modules being loaded Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset Fixes https://github.com/Nitrokey/heads/issues/48 Signed-off-by: Thierry Laurion --- initrd/etc/ash_functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index 8b52ab6a4..9ee01a70d 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -324,11 +324,11 @@ enable_usb() insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed" insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed" insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed" - sleep 2 fi insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed" insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed" insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed" + sleep 2 # For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather # than having it imply CONFIG_USER_USB_KEYBOARD at build time. 
From ae5f9c5416dda4493c8196ff8eedd969b6b1d41c Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 18 Apr 2024 12:21:27 -0400 Subject: [PATCH 09/26] Improve DEBUG and DO_WITH_DEBUG output handling to also keep output of kexec -l when BOARD is in DEBUG+TRACE mode (configuration settings menu + flash) Signed-off-by: Thierry Laurion --- initrd/bin/kexec-boot | 2 +- initrd/bin/kexec-insert-key | 3 ++- initrd/etc/ash_functions | 5 +++-- initrd/etc/functions | 30 ++++++++++++++++++++---------- 4 files changed, 26 insertions(+), 14 deletions(-) diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index bb39dbb05..6eede6ea6 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -151,7 +151,7 @@ if [ "$dryrun" = "y" ]; then exit 0; fi echo "Loading the new kernel:" echo "$kexeccmd" -eval "$kexeccmd" \ +DO_WITH_DEBUG "$kexeccmd" \ || die "Failed to load the new kernel" if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index f06c54833..29aa852cb 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -61,7 +61,8 @@ if [ "$unseal_failed" = "y" ]; then -n 1 \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ confirm_boot - + echo + if [ "$confirm_boot" != 'y' \ -a "$confirm_boot" != 'Y' \ -a -n "$confirm_boot" ] \ diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index 9ee01a70d..627f93d6a 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -23,8 +23,9 @@ warn() { } DEBUG() { - if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then - echo "DEBUG: $*" | while read line; do + if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then + # fold -s -w 960 will wrap lines at 960 characters on the last space before the limit + echo "DEBUG: $*" | fold -s -w 960 | while read line; do echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null done fi diff --git a/initrd/etc/functions b/initrd/etc/functions index f5df01695..dc4163e95 100755 
--- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -19,18 +19,28 @@ mask_param() { # N=0 is the name of the command to be executed, N=1 is its first parameter, # etc. DO_WITH_DEBUG() { - if [ "$1" == "--mask-position" ]; then - mask_position="$2" + local exit_status + local cmd_output + DEBUG "PATH: $PATH" + local cmd=("$@") + if [[ "$1" == "--mask-position" ]]; then + local mask_position="$2" shift shift - DEBUG_ARGS=("$@") - - DEBUG_ARGS[$mask_position]="$(mask_param "${DEBUG_ARGS[$mask_position]}")" - DEBUG "${DEBUG_ARGS[@]}" - else - DEBUG "$@" + cmd=("$@") + cmd[$mask_position]="$(mask_param "${cmd[$mask_position]}")" + fi + if [[ ${#cmd[@]} -eq 1 ]]; then + # If there's only one argument, try to split it into multiple arguments + read -a cmd <<< "${cmd[0]}" fi - "$@" + DEBUG "Executing command with cmd: ${cmd[*]}" + # Sanitize the command output by removing special characters + cmd_output=$("${cmd[@]}" 2>&1 | sed 's/[&;|`$(){}<>]//g') + exit_status=$? + DEBUG "Command output: $cmd_output" + DEBUG "Command exited with status: $exit_status" + return $exit_status } # Trace the current script and function. @@ -682,7 +692,7 @@ scan_boot_options() { if [ -r $option_file ]; then rm $option_file; fi for i in $(find $bootdir -name "$config"); do - DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >>$option_file + kexec-parse-boot "$bootdir" "$i" >>$option_file done # FC29/30+ may use BLS format grub config files # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault From 015af7e6c7befe9835dfa542e73f05bb5ca538db Mon Sep 17 00:00:00 2001 
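Review bot: `exit_status=$?` after `cmd_output=$("${cmd[@]}" 2>&1 | sed …)` records the status of `sed`, not of the wrapped command, unless the calling script happens to run with `set -o pipefail`, so most failures are reported as success. Capturing stdout into `cmd_output` also means the command's output never reaches the caller, which appears to be why this same commit has to remove the wrapper from `kexec-parse-boot "$bootdir" "$i" >>$option_file` in the second hunk; and the `read -a cmd` re-split of a single argument (relied on by the kexec-boot hunk that now passes `"$kexeccmd"` as one word) breaks any quoted argument containing spaces. The `sed 's/[&;|`$(){}<>]//g'` "sanitizing" adds no safety—the captured text is only logged, never evaluated—while it silently corrupts diagnostics such as shell snippets in error messages. I would not capture at all: run `"${cmd[@]}"` directly, take `exit_status=$?`, and log only the status, so stdout keeps flowing to the caller.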
From: Jonathon Hall Date: Fri, 19 Apr 2024 09:45:39 -0400 Subject: [PATCH 10/26] functions: Add visibility to DO_WITH_DEBUG without affecting command DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if not empty), and PATH (if command was not found). The caller still observes the exit status, and stdout/stderr still go to the caller as well. This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in the logs and without affecting the script. Signed-off-by: Jonathon Hall --- initrd/etc/functions | 107 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 89 insertions(+), 18 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index dc4163e95..6224a2b00 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
@@ -12,35 +12,106 @@ mask_param() { fi } -# Trace a command with DEBUG, then execute it. +# Pipe input to this to sink it to the debug log, with a name prefix. +# If the input is empty, no output is produced, so actual output is +# readily visible in logs. +# +# For example: +# ls /boot/vmlinux* | SINK_DEBUG "/boot kernels" +SINK_DEBUG() { + local name="$1" + local line haveblank + # If the input doesn't end with a line break, read won't give us the + # last (unterminated) line. Add a line break with echo to ensure we + # don't lose any input. Buffer up to one blank line so we can avoid + # emitting a final (or only) blank line. + (cat; echo) | while IFS= read -r line; do + [[ -n "$haveblank" ]] && DEBUG "$name: " # Emit buffered blank line + if [[ -z "$line" ]]; then + haveblank=y + else + haveblank= + DEBUG "$name: $line" + fi + done +} + +# Trace a command with DEBUG, then execute it. Trace failed exit status, stdout +# and stderr, etc. +# +# DO_WITH_DEBUG is designed so it can be dropped in to most command invocations +# without side effects - it adds visibility without actually affecting the +# execution of the script. Exit statuses, stdout, and stderr are traced, but +# they are still returned/written to the caller. +# # A password parameter can be masked by passing --mask-position N before the # command to execute, the debug trace will just indicate whether the password # was empty or nonempty (which is important when use of a password is optional). # N=0 is the name of the command to be executed, N=1 is its first parameter, # etc. +# +# DO_WITH_DEBUG() can be added in most places where a command is executed to +# add visibility in the debug log. 
For example: +# +# [DO_WITH_DEBUG] mount "$BLOCK" "$MOUNTPOINT" +# ^-- adding DO_WITH_DEBUG will show the block device, mountpoint, and whether +# the mount fails +# +# [DO_WITH_DEBUG --mask-position 7] tpmr seal "$KEY" "$IDX" "$pcrs" "$pcrf" "$size" "$PASSWORD" +# ^-- trace the resulting invocation, but mask the password in the log +# +# if ! [DO_WITH_DEBUG] umount "$MOUNTPOINT"; then [...] +# ^-- it can be used when the exit status is checked, like the condition of `if` +# +# hotp_token_info="$([DO_WITH_DEBUG] hotp_verification info)" +# ^-- output of hotp_verification info becomes visible in debug log while +# still being captured by script +# +# [DO_WITH_DEBUG] umount "$MOUNTPOINT" &>/dev/null || true +# ^-- if the command's stdout/stderr/failure are ignored, this still works the +# same way with DO_WITH_DEBUG DO_WITH_DEBUG() { - local exit_status + local exit_status=0 local cmd_output - DEBUG "PATH: $PATH" - local cmd=("$@") if [[ "$1" == "--mask-position" ]]; then local mask_position="$2" shift shift - cmd=("$@") - cmd[$mask_position]="$(mask_param "${cmd[$mask_position]}")" - fi - if [[ ${#cmd[@]} -eq 1 ]]; then - # If there's only one argument, try to split it into multiple arguments - read -a cmd <<< "${cmd[0]}" - fi - DEBUG "Executing command with cmd: ${cmd[*]}" - # Sanitize the command output by removing special characters - cmd_output=$("${cmd[@]}" 2>&1 | sed 's/[&;|`$(){}<>]//g') - exit_status=$? - DEBUG "Command output: $cmd_output" - DEBUG "Command exited with status: $exit_status" - return $exit_status + local show_args=("$@") + show_args[$mask_position]="$(mask_param "${show_args[$mask_position]}")" + DEBUG "${show_args[@]}" + else + DEBUG "$@" + fi + + # Execute the command and capture the exit status. Tee stdout/stderr to + # debug sinks, so they're visible but still can be used by the caller + # + # This is tricky when set -e / set -o pipefail may or may not be in + # effect. 
+ # - Putting the command in an `if` ensures set -e won't terminate us, + # and also does not overwrite $? (like `|| true` would). + # - We capture PIPESTATUS[0] whether the command succeeds or fails, + # since we don't know whether the pipeline status will be that of the + # command or 'tee' (depends on set -o pipefail). + if ! "$@" 2> >(tee /dev/stderr | SINK_DEBUG "$1 err") | tee >(SINK_DEBUG "$1 out"); then + exit_status="${PIPESTATUS[0]}" + else + exit_status="${PIPESTATUS[0]}" + fi + if [[ "$exit_status" -ne 0 ]]; then + # Trace unsuccessful exit status, but only at DEBUG because this + # may be expected. Include the command name in case the command + # also invoked a DO_WITH_DEBUG (it could be a script). + DEBUG "$1: exited with status $exit_status" + fi + # If the command was (probably) not found, trace PATH in case it + # prevented the command from being found + if [[ "$exit_status" -eq 127 ]]; then + DEBUG "$1: PATH=$PATH" + fi + + return "$exit_status" } # Trace the current script and function. From d8810b7032d4803c9eda2af509032e569868721c Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Fri, 19 Apr 2024 13:31:29 -0400 Subject: [PATCH 11/26] functions: DO_WITH_DEBUG: Label stderr/stdout more clearly "$1 err:" looked like an error, but often there's output on stderr that's diagnostic (like kexec -d). "$1 stderr:" is clearer. Signed-off-by: Jonathon Hall --- initrd/etc/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index 6224a2b00..e817aea04 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
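Review bot: `--mask-position` masks only the argument echoed in the trace; the new `tee >(SINK_DEBUG "$1 out")` and `SINK_DEBUG "$1 err")` sinks log everything the command writes, unmasked, and via `DEBUG` that reaches both /tmp/debug.log and /dev/kmsg. The `tpmr seal … "$PASSWORD"` example is safe only as long as tpmr never echoes the password back; any wrapped command that prints key material or a passphrase on stdout/stderr would leak it into the log, so I would state that limit in the header comment next to the mask example: `# NOTE: only the traced argument is masked; stdout/stderr are logged verbatim, so never wrap a command that emits secrets.` The `local cmd_output` declaration at the top of the function is no longer used and can be dropped. Bash also does not wait for the `>(…)` process substitutions, so sink lines may land after the `exited with status` line or after the caller has moved on—harmless, but worth a one-line comment if anyone reads the log for ordering.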
@@ -94,7 +94,7 @@ DO_WITH_DEBUG() { # - We capture PIPESTATUS[0] whether the command succeeds or fails, # since we don't know whether the pipeline status will be that of the # command or 'tee' (depends on set -o pipefail). - if ! "$@" 2> >(tee /dev/stderr | SINK_DEBUG "$1 err") | tee >(SINK_DEBUG "$1 out"); then + if ! "$@" 2> >(tee /dev/stderr | SINK_DEBUG "$1 stderr") | tee >(SINK_DEBUG "$1 stdout"); then exit_status="${PIPESTATUS[0]}" else exit_status="${PIPESTATUS[0]}" From d3656bbe65c4ac71a0d6ac205cedce071b768788 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Fri, 19 Apr 2024 13:35:17 -0400 Subject: [PATCH 12/26] kexec-boot, functions: Restore eval and DO_WITH_DEBUG that were deleted `eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when adding DO_WITH_DEBUG, command invocation is still the same, still needs eval. Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been removed. Signed-off-by: Jonathon Hall --- initrd/bin/kexec-boot | 2 +- initrd/etc/functions | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index 6eede6ea6..ccc59a01b 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -151,7 +151,7 @@ if [ "$dryrun" = "y" ]; then exit 0; fi echo "Loading the new kernel:" echo "$kexeccmd" -DO_WITH_DEBUG "$kexeccmd" \ +DO_WITH_DEBUG eval "$kexeccmd" \ || die "Failed to load the new kernel" if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then diff --git a/initrd/etc/functions b/initrd/etc/functions index e817aea04..7ad0d794d 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -763,7 +763,7 @@ scan_boot_options() { if [ -r $option_file ]; then rm $option_file; fi for i in $(find $bootdir -name "$config"); do - kexec-parse-boot "$bootdir" "$i" >>$option_file + DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >>$option_file done # FC29/30+ may use BLS format grub config files # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault 
From a767347afd77771697cbccdbed7d32e567ac0d65 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Fri, 19 Apr 2024 14:14:54 -0400 Subject: [PATCH 13/26] kexec-boot: Only capture kexec -d output to log, not console/kmsg LOG() is added to log to the log only (not kmsg, more verbose than TRACE). DO_WITH_DEBUG only captures stdout/stderr to the log with LOG(). kexec-boot silences stderr from kexec, we don't want it on the console. No need to repeat the kexec command when asking in debug to continue boot, it's no longer hidden behind verbose output from kexec. Signed-off-by: Jonathon Hall --- initrd/bin/kexec-boot | 7 +++---- initrd/etc/ash_functions | 5 +++++ initrd/etc/functions | 8 ++++---- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index ccc59a01b..144788791 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -151,13 +151,12 @@ if [ "$dryrun" = "y" ]; then exit 0; fi echo "Loading the new kernel:" echo "$kexeccmd" -DO_WITH_DEBUG eval "$kexeccmd" \ +# DO_WITH_DEBUG captures the debug output from stderr to the log, we don't need +# it on the console as well +DO_WITH_DEBUG eval "$kexeccmd" 2>/dev/null \ || die "Failed to load the new kernel" if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then - #Repeat kexec command that will be executed since in debug - DEBUG "kexeccmd= $kexeccmd" - #Ask user if they want to continue booting without echoing back the input (-s) read -s -n 1 -p "[DEBUG] Continue booting? [Y/n]: " debug_boot_confirm echo diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index 627f93d6a..db591a55d 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -37,6 +37,11 @@ TRACE() { fi } +# Write directly to the debug log (but not kmsg), never appears on console +LOG() { + echo "LOG: $*" >>/tmp/debug.log +} + preserve_rom() { TRACE "Under /etc/ash_functions:preserve_rom" new_rom="$1" 
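Review bot: `LOG()` appends to /tmp/debug.log unconditionally, whereas `DEBUG()` (seen in an earlier hunk of this series) is gated on `CONFIG_DEBUG_OUTPUT=y`; since `DO_WITH_DEBUG` now routes every wrapped command's stdout and stderr through `SINK_LOG` into `LOG`, those streams are written to the log even on non-debug builds, and the `tee` plumbing runs regardless. If that is not intended, gate it the same way and keep the POSIX form because this is ash_functions: `LOG() { [ "$CONFIG_DEBUG_OUTPUT" = "y" ] || return 0; echo "LOG: $*" >>/tmp/debug.log; }`. Either way, a comment on the function saying whether it is deliberately unconditional would stop the next reader from assuming DEBUG's gating applies to it.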
diff --git a/initrd/etc/functions b/initrd/etc/functions index 7ad0d794d..94f77d3e2 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -17,8 +17,8 @@ mask_param() { # readily visible in logs. # # For example: -# ls /boot/vmlinux* | SINK_DEBUG "/boot kernels" -SINK_DEBUG() { +# ls /boot/vmlinux* | SINK_LOG "/boot kernels" +SINK_LOG() { local name="$1" local line haveblank # If the input doesn't end with a line break, read won't give us the @@ -31,7 +31,7 @@ SINK_DEBUG() { haveblank=y else haveblank= - DEBUG "$name: $line" + LOG "$name: $line" fi done } @@ -94,7 +94,7 @@ DO_WITH_DEBUG() { # - We capture PIPESTATUS[0] whether the command succeeds or fails, # since we don't know whether the pipeline status will be that of the # command or 'tee' (depends on set -o pipefail). - if ! "$@" 2> >(tee /dev/stderr | SINK_DEBUG "$1 stderr") | tee >(SINK_DEBUG "$1 stdout"); then + if ! "$@" 2> >(tee /dev/stderr | SINK_LOG "$1 stderr") | tee >(SINK_LOG "$1 stdout"); then exit_status="${PIPESTATUS[0]}" else exit_status="${PIPESTATUS[0]}" From 00ce2f4d1c1b378c4125c4efd84b096929aebaca Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Fri, 19 Apr 2024 14:16:41 -0400 Subject: [PATCH 14/26] ash_functions: Log board and version when entering recovery shell Log the board and version when entering the recovery shell. Extract the firmware version logic from init. Currently this is the only way to get the debug log. If we add a way from the GUI, we may want to log the board and version somewhere else too. Signed-off-by: Jonathon Hall --- initrd/etc/ash_functions | 8 ++++++++ initrd/init | 4 +--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index db591a55d..54b721085 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions 
@@ -42,6 +42,12 @@ LOG() { echo "LOG: $*" >>/tmp/debug.log } +fw_version() { + local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ') + # chop off date, since will always be epoch w/timeless builds + echo "${FW_VER::-10}" +} + preserve_rom() { TRACE "Under /etc/ash_functions:preserve_rom" new_rom="$1" @@ -232,6 +238,8 @@ recovery() { touch /tmp/config . /tmp/config + DEBUG "Board $CONFIG_BOARD - version $(fw_version)" + if [ "$CONFIG_TPM" = "y" ]; then DEBUG "Extending TPM PCR 4 for recovery shell access" tpmr extend -ix 4 -ic recovery diff --git a/initrd/init b/initrd/init index 67a179b76..93bd5222f 100755 --- a/initrd/init +++ b/initrd/init @@ -203,9 +203,7 @@ if [ "$CONFIG_BASIC" = "y" ]; then fi # export firmware version -export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ') -# chop off date, since will always be epoch w/timeless builds -FW_VER=${FW_VER::-10} +export FW_VER=$(fw_version) # Add our boot devices into the /etc/fstab, if they are defined # in the configuration file. From fc874728f6878994066ac1ed8d8635939f60dacf Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 19 Apr 2024 14:30:55 -0400 Subject: [PATCH 15/26] oem-factory-reset + seal-hotpkey: Give debug output to underatand in what state is the USB Security dongle Signed-off-by: Thierry Laurion --- initrd/bin/oem-factory-reset | 2 ++ initrd/bin/seal-hotpkey | 2 ++ 2 files changed, 4 insertions(+) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index ff0889f66..6b597fc08 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
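Review bot: `fw_version()` is added to ash_functions, but `"${FW_VER::-10}"` is a bash-only substring expansion; busybox ash rejects it with "bad substitution", so if this file is sourced from an ash script (as the filename suggests) the helper and the new `recovery()` call that uses it would fail there. The same expression also errors under bash when `FW_VER` is shorter than ten characters, e.g. when the DMI line has scrolled out of the dmesg ring buffer, so `export FW_VER=$(fw_version)` in init would print an error during boot. A portable guard covers both: `[ "${#FW_VER}" -gt 10 ] || { echo "$FW_VER"; return; }` before the echo, with the chop written as `echo "${FW_VER%??????????}"` (strip exactly ten trailing characters, POSIX). The comment should also say why ten, i.e. that the trailing `MM/DD/YYYY` date is ten characters.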
@@ -496,7 +496,9 @@ gpg_key_factory_reset() { fi # If Nitrokey Storage is inserted, reset AES keys as well if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]; then + DEBUG "Nitrokey Storage detected, resetting AES keys..." /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + DEBUG "Restarting scdaemon to remove possible exclusive lock of dongle" killall -9 scdaemon fi # Toggle forced sig (good security practice, forcing PIN request for each signature request) diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 77940dcad..a0cb1ddad 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -26,6 +26,8 @@ fatal_error() { echo -e "\nERROR: ${1}; press Enter to continue." read + # get lsusb output for debugging + DEBUG "lsusb output: $(lsusb)" die "$1" } From 89a0c103aea946b56326b13c4ebacdd052e811fa Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 19 Apr 2024 15:13:38 -0400 Subject: [PATCH 16/26] QEMU/KVM board configs: logical reorganization of requirements for board configs. Next step is creating fbwhiptail/whiptail/tpm1/tpm2 mk files and include them in all boards Signed-off-by: Thierry Laurion --- .../qemu-coreboot-fbwhiptail-tpm1-hotp.config | 74 ++++++++++++------ .../qemu-coreboot-fbwhiptail-tpm1.config | 70 +++++++++++------ .../qemu-coreboot-fbwhiptail-tpm2-hotp.config | 76 ++++++++++++------- .../qemu-coreboot-fbwhiptail-tpm2.config | 74 +++++++++++------- .../qemu-coreboot-whiptail-tpm1-hotp.config | 74 ++++++++++++------ .../qemu-coreboot-whiptail-tpm1.config | 72 ++++++++++++------ .../qemu-coreboot-whiptail-tpm2-hotp.config | 76 ++++++++++++------- .../qemu-coreboot-whiptail-tpm2.config | 72 +++++++++++------- 8 files changed, 374 insertions(+), 214 deletions(-) diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config index 1b5308f2a..61668b2c6 100644 
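Review bot: In `fatal_error()` the new `DEBUG "lsusb output: $(lsusb)"` runs after `read`, i.e. only once the user has pressed Enter, so it records the USB bus state at acknowledgement time rather than at failure time; if the user re-seats the dongle while the prompt is up, the log no longer shows the state that caused the error. I would move that DEBUG line above the `echo -e "\nERROR: …"` / `read` pair. In the oem-factory-reset hunk the new DEBUG lines sit next to `/bin/hotp_verification regenerate ${ADMIN_PIN_DEF}`, which takes the admin PIN on argv; if that call is ever wrapped in `DO_WITH_DEBUG` it needs `--mask-position 2` so the PIN does not end up in the log.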
--- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config 
@@ -8,56 +8,83 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y +#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing)) +#export CONFIG_HAVE_GPG_KEY_BACKUP=y + #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#Enable TPM2 pcap output under /tmp +#export CONFIG_TPM2_CAPTURE_PCAP=y + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +#CONFIG_TPM2_TSS=y +#CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support CONFIG_HOTPKEY=y -export CONFIG_AUTO_BOOT_TIMEOUT=5 - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y 
-# #text-based init (generic-init and gui-init) #CONFIG_NEWT=y #CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +#export CONFIG_TPM2_TOOLS=y +#export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -65,9 +92,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -export CONFIG_TPM=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config index 090272412..f02c73336 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config @@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y 
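Review bot: The new comment `#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)` above `CONFIG_DROPBEAR=y` names a driver this board does not select; the NIC enabled a few lines earlier is `CONFIG_LINUX_E1000=y`, so the comment should read `#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000)` to match. Separately, `export CONFIG_AUTO_BOOT_TIMEOUT=5` moved from inside the `else` branch of `ifeq "$(CONFIG_UROOT)" "y"` to after `endif`, so it is now exported for a u-root build as well, where `CONFIG_HOTPKEY=y` is not built; if gui-init honours the timeout without an HOTP result, that is a behaviour change the commit message does not mention (I cannot verify gui-init from here). `#CONFIG_NKSTORECLI=n` is a commented-out negative, a no-op that reads as if it disabled something; `#CONFIG_NKSTORECLI=y` would follow the convention of the other optional entries in this block.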
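Review bot: `+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config` is the wrong config for this board: the file is qemu-coreboot-fbwhiptail-tpm1, the line this commit removes in the following hunk is `CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config`, and the sibling qemu-coreboot-whiptail-tpm1 board in the same commit keeps the tpm1 config. As committed, the TPM1 test board builds its coreboot image with the TPM 2.0 configuration while the runtime side still exports `CONFIG_TPM=y`, so the board no longer exercises what its name promises. Change it to `CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config`.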
@@ -16,48 +19,70 @@ export CONFIG_LINUX_VERSION=5.10.5 #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#Enable TPM2 pcap output under /tmp +#export CONFIG_TPM2_CAPTURE_PCAP=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y + + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +#CONFIG_TPM2_TSS=y +#CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support #CONFIG_HOTPKEY=y - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -# #text-based init (generic-init and gui-init) #CONFIG_NEWT=y #CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 
requirements +#export CONFIG_TPM2_TOOLS=y +#export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -65,9 +90,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -export CONFIG_TPM=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config index 6b714bf9f..36094e597 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config 
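Review bot: `export CONFIG_AUTO_BOOT_TIMEOUT=5` is introduced on a board that has no HOTP support — `CONFIG_HOTPKEY` stays commented out, and no `-export CONFIG_AUTO_BOOT_TIMEOUT=5` is removed anywhere in the hunk — yet it sits under `#Automatically boot if HOTP is valid`. Unless gui-init ignores the timeout when no HOTP dongle support is built, which this diff does not show, a board with no dongle now counts down to a boot that no HOTP check has gated; that is a behaviour change for a commit described as a reorganization. For non-HOTP boards keep the line commented (`#export CONFIG_AUTO_BOOT_TIMEOUT=5`) so that the HOTP and non-HOTP variants differ only in their HOTP lines.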
@@ -7,58 +7,83 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y +#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing)) +#export CONFIG_HAVE_GPG_KEY_BACKUP=y + #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #Enable TPM2 pcap output under /tmp export CONFIG_TPM2_CAPTURE_PCAP=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y + + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support CONFIG_HOTPKEY=y -export CONFIG_AUTO_BOOT_TIMEOUT=5 - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -# 
#text-based init (generic-init and gui-init) #CONFIG_NEWT=y #CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -66,13 +91,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -#TPM2 requirements -export CONFIG_TPM2_TOOLS=y -export CONFIG_PRIMARY_KEY_TYPE=ecc -CONFIG_TPM2_TSS=y -CONFIG_OPENSSL=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config index 629eeffea..c382c0d70 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config 
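Review bot: `CONFIG_TPM2_TSS=y` and `CONFIG_OPENSSL=y` are now inside the `else` branch of `ifeq "$(CONFIG_UROOT)" "y"`, while `export CONFIG_TPM2_TOOLS=y` and `export CONFIG_PRIMARY_KEY_TYPE=ecc` are placed after `endif`; before this commit all four lived together at the bottom of the file, outside the conditional. A `CONFIG_UROOT=y` build therefore exports the TPM2 tools requirement without building the TSS and OpenSSL it depends on. Keep the two library lines beside the two exports after `endif`, or move all four into the branch, so the dependency is not split across the conditional. The comment `#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)` also names a driver this board does not select; it enables `CONFIG_LINUX_E1000=y`.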
@@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y 
@@ -19,47 +22,67 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #Enable TPM2 pcap output under /tmp export CONFIG_TPM2_CAPTURE_PCAP=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y + + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y -CONFIG_HOTPKEY=n - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +#CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -# #text-based init (generic-init and gui-init) #CONFIG_NEWT=y #CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export 
CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -67,13 +90,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -#TPM2 requirements -export CONFIG_TPM2_TOOLS=y -export CONFIG_PRIMARY_KEY_TYPE=ecc -CONFIG_TPM2_TSS=y -CONFIG_OPENSSL=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2" diff --git a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config index 024c7b921..38315372d 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config 
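Review bot: `export CONFIG_AUTO_BOOT_TIMEOUT=5` is enabled here on a board with no HOTP support (`-CONFIG_HOTPKEY=n` becomes `#CONFIG_HOTPKEY=y`), and nothing in the hunk removes an earlier timeout, so the 5-second auto-boot is genuinely new for this board despite the `#Automatically boot if HOTP is valid` comment above it. If gui-init applies the timeout without an HOTP result — I cannot confirm that from this diff — the board now auto-boots without the attestation step the comment assumes; keep the line commented out wherever `CONFIG_HOTPKEY=y` is not set. The same split as in the HOTP variant also appears here: `CONFIG_TPM2_TSS=y`/`CONFIG_OPENSSL=y` are inside the `else` branch while `export CONFIG_TPM2_TOOLS=y` is after `endif`, which leaves a u-root build with the tools flag but no TSS.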
@@ -8,56 +8,83 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y +#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing)) +#export CONFIG_HAVE_GPG_KEY_BACKUP=y + #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#Enable TPM2 pcap output under /tmp +#export CONFIG_TPM2_CAPTURE_PCAP=y + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +#CONFIG_TPM2_TSS=y +#CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support CONFIG_HOTPKEY=y -export CONFIG_AUTO_BOOT_TIMEOUT=5 - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): #CONFIG_CAIRO=y 
#CONFIG_FBWHIPTAIL=y -# #text-based init (generic-init and gui-init) CONFIG_NEWT=y CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +#export CONFIG_TPM2_TOOLS=y +#export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -65,9 +92,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -export CONFIG_TPM=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1-hotp" diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config index b6f76de58..610667161 100644 --- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config +++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config 
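Review bot: `export CONFIG_AUTO_BOOT_TIMEOUT=5` moves from the `else` branch of `ifeq "$(CONFIG_UROOT)" "y"`, next to `CONFIG_HOTPKEY=y`, to after `endif`, so a u-root build now exports the auto-boot timeout without building the HOTP verifier the `#Automatically boot if HOTP is valid` comment relies on; whether gui-init then boots unattested depends on code outside this diff. If the intent is that the timeout only applies with HOTP built, keep the export inside the branch beside `CONFIG_HOTPKEY=y`. The added comment `#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)` should name `CONFIG_LINUX_E1000`, the driver this board actually enables.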
@@ -6,7 +6,10 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 -#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)) +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + +#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y 
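Review bot: The rewritten comment drops its closing parenthesis — `(we cannot inject config under QEMU (no internal flashing)` — leaving the nested parentheses unbalanced; the other boards already carry the unbalanced form, but aligning to a typo is the wrong direction. Prefer `#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing))` here and in the siblings. The added `CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config` is the correct config for this TPM1 board, unlike its fbwhiptail counterpart in this same commit.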
@@ -16,48 +19,70 @@ export CONFIG_LINUX_VERSION=5.10.5 #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#Enable TPM2 pcap output under /tmp +#export CONFIG_TPM2_CAPTURE_PCAP=y + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +#CONFIG_TPM2_TSS=y +#CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support #CONFIG_HOTPKEY=y - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): #CONFIG_CAIRO=y #CONFIG_FBWHIPTAIL=y -# #text-based init (generic-init and gui-init) CONFIG_NEWT=y CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 
requirements +#export CONFIG_TPM2_TOOLS=y +#export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -65,9 +90,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -export CONFIG_TPM=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1" diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config index 157f6ce15..e5b2bddfd 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config 
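Review bot: `export CONFIG_AUTO_BOOT_TIMEOUT=5` is new for this non-HOTP board: `CONFIG_HOTPKEY` remains commented out and no previous timeout line is removed in the hunk, yet the export is added under `#Automatically boot if HOTP is valid`. Unless gui-init disregards the timeout when no HOTP support is built — not visible in this diff — the board now auto-boots after 5 seconds with no HOTP check behind it. Keep it as `#export CONFIG_AUTO_BOOT_TIMEOUT=5` on boards without `CONFIG_HOTPKEY=y`.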
@@ -7,58 +7,83 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y +#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing)) +#export CONFIG_HAVE_GPG_KEY_BACKUP=y + #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=y export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #Enable TPM2 pcap output under /tmp export CONFIG_TPM2_CAPTURE_PCAP=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y + + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support CONFIG_HOTPKEY=y -export CONFIG_AUTO_BOOT_TIMEOUT=5 - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): #CONFIG_CAIRO=y #CONFIG_FBWHIPTAIL=y -# 
#text-based init (generic-init and gui-init) CONFIG_NEWT=y CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -66,13 +91,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -#TPM2 requirements -export CONFIG_TPM2_TOOLS=y -export CONFIG_PRIMARY_KEY_TYPE=ecc -CONFIG_TPM2_TSS=y -CONFIG_OPENSSL=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp" diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config index 684d508e5..076f01698 100644 --- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config +++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config @@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.22.01 export CONFIG_LINUX_VERSION=5.10.5 +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) #export CONFIG_RESTRICTED_BOOT=y #export CONFIG_BASIC=y 
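Review bot: `CONFIG_TPM2_TSS=y` and `CONFIG_OPENSSL=y` are placed inside the `else` branch of `ifeq "$(CONFIG_UROOT)" "y"`, but `export CONFIG_TPM2_TOOLS=y` and `export CONFIG_PRIMARY_KEY_TYPE=ecc` land after `endif`; previously all four were together at the end of the file, outside the conditional. A `CONFIG_UROOT=y` build now carries the TPM2 tools flag without the TSS/OpenSSL libraries it needs. Put the two library lines with the exports after `endif`, or move all four into the branch, so the requirement stays in one place.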
@@ -19,47 +22,67 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #Enable TPM2 pcap output under /tmp export CONFIG_TPM2_CAPTURE_PCAP=y -CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config -CONFIG_LINUX_CONFIG=config/linux-qemu.config +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y + + +#Modules packed into tools.cpio ifeq "$(CONFIG_UROOT)" "y" CONFIG_BUSYBOX=n else -CONFIG_KEXEC=y -CONFIG_QRENCODE=y -CONFIG_TPMTOTP=y -CONFIG_POPT=y -CONFIG_FLASHTOOLS=y -CONFIG_FLASHROM=y -CONFIG_PCIUTILS=y -CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_DROPBEAR=y +CONFIG_PCIUTILS=y +#Runtime tools to write to EC/MSR +CONFIG_IOTOOLS=y CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support #CONFIG_HOTPKEY=y - -#Uncomment only one of the following block -#Required for graphical gui-init (FBWhiptail) +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#FBWhiptail based (Graphical): #CONFIG_CAIRO=y #CONFIG_FBWHIPTAIL=y -# #text-based init (generic-init and gui-init) CONFIG_NEWT=y CONFIG_SLANG=y - +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y endif +#Runtime on-demand additional hardware support (modules.cpio) export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y -CONFIG_LINUX_USB=y -CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: -#Whiptail-based init (text-based or FBWhiptail) + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 
requirements +#export CONFIG_TPM=y export CONFIG_BOOTSCRIPT=/bin/gui-init -# #text-based original init: #export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n @@ -67,13 +90,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" - -#TPM2 requirements -export CONFIG_TPM2_TOOLS=y -export CONFIG_PRIMARY_KEY_TYPE=ecc -CONFIG_TPM2_TSS=y -CONFIG_OPENSSL=y - export CONFIG_BOOT_DEV="/dev/vda1" export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2" From ba20d98bdd8c39ad506ef4a2a3e1f51bc84db9f8 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 21 Apr 2024 18:31:43 +0200 Subject: [PATCH 17/26] UX improvements PIN questions Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 6b597fc08..308483960 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -989,11 +989,11 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS} fi else - echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: " + echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [Y/n]: " read -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" != "n" \ + -a "$prompt_output" != "N" ]; then echo -e "\nThey must be each at least 8 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then 
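Review bot: `export CONFIG_AUTO_BOOT_TIMEOUT=5` is added to a board without HOTP support (`-CONFIG_HOTPKEY=n` becomes `#CONFIG_HOTPKEY=y`, and no earlier timeout is removed), under a comment that claims the boot is gated on a valid HOTP. If gui-init honours the timeout regardless of HOTP — which I cannot confirm from here — this board now auto-boots without the attestation step; keep the line commented out where `CONFIG_HOTPKEY=y` is not set. Also, `CONFIG_TPM2_TSS=y`/`CONFIG_OPENSSL=y` sit inside the `else` branch while `export CONFIG_TPM2_TOOLS=y` is after `endif`, so a u-root build gets the tools requirement without the TSS it depends on.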
@@ -1011,7 +1011,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # That is, if keys were NOT generated in memory (on smartcard only) or # if keys were generated in memory but are to be moved from local keyring to smartcard if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then - while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " read USER_PIN From be65c4be5b5fbeca9cdb97268135507252efe171 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 21 Apr 2024 18:42:52 +0200 Subject: [PATCH 18/26] fix small incongruency with previous commit Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 308483960..d12b0c624 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -1012,7 +1012,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # if keys were generated in memory but are to be moved from local keyring to smartcard if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " read USER_PIN done From cc70e772f8a0dcdb319d4d06e27af227a5cae51e Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 21 Apr 2024 19:00:29 +0200 Subject: [PATCH 19/26] fix another small incongruency with previous commit 
Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index d12b0c624..54f129dc2 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -994,7 +994,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" != "n" \ -a "$prompt_output" != "N" ]; then - echo -e "\nThey must be each at least 8 characters in length.\n" + echo -e "\nThe TPM Owner Password and Admin PIN must be at least 8, the User PIN at least 6 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then while [[ ${#TPM_PASS} -lt 8 ]]; do From 2828e2ca60a698c69749dd4b0b37a1593b73601b Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Mon, 22 Apr 2024 22:50:34 +0200 Subject: [PATCH 20/26] Revert "fix another small incongruency with previous commit" This reverts commit cc70e772f8a0dcdb319d4d06e27af227a5cae51e. Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 54f129dc2..d12b0c624 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -994,7 +994,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" != "n" \ -a "$prompt_output" != "N" ]; then - echo -e "\nThe TPM Owner Password and Admin PIN must be at least 8, the User PIN at least 6 characters in length.\n" + echo -e "\nThey must be each at least 8 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then while [[ ${#TPM_PASS} -lt 8 ]]; do From 0854f2ce802d8a3891318f4b807d4c57e677ae24 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Mon, 22 Apr 2024 22:51:17 +0200 Subject: [PATCH 21/26] Revert "fix small incongruency with previous commit" This reverts commit be65c4be5b5fbeca9cdb97268135507252efe171. 
Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index d12b0c624..308483960 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -1012,7 +1012,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # if keys were generated in memory but are to be moved from local keyring to smartcard if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " read USER_PIN done From 408524fb31d26e4c65d02bfaa744aed4617e4400 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Mon, 22 Apr 2024 22:51:25 +0200 Subject: [PATCH 22/26] Revert "UX improvements PIN questions" This reverts commit ba20d98bdd8c39ad506ef4a2a3e1f51bc84db9f8. Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 308483960..6b597fc08 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
@@ -989,11 +989,11 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS} fi else - echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [Y/n]: " + echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: " read -n 1 prompt_output echo - if [ "$prompt_output" != "n" \ - -a "$prompt_output" != "N" ]; then + if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ]; then echo -e "\nThey must be each at least 8 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then @@ -1011,7 +1011,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # That is, if keys were NOT generated in memory (on smartcard only) or # if keys were generated in memory but are to be moved from local keyring to smartcard if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then - while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " read USER_PIN From 70e9c663bcca20a41b29353828ce217302ada7cc Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Mon, 22 Apr 2024 22:56:13 +0200 Subject: [PATCH 23/26] only change user PIN minimum requirement to 6 Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 6b597fc08..67318a1db 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
@@ -994,7 +994,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ]; then - echo -e "\nThey must be each at least 8 characters in length.\n" + echo -e "\nThe TPM Owner Password and Admin PIN must be at least 8, the User PIN at least 6 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then while [[ ${#TPM_PASS} -lt 8 ]]; do @@ -1002,8 +1002,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then read TPM_PASS done fi - while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG Admin PIN: " read ADMIN_PIN done From b6bd682cb3ff4143dea8e1ba0a0b742ae68d4aa4 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 22 Apr 2024 17:24:21 -0400 Subject: [PATCH 24/26] Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts Signed-off-by: Thierry Laurion --- initrd/bin/gui-init | 3 ++- initrd/bin/oem-factory-reset | 16 ++++++++++--- initrd/bin/unseal-hotp | 46 ++++++++++++++++++------------------ 3 files changed, 38 insertions(+), 27 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index cd69e87c6..dfd412f2d 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -250,8 +250,8 @@ update_totp() update_hotp() { TRACE_FUNC + HOTP="Unverified" if [ -x /bin/hotp_verification ]; then - HOTP=`unseal-hotp` if ! hotp_verification info ; then if [ "$skip_to_menu" = "true" ]; then return 1 # Already asked to skip to menu from a prior error 
@@ -265,6 +265,7 @@ update_hotp() return fi fi + HOTP=`unseal-hotp` # Don't output HOTP codes to screen, so as to make replay attacks harder hotp_verification check "$HOTP" case "$?" in diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 6b597fc08..c368eef91 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -783,12 +783,22 @@ report_integrity_measurements() { # Check and report on HOTP status if [ -x /bin/hotp_verification ]; then - HOTP=$(unseal-hotp) >/dev/null 2>&1 + HOTP="Unverified" enable_usb - if ! hotp_verification info >/dev/null 2>&1; then - whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Please insert your HOTP enabled USB Security Dongle' --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80 + for attempt in 1 2 3; do + if ! hotp_verification info >/dev/null 2>&1; then + whiptail $CONFIG_WARNING_BG_COLOR --title "WARNING: Please insert your HOTP enabled USB Security Dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80 + else + break + fi + done + + if [ $attempt -eq 3 ]; then + die "No HOTP enabled USB Security Dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild." fi + # Don't output HOTP codes to screen, so as to make replay attacks harder + HOTP=$(unseal-hotp) >/dev/null 2>&1 hotp_verification check $HOTP case "$?" in 0) diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp index 031c6d278..8565ac612 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp 
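Review bot: The new backtick assignment of HOTP ignores unseal-hotp's exit status; that script `die`s when the TPM unseal fails, so HOTP becomes the empty string and the following `hotp_verification check "$HOTP"` is run with an empty code, which will presumably be reported as a bad HOTP match rather than as a failed unseal. Something like `if ! HOTP=$(unseal-hotp); then HOTP="Unverified"; return 1; fi` (mirroring whatever the earlier failure paths in this function return) keeps the sentinel set at the top of the function and stops the check from running on a missing code. update_hotp starts in the previous hunk and its `case "$?"` handling continues past this one, so the exact return convention is not visible here.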
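Review bot: The retry loop dies even when the dongle is found on the third try: `attempt` is 3 both when all three `hotp_verification info` calls failed and when the third one succeeded and hit `break`, so `[ $attempt -eq 3 ]` cannot tell the two apart and a user who inserts the dongle on the last prompt is sent to rebuild without CONFIG_HOTPKEY. Recording success in a flag instead of reusing the loop variable fixes that. Two smaller points on the lines after the loop: the `>/dev/null 2>&1` after `HOTP=$(unseal-hotp)` redirects the (empty) assignment command, not the command substitution, so unseal-hotp's stderr (its `die` messages) still reaches the screen, and `$HOTP` is unquoted in `hotp_verification check $HOTP`, so a failed unseal invokes check with no argument at all. report_integrity_measurements continues outside the hunk.
```shell
hotp_found=n
for attempt in 1 2 3; do
    if hotp_verification info >/dev/null 2>&1; then
        hotp_found=y
        break
    fi
    whiptail $CONFIG_WARNING_BG_COLOR --title "WARNING: Please insert your HOTP enabled USB Security Dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80
done

if [ "$hotp_found" != "y" ]; then
    die "No HOTP enabled USB Security Dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild."
fi
# Don't output HOTP codes to screen, so as to make replay attacks harder
HOTP=$(unseal-hotp 2>/dev/null)
hotp_verification check "$HOTP"
# … unchanged: case "$?" handling …
```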
@@ -6,13 +6,12 @@ HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" -mount_boot_or_die() -{ +mount_boot_or_die() { TRACE_FUNC # Mount local disk if it is not already mounted - if ! grep -q /boot /proc/mounts ; then - mount -o ro /boot \ - || die "Unable to mount /boot" + if ! grep -q /boot /proc/mounts; then + mount -o ro /boot || + die "Unable to mount /boot" fi } 
@@ -38,34 +37,35 @@ fi #counter_value=$(printf "%d" 0x${counter_value}) if [ "$CONFIG_TPM" = "y" ]; then - DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..." - tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret" + DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..." + tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret" else - # without a TPM, generate a secret based on the SHA-256 of the ROM - secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed" + # without a TPM, generate a secret based on the SHA-256 of the ROM + secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed" fi # Truncate the secret if it is longer than the maximum HOTP secret truncate_max_bytes 20 "$HOTP_SECRET" -if ! hotp $counter_value < "$HOTP_SECRET"; then - shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die 'Unable to compute HOTP hash?' +if ! hotp $counter_value <"$HOTP_SECRET"; then + shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null + die 'Unable to compute HOTP hash?' fi -shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - -#increment_tpm_counter $counter > /dev/null \ -#|| die "Unable to increment tpm counter" +shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null +#Incrementing counter under $HOTP_COUNTER +# +# If for whatever reason, this counter is 5 counts different then on HOTP USB Security dongle, HOTP unseal fails. 
+#Note: HOTP_COUNTER="/boot/kexec_hotp_counter" is not detached signed under kexec.sig since it changes +# +# TODO: figure out a better alternative then a counter that can be modified on disk +# As of now, this counter isincreased only in the validated presence of the HOTP dongle being connected per callers mount -o remount,rw /boot - -counter_value=`expr $counter_value + 1` -echo $counter_value > $HOTP_COUNTER \ -|| die "Unable to create hotp counter file" - -#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ -#|| die "Unable to create hotp counter file" +DEBUG "Incrementing HOTP counter under $HOTP_COUNTER" +counter_value=$(expr $counter_value + 1) +echo $counter_value >$HOTP_COUNTER || + die "Unable to create hotp counter file" mount -o remount,ro /boot exit 0 From cb03ec5584edddcdf3e4a5701bcee80ab72ef951 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Tue, 23 Apr 2024 01:10:53 +0200 Subject: [PATCH 25/26] change correct PIN minimum Signed-off-by: Christian Foerster --- initrd/bin/oem-factory-reset | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 67318a1db..cbff40d04 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -1002,8 +1002,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then read TPM_PASS done fi - while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG Admin PIN: " read ADMIN_PIN done 
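Review bot: If the counter write fails, the new `echo $counter_value >$HOTP_COUNTER || die "Unable to create hotp counter file"` exits with /boot still mounted read-write, because the `mount -o remount,ro /boot` below it is skipped; every earlier `die` in this hunk runs before the rw remount, so this is the one path that leaves /boot writable. `echo "$counter_value" >"$HOTP_COUNTER" || { mount -o remount,ro /boot; die "Unable to create hotp counter file"; }` closes it. Since the comment block is new, it is worth fixing its typos now (`isincreased` → `is increased`, `different then` → `different than`, `better alternative then` → `better alternative than`) and stating plainly that this script increments the on-disk counter unconditionally — it relies on the callers having already confirmed the dongle with `hotp_verification info`, and a `hotp_verification check` that subsequently fails presumably still leaves the disk and dongle counters one step apart.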
@@ -1011,8 +1011,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # That is, if keys were NOT generated in memory (on smartcard only) or # if keys were generated in memory but are to be moved from local keyring to smartcard if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then - while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " read USER_PIN done From 019098c82119adc48496616480b1c0c0d39fea6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Kope=C4=87?= Date: Wed, 24 Apr 2024 10:53:13 +0200 Subject: [PATCH 26/26] config/coreboot-nitropad-*.config: disable power on AC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The coreboot power failure state Kconfig options are wired up to the Power on AC feature on Clevo mainboards. Set the power failure state to 0 to prevent these boards from powering on or waking up with AC attach. Signed-off-by: Michał Kopeć --- config/coreboot-nitropad-ns50.config | 6 +++--- config/coreboot-nitropad-nv41.config | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config index 19c43d6d8..867ee36c6 100644 --- a/config/coreboot-nitropad-ns50.config +++ b/config/coreboot-nitropad-ns50.config 
@@ -200,10 +200,10 @@ CONFIG_COREBOOT_ROMSIZE_KB=32768
 CONFIG_ROM_SIZE=0x02000000
 CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y
 CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y
-# CONFIG_POWER_STATE_OFF_AFTER_FAILURE is not set
-CONFIG_POWER_STATE_ON_AFTER_FAILURE=y
+CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
+#CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set
 # CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set
-CONFIG_MAINBOARD_POWER_FAILURE_STATE=1
+CONFIG_MAINBOARD_POWER_FAILURE_STATE=0
 # end of Mainboard
 
 CONFIG_SYSTEM_TYPE_LAPTOP=y
diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config
index 631e61766..1e819f3a6 100644
--- a/config/coreboot-nitropad-nv41.config
+++ b/config/coreboot-nitropad-nv41.config
@@ -200,10 +200,10 @@ CONFIG_COREBOOT_ROMSIZE_KB=32768
 CONFIG_ROM_SIZE=0x02000000
 CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y
 CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y
-# CONFIG_POWER_STATE_OFF_AFTER_FAILURE is not set
-CONFIG_POWER_STATE_ON_AFTER_FAILURE=y
+CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
+#CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set
 # CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set
-CONFIG_MAINBOARD_POWER_FAILURE_STATE=1
+CONFIG_MAINBOARD_POWER_FAILURE_STATE=0
 # end of Mainboard
 
 CONFIG_SYSTEM_TYPE_LAPTOP=y
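Review bot: The added line `#CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set` drops the space after `#` that every other unset entry in the same hunk uses (`# CONFIG_POWER_STATE_OFF_AFTER_FAILURE is not set`, `# CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set`); as far as I know Kconfig only recognises the `# CONFIG_… is not set` spelling, so the space-less line is read as an ordinary comment. The practical effect is probably nil because `CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y` already pins the choice, but the next `make savedefconfig`/oldconfig pass will rewrite the line and the committed config will churn. `# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set` in both files avoids that; the nv41 hunk has the identical line.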