This is a placeholder for the NLnet-funded Accessible Security Project (2019), to be able to refer here from its website section (they can't change references, per platform limitation) on funded output at https://nlnet.nl/project/AccessibleSecurity/ through the https://nlnet.nl/PET/ fund.
A big thanks to NLnet for having trusted me with managing the project, once again, and to all direct and indirect participants.
Funded work outcomes:
- Remote administration support Optional under QubesOS Q4.1
- Actual trimming (discards) of unused data on qubes by default on QubesOS 4.1
- MAC randomization by default under QubesOS 4.1
- FWUPD support (optional) under QubesOS 4.1
- Talos II coreboot initial first phase port -> Heads port
Details and FOSS outcome:
Remote administration support Optional under Q4.1 (Whonix-Qubes collaboration)
- GUI daemon adrelanos/qubes-remote-support#1
- Various fixes adrelanos/qubes-remote-support#2
- Thanks to @marmarek, @marmata and @adrelanos for accepting to jump in this sub-project and delivering the expected outcome.
Actual trimming (discards) of unused data on qubes by default on Q4.1
- Update to anaconda-29.24.7 QubesOS/qubes-anaconda#1
- Update to version 31.22 QubesOS/qubes-anaconda#4
- Thanks to @marmarek for accepting to deliver the expected outcome of this subproject.
QubesOS MAC randomization by default under Q4.1
- network: enable MAC randomization for wifi connections by default QubesOS/qubes-core-agent-linux#297
- Thanks to @marmarek for having accepted to deliver this sub-project outcome
Qubes OS FWUPD support (optional) under Q4.1
Talos II coreboot initial first phase port (Thanks to whole @3mdeb's @Dasharo team!)
- Outcome blog post https://blog.3mdeb.com/2022/2022-02-16-talos2_coreboot_status/
- First release at https://docs.dasharo.com/variants/talos_2/releases/
- Initialization of the remaining cores
- Patches:
- XIVE (eXternal Interrupt Virtualization Engine) implementation:
- code: XIVE 3mdeb/coreboot#90
- IPMI and watchdog fixes
- single CPU power management (OCC complex):
- Memory layout and boot time optimizations
- Patches:
- memlayout:
- MVPD cache:
- PCIe initialization
- Patches:
- analyze/documentation: Add documentation on PCIe initialization 3mdeb/openpower-coreboot-docs#62
- code: PCIe initialization 3mdeb/coreboot#106
- Second CPU initialization
- Outcome blog post https://blog.3mdeb.com/2022/2022-04-12-talos2_2nd_cpu_and_testing/
- Patches:
- dependencies for the second CPU initialization (RAM):
- FSI:
- code: Implement FSI for Power9 Dasharo/coreboot#56
- isteps 8.1 - 8.4:
- XBus initialization:
- initialization of memory controller of the second CPU + perform training of RAM local to the second CPU:
- Second CPU initialization (power management)
- Patches:
- MVPD for the second CPU:
- HOMER image for the second CPU:
- CPU power management (OCC complex):
- Patches:
- Second CPU initialization (other components)
- Patches:
- dependencies (istep 10.6):
- RNG initialization:
- PCI initialization:
- time synchronization:
- switch from FIT to ELF payload type:
- parallel initialization of the CPUs (faster boot time):
- TPM support
- Documentation on overview of available TPM options for the POWER9:
- More detailed documentation on the selected approach (TPM over I2c):
- Support for the selected I2C TPM module in coreboot:
- Support for the selected I2C TPM module in skiboot:
- Fix coreboot's cbmem utility to print TPM eventlog on POWER9:
- coreboot changes: Make cbmem work and print TCPA log Dasharo/coreboot#197
- skiboot changes: Heads corrections Dasharo/skiboot#2
- Additionally, open-source hardware PCB design was created with the selected TPM module to simplify usage of the solution for the end-users
- https://github.com/3mdeb/talos-tpm-module
- the module will be available in 3mdeb shop, or anyone can produce it by themselves
- Presentation of TPM module usage on POWER9 with coreboot + skiboot + heads firmware stack:
Review documentation and reproducibility of past results on Talos II testing platform provided by RaptorSystems free of charge (@tlaurion)
- Testing of Dasharo releases 0.4.1, 0.5.0 and 0.6, leading to many opened issues and countless hours of troubleshooting on both sides
- First tested result was 0.4.1, which never worked on my lower end CPU shipped by RaptorSystems:
- 0.5 release brought dual CPU support, which broke single CPU support:
- 0.6 release was the first release actually booting on my platform, but Heads support was not functional:
- 0.6.1 is unreleased and where current testing is happening, including missing flashrom support
- 0.6.1 is happening in both Heads and Dasharo, where final outcome (with 3mdeb selling TPM module) will lead into final publicizing of Heads being officially supported on Talos II.
- Documentation reviewed, corrected and tested were:
- Dasharo building manual:
- Heads upstream work, leading to ongoing 0.6.1 release which is now upstream under Heads, and built on CircleCI:
- Dasharo initial deployment and updates without flashing through OpenBMC
- Dasharo firmware upgrade (so users can switch between heads<->petitboot, hostboot<->coreboot)