remove CONFIG_GPG=y #508
remove CONFIG_GPG=y #508
Conversation
Building make BOARD=x230-flash fails due to size. Removal of CONFIG_GPG fixes this. For further details, see #451
|
for ref, GPG is not required to be used in x230-flash stage. its just bloat. |
|
Erm, what a facepalm moment. GPG is needed to sign the coreboot.rom . closing |
|
No it's not?
It is required in x230 but not in x230-flash.
@osresearch: when is the next merge day?
…On Mon, Jan 14, 2019, 13:58 shamen123, ***@***.***> wrote:
Erm, what a facepalm moment. GPG is needed to sign the coreboot.rom .
closing
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#508 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAygsvidgzrYdHmgq7vSH2eg7Ne9CaBPks5vDNM-gaJpZM4Z5ryJ>
.
|
|
I guess you could sign coreboot.rom after flashing the 12mb, like this?
EDIT have tested this method and it works. |
|
@shamen123
Can you explain what is missing for you? I'm not sure I understand.
The hashes for rom integrity outside of heads requires sha256sum and
requires the tools to be installed on the host system, not in heads to
validate reproducibility.
Signing generated configuration hashes (kexec_*) requires gpg inside of
heads.
x230-flash generates the 4m rom, which only exists to flash the 12mb rom
from within heads. Gpg was put in the board configuration file so that the
user can generate his gpg keypair and insert it in a reproducible rom with
cbfs from heads recovery shell prior to flash it back. But this was a nice
to have. It can be done with the 12mb rom. And the 4mb rom is only needed
to flash.sh /media/coreboot.rom after having called mount-usb.
…On Tue, Jan 15, 2019, 06:36 shamen123, ***@***.***> wrote:
Reopened #508 <#508>.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#508 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAygstDrymKgwsTHUM5Tr5QQBn3vyFHQks5vDb04gaJpZM4Z5ryJ>
.
|
This is the bit where my confusion arose. It seemed from the docs that we should sign the 12mb ROM before flashing. In fact, its not the case. Flash the 12Mb, then sign the 12 ROM with cbfs, then flash the 12 ROM again. All fine,was just some confusion yesterday thats all. the process is flash x230-flash |
@shamen123 : What is suggested here is to insert your gpg public key in the built reproducible rom ( make BOARD=x230) prior to flashing it from withing Heads (make BOARD=x230-flash, then flash externally) When using fbwhiptail and using gui-init, a menu offers you to insert your public key. Unfortunately, generating 4096 keys from within Heads requires GPG2. Unfortunately, generating keys from within x230-flash environment is not possible anymore for size constraints, and even less possible with GPG2 being a requirement to generate 4096bits keys inside of the GPG card. Waiting for @osresearch merge day patiently :) Please close the issue if you do not have any more question, as the title of your issue is a duplicate of #451. A pull request on the documentation is more then welcome though :) |
|
This is not a issue, its a pull request to actually make the change to comment out CONFIG_GPG=y AFAIK, there is no pull request for 451. |
|
Oups, my bad! Sorry! :)
…On January 17, 2019 11:34:13 AM EST, shamen123 ***@***.***> wrote:
This is not a issue, its a pull request to actually make the change to
comment out CONFIG_GPG=y
AFAIK, there is no pull request for 451.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#508 (comment)
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
Building make BOARD=x230-flash fails due to size. Removal of CONFIG_GPG fixes this. For further details, see #451