talos-2: kernel version bump to 6.6.16 #1802

Draft
wants to merge 3 commits into
base: master

tlaurion
Collaborator

@tlaurion tlaurion commented Oct 2, 2024

This is WiP with the goal of not leaving Talos-2 unmaintained in tree, and a blocker for #1796


Current state of this PR: Builds but sealing/unsealing doesn't work.

@SergiiDmytruk @krystian-hebel : some patches are missing to be feature complete, as discussed at #1802 (comment)

TLDR TODOs, adapt:

Otherwise, Talos-2 cannot replay measurements from exposed CBMEM as file and sealing/unsealing of secrets doesn't work.


OLD:

Fails, as can be seen on CircleCI https://app.circleci.com/pipelines/github/tlaurion/heads/2864/workflows/a472cced-20d2-4540-892e-e8d562a3e63a/jobs/53747?invite=true#step-102-48894_248

Patches having landed under patches/linux-6.6.16-openpower come from https://gitlab.raptorengineering.com/openpower-firmware/machine-talos-ii/op-build/-/tree/f89ea5cc89392de0d1bd6a554009809b5f68692c/openpower/linux and apply cleanly.

Unfortunately, this fails with trace (docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make -d BOARD=talos-2 #linux.modify_and_save_oldconfig_in_place)
EDIT:

Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration

Fixed by #1802 (comment)

@SergiiDmytruk
Contributor

This looks like a more relevant error:

Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration

@tlaurion
Collaborator Author

tlaurion commented Oct 2, 2024

> This looks like a more relevant error:
>
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration
> Oct 02 15:31:08 cc1: error: '-m32' not supported in this configuration

Yes, sorry @SergiiDmytruk, I didn't get the whole error log; pointed to the CircleCI log after having modified OP

@SergiiDmytruk
Contributor

Seems to be caused by CONFIG_VDSO32=y which is the result of CONFIG_COMPAT=y. It's for supporting 32-bit PowerPC binaries in PPC64, which seems unnecessary. Maybe there was no 32-bit VDSO before? If this compatibility is desired, likely need to build cross toolchain differently so that -m32 works.

@tlaurion
Collaborator Author

tlaurion commented Oct 3, 2024

@SergiiDmytruk @krystian-hebel kernel builds with 5261213

But patches still need porting for CBMEM output to file and maybe others (0010+) under https://github.com/linuxboot/heads/tree/79dc677d35e5f23f6dd787ce33753e3535233558/patches/linux-5.5-openpower

Otherwise, no sealing/unsealing works. Pushed commit with kernel CBMEM support activated under facad5d which is needed since Talos II uses TPM event log replay to enforce sealing, and requires workaround for cbmem to be accessible as a file per previous implementation, which is a patch.
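
The event-log replay that the comment above says sealing depends on, as an added example (not code from this PR or from Heads): each logged measurement is folded into its PCR with the TPM extend rule, so the expected PCR values can be recomputed only when the firmware log is readable. The SHA-256 bank, the `(pcr, digest)` entry shape and the sample entries are assumptions constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank (assumption for this example)


def _digest(label: str) -> str:
    """Build a constructed measurement digest for the sample log."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample: (pcr_index, digest_hex) pairs as they might look once
# decoded from a firmware event log. Labels and values are illustrative only.
SAMPLE_LOG = [
    (2, _digest("constructed: bootblock")),
    (2, _digest("constructed: romstage")),
    (3, _digest("constructed: runtime data")),
    (2, _digest("constructed: payload")),
]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR value = H(old PCR value || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log, pcr_count=16):
    """Recompute static PCRs 0..15, which start at all zeros, from the log."""
    pcrs = [bytes(PCR_SIZE)] * pcr_count
    for index, digest_hex in log:
        digest = bytes.fromhex(digest_hex)
        if not 0 <= index < pcr_count:
            raise ValueError(f"PCR index {index} out of range")
        if len(digest) != PCR_SIZE:
            raise ValueError(f"digest for PCR {index} is not {PCR_SIZE} bytes")
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def mismatched_pcrs(log, tpm_pcrs):
    """Return PCR indexes where the replayed log disagrees with TPM values."""
    replayed = replay(log)
    return sorted(i for i, value in tpm_pcrs.items() if replayed[i] != value)


if __name__ == "__main__":
    for i, value in enumerate(replay(SAMPLE_LOG)):
        print(f"PCR {i:2d}: {value.hex()}")
```

An empty or unreadable log replays to all-zero PCRs, which will not match a TPM that was extended during boot.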

@SergiiDmytruk
Contributor

You likely want an equivalent of that shebangs patch as well to avoid issues with Nix. Top part of 0010 might be necessary, and was probably done for 0011 to work. 0011 does look missing from upstream, CONFIG_GOOGLE_CBMEM might be something else and expose CBMEM as a set of entries rather than a continuous memory buffer.

@tlaurion
Collaborator Author

tlaurion commented Oct 3, 2024

> You likely want an equivalent of that shebangs patch as well to avoid issues with Nix.

Unneeded. Those patches were required prior to the Linux kernel being made Nix friendly somewhere after 5.15, if I recall well (Heads patches/linux* shows those patches not being required anymore, just as for newer coreboot releases that were made Nix friendly as well). As can be seen with 5261213 being built by CI successfully.

> Top part of 0010 might be necessary, and was probably done for 0011 to work. 0011 does look missing from upstream, CONFIG_GOOGLE_CBMEM might be something else and expose CBMEM as a set of entries rather than a continuous memory buffer.

@SergiiDmytruk facad5d added CONFIG_GOOGLE_CBMEM, while 0010 and 0011 (0010+ as said previously) need to be reworked for this PR to be merged without regression for #1796 to be fixed and plan for feature freeze for next downstream releases and next QubesOS release which might happen between downstream releases. I'm pointing out work needing to be done here, otherwise Talos-2 will go unmaintained. Unfortunately, I won't have much more time to fix this myself.

@tlaurion
Collaborator Author

tlaurion commented Oct 7, 2024

@SergiiDmytruk modified OP for better task trackability prior to the next release, and assigned to you.

@tlaurion
Collaborator Author

@macpijan work spooling needed if #1821 deadline is to be met.

@tlaurion
Collaborator Author

tlaurion commented Nov 8, 2024

Opened Dasharo/dasharo-issues#1133
