feat: Radxa X4 kairos support

kairos-io / kairos

:penguin: The immutable Linux meta-distribution for edge Kubernetes.

https://kairos.io

Apache License 2.0

1.13k stars 97 forks source link

feat: Radxa X4 kairos support #2871

Closed Itxaka closed 1 month ago

Itxaka commented 1 month ago

Is your feature request related to a problem? Please describe.

Support the Radxa X4 board with Kairos

Describe the solution you'd like

Boots Kairos
Boots Trusted Boot Kairos
Does it out of the box hopefully
If not, clear docs on how to support it are written

Describe alternatives you've considered

Additional context

Good review and information about the board: https://github.com/geerlingguy/sbc-reviews/issues/48 https://bret.dk/intel-n100-radxa-x4-first-thoughts/

Itxaka commented 1 month ago

First tests were ok.

Kairos:

booted, installed, worked with no issues

Kairos trusted boot:

secureboot was not enabled by default
Needed a beta bios to be able to do secureboot and key management
Once bios was installed and keys cleared it worked
booted, keys added and installed with no issues
during boot it could not unlock the oem partition

Unfortunately the beta bios is not publicly available and flashing it is under your own, so if it breaks, bad luck.

In any case, seems that something is off with the measurements as the unlocking not being available seems to point to that.

Next step would be to hardcode an user in the uki iso and check whats going on.

Itxaka commented 1 month ago

Had a quick look, the problem with unlocking the encrypted partitions seems to be that the measurements dont match by using the latest enki (the one that has the golang ukifier and measurer)

So building with osbuilder 0.300.x made it not work, not even manually attaching the partitions

Bui.ding with 0.202.1 (uses systemd-measure) also didnt work during boot. But manually I could attache them, so no idea whats going on? Maybe the tpm are not clear on reboot as expected?

Needs further investigation.

Itxaka commented 1 month ago

Seems like we were missing the required modules to discover the devices on boot.

mmc_block and sdhci-pci need to be added to immucore

Itxaka commented 1 month ago

on immmucore https://github.com/kairos-io/immucore/releases/tag/v0.5.0 the modules are added and the board works out of the box.

Nothing special to do about this in order to install, just make sure to use kairos 3.2.X :D

cc @mudler 👀

Itxaka commented 1 month ago

Steps:

Using kairos 3.2.0
Beta bios that enables secureboot and key management (contact @Itxaka if you need access to it)
Boot into bios and do the usual, enable secureboot, clear all keys and reset
Image NEEDS to be the fat one, so all firmware on disk (follow https://kairos.io/docs/reference/kairos-factory/#examples in oder to create custom image with all firmware)
Thats it. Works out of the box.