-
-
Notifications
You must be signed in to change notification settings - Fork 185
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
WIP ACM BIOS and ACM init recognized. TXT-STS: IBB not measured (Ivy …
…can't. Broadwell+ can) - Update coreboot target to that it includes coreboot 4.17 - Addition of blobs/xx30/download_extract_acm.sh - Downloads SINIT ACM blob from an archive.org copy of the archive - Downloads Latest BIOS from Lenovo and extracts the ACM BIOS from there - Add a x230-hotp-maximized-acm board config based on coreboot 4.17 - coreboot config includes SINIT and ACM blobs - CircleCI modifications - Add unzip in apt packages requirements - Added a step into CircleCI which calls blobs/xx30/download_extract_acm.sh to have blobs - Add x230-hotp-maximized-ac builds Todos: - txt_bios_policy.bin not present under CBFS (Not required up until Intel gen 10 for Bootguard) - IBB not existing concept, so cannot include bootblock (goal of this inclusion if ACM blobs were desired/tolerated) This is building block for TXT (DRTM) under Heads.
- Loading branch information
Showing
5 changed files
with
205 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| #!/bin/bash | ||
|
|
||
| BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
|
||
| X230_ACM_EXE_SHA256SUM="5651d17fe33323cdff35cf6390005f47741a98b6c2ea4e0a46d6149a68f28eac g2uj33us.exe" | ||
| X230_FL1_SHA256SUM='dfef8b06618897eafe4e727cc7782a6aa6c31d5419c230e55fa39bdcd184a923 app/G2ETB7WW/$01D3000.FL1' | ||
| UEFIExtract_SHA256SUM="11ae7656e675f47e42684fe2bfb1e09f18825f9bf787892fb25c0a8d9cf04ac7 UEFIExtract_NE_A59_linux_x86_64.zip" | ||
| X230_BIOS_ACM_SHA256SUM="8f09aa059326b04f124d3dc7661fd6c4ef52ca126d790b17761cfbcb864738bf X230_acm_bios/body.bin" | ||
| XX30_SINIT_ZIP_SHA256SUM="c94851c9a0f1b02d6ce11e57fc60620da5770f3e35bf01708f6f0cbc73ce05c8 3rd-gen-i5-i7-racm-sinit-67.zip" | ||
| XX30_SINIT_SHA256SUM="77e2c92360ad3af495cedb024fcd3250507c1c5df9cfc157179a16a590cfe4da 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin" | ||
|
|
||
| echo "### Creating temp dir" | ||
| extractdir=$(mktemp -d) | ||
| echo "working dir: $extractdir" | ||
| cd "$extractdir" | ||
|
|
||
| echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..." | ||
| wget https://download.lenovo.com/pccbbs/mobiles/g2uj33us.exe | ||
| echo "### Verifying expected hash of g2uj33us.exe" | ||
| echo "$X230_ACM_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; } | ||
|
|
||
| echo "### Extracting g1rg24ww.exe..." | ||
| innoextract ./g2uj33us.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;} | ||
| echo '### Verifying expected hash of app/G2ETB7WW/$01D3000.FL1' | ||
| echo "$X230_FL1_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; } | ||
|
|
||
| echo "### Downloading UEFIExtract..." | ||
| wget https://github.com/LongSoft/UEFITool/releases/download/A59/UEFIExtract_NE_A59_linux_x86_64.zip | ||
| echo "### Verifying expected checksum of UEFIExtract_NE_A59_linux_x86_64.zip ..." | ||
| echo "$UEFIExtract_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification UEFIExtract_NE_A59_linux_x86_64.zip..." && exit 1; } | ||
|
|
||
| echo "###Extracting BIOS ACM from app/G2ETB7WW/$01D3000.FL1 ..." | ||
| unzip UEFIExtract_NE_A59_linux_x86_64.zip | ||
| ./UEFIExtract 'app/G2ETB7WW/$01D3000.FL1' 2D27C618-7DCD-41F5-BB10-21166BE7E143 -o X230_acm_bios -m body | ||
|
|
||
| echo "### Verifying expected hash of X230 BIOS ACM..." | ||
| echo "$X230_BIOS_ACM_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on X230 ACM BIOS BLOB..." && exit 1; } | ||
|
|
||
| echo "### Moving X230_acm_bios/body.bin under $BLOBDIR/x230_acm_bios.bin ..." | ||
| mv X230_acm_bios/body.bin $BLOBDIR/x230_acm_bios.bin | ||
|
|
||
| echo "### Downloading Ivy Bridge (xx30) SINIT ACM..." | ||
| wget https://web.archive.org/web/20220616203154/https://downloadmirror.intel.com/728789/3rd-gen-i5-i7-racm-sinit-67.zip | ||
|
|
||
| echo "### Verifying expected hash of BIOS ACM..." | ||
| echo "$XX30_SINIT_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; } | ||
|
|
||
| echo "###Extracting SINIT ACM blob from 3rd-gen-i5-i7-racm-sinit-67.zip ..." | ||
| unzip 3rd-gen-i5-i7-racm-sinit-67.zip | ||
|
|
||
| echo "### Verifying expected hash of X230 BIOS ACM..." | ||
| echo "$XX30_SINIT_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; } | ||
|
|
||
| echo "### Moving 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin under $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin" | ||
| mv 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin | ||
|
|
||
| #echo "" | ||
| echo "###Cleaning up..." | ||
| cd - > /dev/null 2>&1 | ||
| echo "Removing $extractdir ..." | ||
| #rm -r "$extractdir" |
93 changes: 93 additions & 0 deletions
93
boards/x230-hotp-maximized-acm/x230-hotp-maximized-acm.config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| # Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec) | ||
| # | ||
| # Includes | ||
| # - ACM BIOS and ACM INIT blobs, downloaded through the blobs/xx30/download_extract_acm.sh) | ||
| # - Deactivated+neutered ME and expanded consequent IFD BIOS regions | ||
| # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) | ||
| # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set | ||
| # | ||
| # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) | ||
| export CONFIG_COREBOOT=y | ||
| export CONFIG_COREBOOT_VERSION=4.17 | ||
| export CONFIG_LINUX_VERSION=4.14.62 | ||
|
|
||
| CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-maximized-acm.config | ||
| CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config | ||
|
|
||
| #Additional hardware support | ||
| CONFIG_LINUX_USB=y | ||
| CONFIG_LINUX_E1000E=y | ||
|
|
||
| CONFIG_CRYPTSETUP2=y | ||
| CONFIG_FLASHROM=y | ||
| CONFIG_FLASHTOOLS=y | ||
| CONFIG_GPG2=y | ||
| CONFIG_KEXEC=y | ||
| CONFIG_UTIL_LINUX=y | ||
| CONFIG_LVM2=y | ||
| CONFIG_MBEDTLS=y | ||
| CONFIG_PCIUTILS=y | ||
|
|
||
| #Remote attestation support | ||
| #TPM based requirements | ||
| export CONFIG_TPM=y | ||
| CONFIG_POPT=y | ||
| CONFIG_QRENCODE=y | ||
| CONFIG_TPMTOTP=y | ||
| #HOTP based remote attestation for supported USB Security dongle | ||
| #With/Without TPM support | ||
| CONFIG_HOTPKEY=y | ||
|
|
||
| #Nitrokey Storage admin tool | ||
| CONFIG_NKSTORECLI=n | ||
|
|
||
| #GUI Support | ||
| #Console based Whiptail support(Console based, no FB): | ||
| #CONFIG_SLANG=y | ||
| #CONFIG_NEWT=y | ||
| #FBWhiptail based (Graphical): | ||
| CONFIG_CAIRO=y | ||
| CONFIG_FBWHIPTAIL=y | ||
|
|
||
| #Additional tools: | ||
| #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) | ||
| CONFIG_DROPBEAR=y | ||
|
|
||
| export CONFIG_BOOTSCRIPT=/bin/gui-init | ||
| export CONFIG_BOOT_REQ_HASH=n | ||
| export CONFIG_BOOT_REQ_ROLLBACK=n | ||
| export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" | ||
| export CONFIG_BOOT_KERNEL_REMOVE="quiet" | ||
| export CONFIG_BOOT_DEV="/dev/sda1" | ||
| export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized" | ||
| export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal" | ||
|
|
||
| # xx30-*-maximized boards require of you initially call one of the | ||
| # following to have gbe.bin ifd.bin and me.bin | ||
| # - blobs/xx30/download_clean_me.sh | ||
| # To download Lenovo original ME binary, neuter+deactivate ME, produce | ||
| # reduced IFD ME region and expanded BIOS IFD region. | ||
| # - blobs/xx30/extract.sh | ||
| # To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs. | ||
| # | ||
| # This board has two SPI flash chips, an 8 MB that holds the IFD, | ||
| # the ME image and part of the coreboot image, and a 4 MB one that | ||
| # has the rest of the coreboot and the reset vector. | ||
| # | ||
| # As a consequence, this replaces the need of having to flash x230-flash | ||
| # and expands available CBFS region (11.5Mb available CBFS space) | ||
| # | ||
| # When flashing via an external programmer it is easiest to have | ||
| # two separate files for these pieces. | ||
| all: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) | ||
| @sha256sum $@ | tee -a "$(HASHES)" | ||
|
|
||
| all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom | ||
| $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) | ||
| $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) | ||
| @sha256sum $@ | tee -a "$(HASHES)" | ||
|
|
||
| all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom | ||
| $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) | ||
| $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) | ||
| @sha256sum $@ | tee -a "$(HASHES)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # CONFIG_USE_BLOBS is not set | ||
| CONFIG_VENDOR_LENOVO=y | ||
| CONFIG_NO_POST=y | ||
| CONFIG_CBFS_SIZE=0xB80000 | ||
| CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" | ||
| CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" | ||
| CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" | ||
| CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 | ||
| CONFIG_HAVE_IFD_BIN=y | ||
| CONFIG_BOARD_LENOVO_X230=y | ||
| CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" | ||
| CONFIG_UART_PCI_ADDR=0x0 | ||
| # CONFIG_PCIEXP_HOTPLUG is not set | ||
| CONFIG_HAVE_ME_BIN=y | ||
| CONFIG_HAVE_GBE_BIN=y | ||
| CONFIG_NO_GFX_INIT=y | ||
| CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 | ||
| CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 | ||
| CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 | ||
| CONFIG_DRIVERS_PS2_KEYBOARD=y | ||
| CONFIG_TPM_MEASURED_BOOT=y | ||
| CONFIG_INTEL_TXT=y | ||
| CONFIG_INTEL_TXT_BIOSACM_FILE="../../blobs/xx30/x230_acm_bios.bin" | ||
| CONFIG_INTEL_TXT_SINITACM_FILE="../../blobs/xx30/3rd_gen_i5_i7_RACM-SINIT_67.bin" | ||
| CONFIG_INTEL_TXT_BDR_VERSION=5 | ||
| CONFIG_INTEL_TXT_LOGGING=y | ||
| CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y | ||
| CONFIG_PAYLOAD_LINUX=y | ||
| CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized-acm/bzImage" | ||
| CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized-acm/initrd.cpio.xz" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters