diff --git a/.circleci/config.yml b/.circleci/config.yml index 44ad1061c..fe197f617 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -13,7 +13,7 @@ commands: command: | ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo unzip - run: name: Make Board command: | @@ -45,7 +45,7 @@ jobs: command: | ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo unzip - checkout - run: @@ -95,6 +95,11 @@ jobs: command: | ./blobs/xx30/download_clean_me.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py) + - run: + name: Download and extract xx30 ACM BIOS and SINIT + command: | + ./blobs/xx30/download_extract_acm.sh + - run: name: Download and extract t530 vbios roms for dgpu boards command: | @@ -332,6 +337,14 @@ workflows: subcommand: "" requires: - x230-hotp-maximized + + - build: + name: x230-hotp-maximized-ac + target: x230-maximized-ac + subcommand: "" + requires: + - x230-hotp-maximized + - build: name: t530-hotp-maximized target: t530-hotp-maximized diff --git a/blobs/xx30/download_extract_acm.sh b/blobs/xx30/download_extract_acm.sh new file mode 100755 index 000000000..ff7d2ddc0 --- /dev/null +++ b/blobs/xx30/download_extract_acm.sh @@ -0,0 +1,61 @@ +#!/bin/bash + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +X230_ACM_EXE_SHA256SUM="5651d17fe33323cdff35cf6390005f47741a98b6c2ea4e0a46d6149a68f28eac g2uj33us.exe" +X230_FL1_SHA256SUM='dfef8b06618897eafe4e727cc7782a6aa6c31d5419c230e55fa39bdcd184a923 app/G2ETB7WW/$01D3000.FL1' +UEFIExtract_SHA256SUM="11ae7656e675f47e42684fe2bfb1e09f18825f9bf787892fb25c0a8d9cf04ac7 UEFIExtract_NE_A59_linux_x86_64.zip" +X230_BIOS_ACM_SHA256SUM="8f09aa059326b04f124d3dc7661fd6c4ef52ca126d790b17761cfbcb864738bf X230_acm_bios/body.bin" +XX30_SINIT_ZIP_SHA256SUM="c94851c9a0f1b02d6ce11e57fc60620da5770f3e35bf01708f6f0cbc73ce05c8 3rd-gen-i5-i7-racm-sinit-67.zip" +XX30_SINIT_SHA256SUM="77e2c92360ad3af495cedb024fcd3250507c1c5df9cfc157179a16a590cfe4da 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin" + +echo "### Creating temp dir" +extractdir=$(mktemp -d) +echo "working dir: $extractdir" +cd "$extractdir" + +echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..." +wget https://download.lenovo.com/pccbbs/mobiles/g2uj33us.exe +echo "### Verifying expected hash of g2uj33us.exe" +echo "$X230_ACM_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; } + +echo "### Extracting g1rg24ww.exe..." +innoextract ./g2uj33us.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;} +echo '### Verifying expected hash of app/G2ETB7WW/$01D3000.FL1' +echo "$X230_FL1_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; } + +echo "### Downloading UEFIExtract..." +wget https://github.com/LongSoft/UEFITool/releases/download/A59/UEFIExtract_NE_A59_linux_x86_64.zip +echo "### Verifying expected checksum of UEFIExtract_NE_A59_linux_x86_64.zip ..." +echo "$UEFIExtract_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification UEFIExtract_NE_A59_linux_x86_64.zip..." && exit 1; } + +echo "###Extracting BIOS ACM from app/G2ETB7WW/$01D3000.FL1 ..." +unzip UEFIExtract_NE_A59_linux_x86_64.zip +./UEFIExtract 'app/G2ETB7WW/$01D3000.FL1' 2D27C618-7DCD-41F5-BB10-21166BE7E143 -o X230_acm_bios -m body + +echo "### Verifying expected hash of X230 BIOS ACM..." +echo "$X230_BIOS_ACM_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on X230 ACM BIOS BLOB..." && exit 1; } + +echo "### Moving X230_acm_bios/body.bin under $BLOBDIR/x230_acm_bios.bin ..." +mv X230_acm_bios/body.bin $BLOBDIR/x230_acm_bios.bin + +echo "### Downloading Ivy Bridge (xx30) SINIT ACM..." +wget https://web.archive.org/web/20220616203154/https://downloadmirror.intel.com/728789/3rd-gen-i5-i7-racm-sinit-67.zip + +echo "### Verifying expected hash of BIOS ACM..." +echo "$XX30_SINIT_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; } + +echo "###Extracting SINIT ACM blob from 3rd-gen-i5-i7-racm-sinit-67.zip ..." +unzip 3rd-gen-i5-i7-racm-sinit-67.zip + +echo "### Verifying expected hash of X230 BIOS ACM..." +echo "$XX30_SINIT_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; } + +echo "### Moving 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin under $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin" +mv 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin + +#echo "" +echo "###Cleaning up..." +cd - > /dev/null 2>&1 +echo "Removing $extractdir ..." +#rm -r "$extractdir" diff --git a/boards/x230-hotp-maximized-acm/x230-hotp-maximized-acm.config b/boards/x230-hotp-maximized-acm/x230-hotp-maximized-acm.config new file mode 100644 index 000000000..5c972bcf4 --- /dev/null +++ b/boards/x230-hotp-maximized-acm/x230-hotp-maximized-acm.config @@ -0,0 +1,90 @@ +# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec) +# +# Includes +# - ACM BIOS and ACM INIT blobs, downloaded through the blobs/xx30/download_extract_acm.sh) +# - Deactivated+neutered ME and expanded consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.17 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-maximized-acm.config +CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal" + +# xx30-*-maximized boards require of you initially call one of the +# following to have gbe.bin ifd.bin and me.bin +# - blobs/xx30/download_clean_me.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce +# reduced IFD ME region and expanded BIOS IFD region. +# - blobs/xx30/extract.sh +# To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs. +# +# This board has two SPI flash chips, an 8 MB that holds the IFD, +# the ME image and part of the coreboot image, and a 4 MB one that +# has the rest of the coreboot and the reset vector. +# +# As a consequence, this replaces the need of having to flash x230-flash +# and expands available CBFS region (11.5Mb available CBFS space) +# +# When flashing via an external programmer it is easiest to have +# two separate files for these pieces. +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) + @sha256sum $@ + +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) + @sha256sum $@ diff --git a/config/coreboot-x230-hotp-maximized-acm.config b/config/coreboot-x230-hotp-maximized-acm.config new file mode 100644 index 000000000..7ae7231bb --- /dev/null +++ b/config/coreboot-x230-hotp-maximized-acm.config @@ -0,0 +1,30 @@ +# CONFIG_USE_BLOBS is not set +CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_CBFS_SIZE=0xB80000 +CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin" +CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_HAVE_IFD_BIN=y +CONFIG_BOARD_LENOVO_X230=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_PCIEXP_HOTPLUG is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_NO_GFX_INIT=y +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_INTEL_TXT=y +CONFIG_INTEL_TXT_BIOSACM_FILE="../../blobs/xx30/x230_acm_bios.bin" +CONFIG_INTEL_TXT_SINITACM_FILE="../../blobs/xx30/3rd_gen_i5_i7_RACM-SINIT_67.bin" +CONFIG_INTEL_TXT_BDR_VERSION=5 +CONFIG_INTEL_TXT_LOGGING=y +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized/bzImage" +CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized/initrd.cpio.xz" diff --git a/modules/coreboot b/modules/coreboot index faf88cdd4..a92156cca 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -25,6 +25,12 @@ else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.15" coreboot-blobs_hash := c0e2d8006da226208ba274a44895d102cb2879cf139cc67bba5f62e67b871f6d coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs) EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned -Wno-error=address-of-packed-member +else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.17" + coreboot_version := 4.17 + coreboot_hash := 95da11d1c6a450385101a68799258a398ce965f4e46cce6fe8d5ebd74e50c125 + coreboot-blobs_hash := a2277fe7a2b2aab5da0aa335158460e00b852382f6736f2179992805702eb607 + coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs) + EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned -Wno-error=address-of-packed-member else $(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") endif