WIP xx30/Haswell+ TXT support, IBB CPU anchored RoT through ACM blobs?

.circleci/config.yml

@@ -13,7 +13,7 @@ commands:
           command: |
             ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime
             apt update
-            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo
+            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo unzip
       - run:
           name: Make Board
           command: |
@@ -45,7 +45,7 @@ jobs:
           command: |
             ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime 
             apt update
-            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo
+            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo unzip
       - checkout
 
       - run:
@@ -95,6 +95,11 @@ jobs:
           command: |
             ./blobs/xx30/download_clean_me.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
 
+      - run:
+          name: Download and extract xx30 ACM BIOS and SINIT
+          command: |
+            ./blobs/xx30/download_extract_acm.sh
+
       - run:
           name: Download and extract t530 vbios roms for dgpu boards
           command: |
@@ -332,6 +337,14 @@ workflows:
           subcommand: ""
           requires:
             - x230-hotp-maximized
+
+      - build:
+          name: x230-hotp-maximized-acm
+          target: x230-hotp-maximized-acm
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: t530-hotp-maximized
           target: t530-hotp-maximized

blobs/xx30/download_extract_acm.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+X230_ACM_EXE_SHA256SUM="5651d17fe33323cdff35cf6390005f47741a98b6c2ea4e0a46d6149a68f28eac  g2uj33us.exe"
+X230_FL1_SHA256SUM='dfef8b06618897eafe4e727cc7782a6aa6c31d5419c230e55fa39bdcd184a923  app/G2ETB7WW/$01D3000.FL1'
+UEFIExtract_SHA256SUM="11ae7656e675f47e42684fe2bfb1e09f18825f9bf787892fb25c0a8d9cf04ac7  UEFIExtract_NE_A59_linux_x86_64.zip"
+X230_BIOS_ACM_SHA256SUM="8f09aa059326b04f124d3dc7661fd6c4ef52ca126d790b17761cfbcb864738bf  X230_acm_bios/body.bin"
+XX30_SINIT_ZIP_SHA256SUM="c94851c9a0f1b02d6ce11e57fc60620da5770f3e35bf01708f6f0cbc73ce05c8  3rd-gen-i5-i7-racm-sinit-67.zip"
+XX30_SINIT_SHA256SUM="77e2c92360ad3af495cedb024fcd3250507c1c5df9cfc157179a16a590cfe4da  3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin"
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+echo "working dir: $extractdir"
+cd "$extractdir"
+
+echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
+wget https://download.lenovo.com/pccbbs/mobiles/g2uj33us.exe
+echo "### Verifying expected hash of g2uj33us.exe"
+echo "$X230_ACM_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
+
+echo "### Extracting g1rg24ww.exe..."
+innoextract ./g2uj33us.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;}
+echo '### Verifying expected hash of app/G2ETB7WW/$01D3000.FL1'
+echo "$X230_FL1_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
+
+echo "### Downloading UEFIExtract..."
+wget https://github.com/LongSoft/UEFITool/releases/download/A59/UEFIExtract_NE_A59_linux_x86_64.zip
+echo "### Verifying expected checksum of UEFIExtract_NE_A59_linux_x86_64.zip ..."
+echo "$UEFIExtract_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification UEFIExtract_NE_A59_linux_x86_64.zip..." && exit 1; }
+
+echo "###Extracting BIOS ACM from app/G2ETB7WW/$01D3000.FL1 ..."
+unzip UEFIExtract_NE_A59_linux_x86_64.zip
+./UEFIExtract 'app/G2ETB7WW/$01D3000.FL1' 2D27C618-7DCD-41F5-BB10-21166BE7E143 -o X230_acm_bios -m body
+
+echo "### Verifying expected hash of X230 BIOS ACM..."
+echo "$X230_BIOS_ACM_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on X230 ACM BIOS BLOB..." && exit 1; }
+
+echo "### Moving X230_acm_bios/body.bin under $BLOBDIR/x230_acm_bios.bin ..."
+mv X230_acm_bios/body.bin $BLOBDIR/x230_acm_bios.bin
+
+echo "### Downloading Ivy Bridge (xx30) SINIT ACM..."
+wget https://web.archive.org/web/20220616203154/https://downloadmirror.intel.com/728789/3rd-gen-i5-i7-racm-sinit-67.zip
+
+echo "### Verifying expected hash of BIOS ACM..."
+echo "$XX30_SINIT_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; }
+
+echo "###Extracting SINIT ACM blob from 3rd-gen-i5-i7-racm-sinit-67.zip ..."
+unzip 3rd-gen-i5-i7-racm-sinit-67.zip
+
+echo "### Verifying expected hash of X230 BIOS ACM..."
+echo "$XX30_SINIT_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on XX30 (Ivy Bridge) SINIT ACM BLOB..." && exit 1; }
+
+echo "### Moving 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin under $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin"
+mv 3rd_gen_i5_i7_RACM-SINIT_67/3rd_gen_i5_i7_RACM-SINIT_67.bin $BLOBDIR/3rd_gen_i5_i7_RACM-SINIT_67.bin
+
+#echo ""
+echo "###Cleaning up..."
+cd - > /dev/null 2>&1 
+echo "Removing $extractdir ..."
+#rm -r "$extractdir"

boards/x230-hotp-maximized-acm/x230-hotp-maximized-acm.config

@@ -0,0 +1,93 @@
+# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - ACM BIOS and ACM INIT blobs, downloaded through the blobs/xx30/download_extract_acm.sh)
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-maximized-acm.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+#  following to have gbe.bin ifd.bin and me.bin
+#  - blobs/xx30/download_clean_me.sh
+#     To download Lenovo original ME binary, neuter+deactivate ME, produce
+#      reduced IFD ME region and expanded BIOS IFD region.
+#  - blobs/xx30/extract.sh
+#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+#
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#   
+# As a consequence, this replaces the need of having to flash x230-flash 
+#  and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	@sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"

config/coreboot-x230-hotp-maximized-acm.config

@@ -0,0 +1,30 @@
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0x0
+# CONFIG_PCIEXP_HOTPLUG is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_NO_GFX_INIT=y
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_INTEL_TXT=y
+CONFIG_INTEL_TXT_BIOSACM_FILE="../../blobs/xx30/x230_acm_bios.bin"
+CONFIG_INTEL_TXT_SINITACM_FILE="../../blobs/xx30/3rd_gen_i5_i7_RACM-SINIT_67.bin"
+CONFIG_INTEL_TXT_BDR_VERSION=5
+CONFIG_INTEL_TXT_LOGGING=y
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized-acm/bzImage"
+CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized-acm/initrd.cpio.xz"

modules/coreboot

@@ -25,6 +25,12 @@ else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.15"
 	coreboot-blobs_hash := c0e2d8006da226208ba274a44895d102cb2879cf139cc67bba5f62e67b871f6d
 	coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs)
 	EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned -Wno-error=address-of-packed-member
+else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.17"
+	coreboot_version := 4.17
+	coreboot_hash := 95da11d1c6a450385101a68799258a398ce965f4e46cce6fe8d5ebd74e50c125
+	coreboot-blobs_hash := a2277fe7a2b2aab5da0aa335158460e00b852382f6736f2179992805702eb607
+	coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs)
+	EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned -Wno-error=address-of-packed-member
 else
 	$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION")
 endif