xxx0 maximized (t400 x200)

.circleci/config.yml

@@ -470,6 +470,26 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: t400-maximized
+          target: t400-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: t400-maximized-debug
+          target: t400-maximized-debug
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+      - build:
+          name: x200-maximized
+          target: x200-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: librem_13v2
           target: librem_13v2

blobs/xxx0/README

@@ -0,0 +1,39 @@
+Coreboot supports generating modified ifd and gbe out of the box.
+To replicate the blobs in this directory (based on coreboot 4.8.1 but simply replace version in paths):
+
+make BOARDS=t400-maximized
+
+This will create the ROM.
+
+Then (considering you git clone heads under ~)
+
+#To generate GBE and IFD
+cd ~/heads/build/coreboot-4.8.1/util/bincfg
+make gen-gbe-ich9m
+make gen-ifd-x200
+mv flashregion_0_fd.bin ../../../../blobs/xxx0/ifd.bin
+mv flashregion_3_gbe.bin ../../../../blobs/xxx0/gbe.bin
+
+#To unlock IFD, permitting to reflash whole flash internally
+cd ~/heads/build/coreboot-4.8.1/util/ifdtool
+make
+cd ~/heads/blobs/xxx0/
+~/heads/build/coreboot-4.8.1/util/ifdtool/ifdtool -u ifd.bin
+mv ifd.bin.new ifd.bin
+
+sha256sum -c hashes.txt
+
+should output:
+gbe.bin: OK
+ifd.bin: OK
+
+IFD contains regions that were outputed to layout.txt through ifdtool -f layout.txt ifd.bin
+It defines a BIOS region of 007fffff – 00003000 = 7FCFFF
+Which 7FCFFF has been defined as CBFS_SIZE under coreboot config to use the whole region
+
+DISCLAIMER: Considering neither gbe.bin nor ifd.bin are proprietary blobs (generated from specifications), those blobs are in tree to ease ROM reproducibility.
+
+Note that MAC address is fixed under gbe-ich9m.spec to DE:AD:C0:FF:EE. 
+- If you want to keep your MAC, call extract.sh prior of building ROM.
+- If you want to fixate your MAC to a custom address, change it under ~/heads/build/coreboot-4.8.1/util/bincfg/gbe-ich9m.spec prior of generating the gbe.bin above
+

blobs/xxx0/extract.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+function printusage {
+  echo "Usage: $0 -f <romdump> -i <ifdtool>(optional)"
+  exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+  case $opt in
+    f)
+      FILE="$OPTARG"
+      ;;
+    i)
+      if [ -x "$OPTARG" ]; then
+        IFDTOOL="$OPTARG"
+      fi
+      ;;
+  esac
+done
+
+if [ -z "$IFDTOOL" ]; then
+  IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+  if [ -z "$IFDTOOL" ]; then
+    echo "ifdtool required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+echo "FILE: $FILE"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+echo "###Copying $FILE under $bioscopy"
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+echo "###Unlocking $bioscopy IFD..."
+$IFDTOOL -u $bioscopy
+echo "###Extracting regions from ROM..."
+$IFDTOOL -x $bioscopy.new
+echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+
+echo "###Cleaning up..."
+rm "$bioscopy"
+rm -r "$extractdir"

blobs/xxx0/hashes.txt

@@ -0,0 +1,2 @@
+7917e0f0eb16c895da25d8acf01155e88ca189724c48a14cd1645d0d09f1cf5b  gbe.bin
+7415548cbe93b5543c6ccbf1b8d9d4f4ef794c4f376e46638a25f84378c19872  ifd.bin

blobs/xxx0/layout.txt

@@ -0,0 +1,3 @@
+00000000:00000fff fd
+00003000:007fffff bios
+00001000:00002fff gbe

boards/t400-maximized-debug/t400-maximized-debug.config

@@ -0,0 +1,61 @@
+# Configuration for a t400 running non-Qubes OSes with USBDEBUG activated under coreboot config
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x7FCFFF:
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+#
+# Includes (read blobs/xxx0/README) 
+# - Generated IFD from bincfg 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/ifd-x200.set
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t400-maximized-debug.config
+CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=n
+CONFIG_POPT=y
+CONFIG_QRENCODE=n
+CONFIG_TPMTOTP=n
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=n
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=n
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T400-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"

boards/t400-maximized/t400-maximized.config

@@ -0,0 +1,61 @@
+# Configuration for a t400 running non-Qubes OSes.
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x7FCFFF:
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+#
+# Includes (read blobs/xxx0/README) 
+# - Generated IFD from bincfg 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/ifd-x200.set
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t400-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=n
+CONFIG_POPT=y
+CONFIG_QRENCODE=n
+CONFIG_TPMTOTP=n
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=n
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=n
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T400-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"

boards/x200-maximized/x200-maximized.config

@@ -0,0 +1,61 @@
+# Configuration for a x200 running non-Qubes OSes.
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x7FCFFF:
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+#
+# Includes (read blobs/xxx0/README) 
+# - Generated IFD from bincfg 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/ifd-x200.set
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x200-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=n
+CONFIG_POPT=y
+CONFIG_QRENCODE=n
+CONFIG_TPMTOTP=n
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=n
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=n
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad X200-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"

config/coreboot-t400-maximized-debug.config

@@ -0,0 +1,15 @@
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x7FCFFF
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xxx0/ifd.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xxx0/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_T400=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_NO_GFX_INIT=y
+CONFIG_USBDEBUG=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"

config/coreboot-t400-maximized.config

@@ -0,0 +1,14 @@
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x7FCFFF
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xxx0/ifd.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xxx0/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_T400=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"

config/coreboot-x200-maximized.config

@@ -0,0 +1,14 @@
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x7FCFFF
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xxx0/ifd.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xxx0/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_X200=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"