mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-12 07:52:56 +00:00
Add T430s config files and blobs.
parent
60081318b5
commit
0e962d6ad0
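--- a/blobs/t430s/download_clean_me.sh
+++ b/blobs/t430s/download_clean_me.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+function printusage {
+echo "Usage: $0 -m <me_cleaner>(optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:" opt; do
+case $opt in
+m)
+if [ -x "$OPTARG" ]; then
+MECLEAN="$OPTARG"
+fi
+;;
+esac
+done
+
+FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
+ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
+ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
+
+
+if [ -z "$MECLEAN" ]; then
+MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+if [ -z "$MECLEAN" ]; then
+echo "me_cleaner.py required but not found or specified with -m. Aborting."
+exit 1;
+fi
+fi
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
+wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; }
+echo "### Verifying expected hash of g1rg24ww.exe"
+echo "$ME_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
+
+echo "### Extracting g1rg24ww.exe..."
+innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;}
+echo "### Verifying expected hash of app/ME8_5M_Production.bin"
+echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
+
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
+$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
+echo "### Verifying expected hash of me.bin"
+echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; }
+
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"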
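Review bot: `me_cleaner` writes straight to `$BLOBDIR/me.bin` and the final hash check only runs afterwards, so a failed verification exits with an unverified blob left at the path `config/coreboot-t430s-maximized.config` reads through `CONFIG_ME_BIN_PATH`. The failure branch should remove it, e.g. `|| { echo "Failed sha256sum verification on final binary..."; rm -f "$BLOBDIR/me.bin"; exit 1; }`. Every early `exit 1` also leaves the `mktemp -d` directory behind, and `cd "$extractdir"` is unchecked, so a `trap 'rm -rf -- "$extractdir"' EXIT` plus `cd "$extractdir" || exit 1` would make the failure paths clean. The echo before the `me_cleaner` call interpolates `$bioscopy`, which this script never sets, and `printusage` has no `exit` here, so a run with no arguments carries on into the download. The `wget` branch prints "wget not found" for any download error, which hides network or TLS failures from whoever is debugging the build.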
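--- a/blobs/t430s/extract.sh
+++ b/blobs/t430s/extract.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+function printusage {
+echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"
+exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+case $opt in
+f)
+FILE="$OPTARG"
+;;
+m)
+if [ -x "$OPTARG" ]; then
+MECLEAN="$OPTARG"
+fi
+;;
+i)
+if [ -x "$OPTARG" ]; then
+IFDTOOL="$OPTARG"
+fi
+;;
+esac
+done
+
+if [ -z "$MECLEAN" ]; then
+MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+if [ -z "$MECLEAN" ]; then
+echo "me_cleaner.py required but not found or specified with -m. Aborting."
+exit 1;
+fi
+fi
+
+if [ -z "$IFDTOOL" ]; then
+IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+if [ -z "$IFDTOOL" ]; then
+echo "ifdtool required but not found or specified with -m. Aborting."
+exit 1;
+fi
+fi
+
+echo "FILE: $FILE"
+echo "ME: $MECLEAN"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+echo "###Copying $FILE under $bioscopy"
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+echo "###Unlocking $bioscopy IFD..."
+$IFDTOOL -u $bioscopy
+echo "###Extracting regions from ROM..."
+$IFDTOOL -x $bioscopy
+echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... "
+$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy"
+
+echo "###Cleaning up..."
+rm "$bioscopy"
+rm -r "$extractdir"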
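Review bot: The `me_cleaner` call sends its throwaway image to the fixed path `/tmp/unneeded.bin`, which is predictable, shared with every other user on the build host, and never removed; the script already owns a private directory, so `-O "$extractdir/unneeded.bin"` keeps the write inside it and lets the existing `rm -r "$extractdir"` clean it up. None of the `cp`, `ifdtool` or `me_cleaner` steps check an exit status and `-f` is never validated, so a missing or unreadable dump still runs through to the cleanup and can leave partial `gbe.bin`, `ifd.bin` or `me.bin` in `$BLOBDIR` for the next build to pick up; a guard such as `[ -r "$FILE" ] || { echo "romdump not readable: $FILE"; exit 1; }` and `|| exit 1` on each tool call would stop that. `$IFDTOOL`, `$MECLEAN` and `$bioscopy` are expanded unquoted, and the missing-ifdtool message names `-m` where the option is `-i`.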
BIN
blobs/t430s/gbe.bin
Normal file
BIN
blobs/t430s/gbe.bin
Normal file
Binary file not shown.
BIN
blobs/t430s/ifd.bin
Normal file
BIN
blobs/t430s/ifd.bin
Normal file
Binary file not shown.
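--- a/boards/t430s-maximized/t430s-maximized.config
+++ b/boards/t430s-maximized/t430s-maximized.config
@@ -0,0 +1,71 @@
+# Configuration for a T430s running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430s-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T430s-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -c MX25L12835F/MX25L12845E/MX25L12865E -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+# following to have gbe.bin ifd.bin and me.bin
+# - blobs/xx30/download_clean_me.sh
+# To download Lenovo original ME binary, neuter+deactivate ME, produce
+# reduced IFD ME region and expanded BIOS IFD region.
+# - blobs/xx30/extract.sh
+# To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+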
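Review bot: The header note and the trailing comment block point at `blobs/xx30/download_clean_me.sh` and `blobs/xx30/extract.sh`, but this commit adds the scripts under `blobs/t430s/` and `config/coreboot-t430s-maximized.config` reads `../../blobs/t430s/ifd.bin`, `me.bin` and `gbe.bin`. Both scripts write next to themselves (`BLOBDIR` is the script's own directory), so following the comments as written would not refresh the blobs this board consumes; suggest `# - blobs/t430s/download_clean_me.sh` and `# - blobs/t430s/extract.sh`, and the same path in the MAC-address line. `CONFIG_FLASHROM_OPTIONS` carries `--force`, which overrides flashrom's safety checks, and nothing in the file says why this board needs it; a one-line comment giving the reason would help whoever later reviews an internal-flash failure.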
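--- a/config/coreboot-t430s-maximized.config
+++ b/config/coreboot-t430s-maximized.config
@@ -0,0 +1,21 @@
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/t430s/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/t430s/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/t430s/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_T430S=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430s-maximized/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430s-maximized/initrd.cpio.xz"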