diff --git a/.circleci/config.yml b/.circleci/config.yml index 2e50225b..6edb6d36 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -190,6 +190,30 @@ jobs: - store-artifacts: path: build/librem_mini_v2 + - run: + name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx20/download_parse_me.sh + - run: + name: x220-hotp-maximized + command: | + rm -rf build/x220-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x220-hotp-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi \ + - run: + name: Output x220-hotp-maximized hashes + command: | + cat build/x220-hotp-maximized/hashes.txt \ + - run: + name: Archiving build logs for x220-hotp-maximized + command: | + tar zcvf build/x220-hotp-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x220-hotp-maximized + - run: name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) command: | @@ -214,6 +238,30 @@ jobs: - store-artifacts: path: build/x220-maximized + - run: + name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx20/download_parse_me.sh + - run: + name: t420-hotp-maximized + command: | + rm -rf build/t420-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t420-hotp-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output t420-hotp-maximized hashes + command: | + cat build/t420-hotp-maximized/hashes.txt \ + - run: + name: Archiving build logs for t420-hotp-maximized + command: | + tar zcvf build/t420-hotp-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/t420-hotp-maximized + - run: name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) command: | diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config new file mode 100644 index 00000000..e5bc6479 --- /dev/null +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -0,0 +1,64 @@ +# Configuration for a T420 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expended consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t420-hotp-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="ThinkPad T420-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq" + +# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx20/download_parse_me.sh +# To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region. diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index fc837818..e6069025 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -5,8 +5,7 @@ # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set # -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool -# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from +# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 export CONFIG_LINUX_VERSION=4.14.62 @@ -36,10 +35,10 @@ CONFIG_QRENCODE=y CONFIG_TPMTOTP=y #HOTP based remote attestation for supported USB Security dongle #With/Without TPM support -CONFIG_HOTPKEY=y +CONFIG_HOTPKEY=n #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index ba2fabc1..de7939ce 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -5,8 +5,7 @@ # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set # -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool -# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 export CONFIG_LINUX_VERSION=4.14.62 @@ -39,7 +38,7 @@ CONFIG_TPMTOTP=y CONFIG_HOTPKEY=y #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index d3bb59be..1f8578fa 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -5,7 +5,6 @@ # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set # -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 @@ -39,7 +38,7 @@ CONFIG_TPMTOTP=y #CONFIG_HOTPKEY=y #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config new file mode 100644 index 00000000..33103354 --- /dev/null +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -0,0 +1,64 @@ +# Configuration for a X220 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expended consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-x220-hotp-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="ThinkPad X220-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq" + +# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx20/download_parse_me.sh +# To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region. diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 85f4d91b..6d16697f 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -4,9 +4,6 @@ # - Deactivated+neutered ME and expended consequent IFD BIOS regions # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set -# -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool -# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 export CONFIG_LINUX_VERSION=4.14.62 @@ -36,10 +33,10 @@ CONFIG_QRENCODE=y CONFIG_TPMTOTP=y #HOTP based remote attestation for supported USB Security dongle #With/Without TPM support -CONFIG_HOTPKEY=y +CONFIG_HOTPKEY=n #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index fe629a0a..8c162ab3 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -5,8 +5,7 @@ # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set # -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool -# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 export CONFIG_LINUX_VERSION=4.14.62 @@ -39,7 +38,7 @@ CONFIG_TPMTOTP=y CONFIG_HOTPKEY=y #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 49ce572c..4d39fed7 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -5,7 +5,6 @@ # - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) # - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set # -# - Includes NKSTORECLI to support Nitrokey Storage administrative tool # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 @@ -39,7 +38,7 @@ CONFIG_TPMTOTP=y #CONFIG_HOTPKEY=y #Nitrokey Storage admin tool -CONFIG_NKSTORECLI=y +CONFIG_NKSTORECLI=n #GUI Support #Console based Whiptail support(Console based, no FB): diff --git a/config/coreboot-t420-hotp-maximized.config b/config/coreboot-t420-hotp-maximized.config new file mode 100644 index 00000000..406005d6 --- /dev/null +++ b/config/coreboot-t420-hotp-maximized.config @@ -0,0 +1,24 @@ +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x750000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" +CONFIG_BOARD_LENOVO_T420=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t420-hotp-maximized/bzImage" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +CONFIG_LINUX_INITRD="../../build/t420-maximized/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-x220-hotp-maximized.config b/config/coreboot-x220-hotp-maximized.config new file mode 100644 index 00000000..7c516eb9 --- /dev/null +++ b/config/coreboot-x220-hotp-maximized.config @@ -0,0 +1,24 @@ +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x750000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" +CONFIG_BOARD_LENOVO_X220=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" +#CONFIG_DEBUG_TPM=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/x220-hotp-maximized/bzImage" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +CONFIG_LINUX_INITRD="../../build/x220-maximized/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y