xx20 boards: add xx20-hotp-maximized boards, remove hotp support from xx20-boards. Modify CircleCI conf accordingly.

.circleci/config.yml

@@ -190,6 +190,30 @@ jobs:
       - store-artifacts:
           path: build/librem_mini_v2
 
+      - run:
+          name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
+          command: |
+            ./blobs/xx20/download_parse_me.sh
+      - run:
+          name: x220-hotp-maximized
+          command: |
+            rm -rf build/x220-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x220-hotp-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi \
+      - run:
+          name: Output x220-hotp-maximized hashes
+          command: |
+            cat build/x220-hotp-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for x220-hotp-maximized
+          command: |
+            tar zcvf build/x220-hotp-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/x220-hotp-maximized
+
       - run:
           name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
           command: |
@@ -214,6 +238,30 @@ jobs:
       - store-artifacts:
           path: build/x220-maximized
 
+      - run:
+          name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
+          command: |
+            ./blobs/xx20/download_parse_me.sh
+      - run:
+          name: t420-hotp-maximized
+          command: |
+            rm -rf build/t420-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t420-hotp-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output t420-hotp-maximized hashes
+          command: |
+            cat build/t420-hotp-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for t420-hotp-maximized
+          command: |
+            tar zcvf build/t420-hotp-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/t420-hotp-maximized
+
       - run:
           name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
           command: |

boards/t420-hotp-maximized/t420-hotp-maximized.config

@@ -0,0 +1,66 @@
+# Configuration for a T420 running Qubes and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expended consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx20/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t420-hotp-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="ThinkPad T420-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+
+# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
+#  - blobs/xx20/download_parse_me.sh
+#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.

boards/t420-maximized/t420-maximized.config

@@ -5,8 +5,7 @@
 # - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx20/extract.sh)
 #   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
 #
-# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
-# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.8.1
 export CONFIG_LINUX_VERSION=4.14.62
@@ -36,7 +35,7 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
-CONFIG_HOTPKEY=y
+CONFIG_HOTPKEY=n
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=y

boards/x220-hotp-maximized/x220-hotp-maximized.config

@@ -0,0 +1,66 @@
+# Configuration for a X220 running Qubes and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expended consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx20/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x220-hotp-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="ThinkPad X220-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+
+# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
+#  - blobs/xx20/download_parse_me.sh
+#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.

boards/x220-maximized/x220-maximized.config

@@ -4,9 +4,6 @@
 # - Deactivated+neutered ME and expended consequent IFD BIOS regions
 # - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx20/extract.sh)
 #   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
-#
-# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
-# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.8.1
 export CONFIG_LINUX_VERSION=4.14.62
@@ -36,7 +33,7 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
-CONFIG_HOTPKEY=y
+CONFIG_HOTPKEY=n
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=y

config/coreboot-t420-hotp-maximized.config

@@ -0,0 +1,24 @@
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x750000
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin"
+CONFIG_BOARD_LENOVO_T420=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_NO_POST=y
+CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t420-hotp-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/t420-maximized/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y

config/coreboot-x220-hotp-maximized.config

@@ -0,0 +1,24 @@
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x750000
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin"
+CONFIG_BOARD_LENOVO_X220=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_NO_POST=y
+CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin"
+#CONFIG_DEBUG_TPM=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x220-hotp-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/x220-maximized/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y