Merge pull request #1556 from JonathonHall-Purism/site-local-config

Makefile: Allow downstreams to put local customizations in site-local/config

Makefile

@@ -12,13 +12,6 @@ HEADS_GIT_VERSION	:= $(shell git describe --abbrev=7 --tags --dirty)
 # Override BRAND_NAME to set the name displayed in the UI, filenames, versions, etc.
 BRAND_NAME	?= Heads
 
-CB_OUTPUT_BASENAME	:= $(shell echo $(BRAND_NAME) | tr A-Z a-z)-$(BOARD)-$(HEADS_GIT_VERSION)
-CB_OUTPUT_FILE		:= $(CB_OUTPUT_BASENAME).rom
-CB_OUTPUT_FILE_GPG_INJ	:= $(CB_OUTPUT_BASENAME)-gpg-injected.rom
-CB_BOOTBLOCK_FILE	:= $(CB_OUTPUT_BASENAME).bootblock
-CB_UPDATE_PKG_FILE	:= $(CB_OUTPUT_BASENAME).zip
-LB_OUTPUT_FILE		:= linuxboot-$(BOARD)-$(HEADS_GIT_VERSION).rom
-
 all:
 -include .config
 
@@ -59,6 +52,20 @@ CONFIG_LEGACY_FLASH := n
 
 include $(CONFIG)
 
+# Include site-local/config only if it exists, downstreams can set configs for
+# all boards, including overriding values specified by boards.  site-local is
+# not a part of the upstream distribution but is for downstreams to insert
+# customizations at well-defined points, like in coreboot:
+# https://doc.coreboot.org/tutorial/managing_local_additions.html
+-include $(pwd)/site-local/config
+
+CB_OUTPUT_BASENAME	:= $(shell echo $(BRAND_NAME) | tr A-Z a-z)-$(BOARD)-$(HEADS_GIT_VERSION)
+CB_OUTPUT_FILE		:= $(CB_OUTPUT_BASENAME).rom
+CB_OUTPUT_FILE_GPG_INJ	:= $(CB_OUTPUT_BASENAME)-gpg-injected.rom
+CB_BOOTBLOCK_FILE	:= $(CB_OUTPUT_BASENAME).bootblock
+CB_UPDATE_PKG_FILE	:= $(CB_OUTPUT_BASENAME).zip
+LB_OUTPUT_FILE		:= linuxboot-$(BOARD)-$(HEADS_GIT_VERSION).rom
+
 # Unless otherwise specified, we are building for heads
 CONFIG_HEADS	?= y
 
@@ -74,6 +81,10 @@ else
 $(error "Unexpected value of $$(CONFIG_TARGET_ARCH): $(CONFIG_TARGET_ARCH)")
 endif
 
+ifneq "$(BOARD_TARGETS)" ""
+include targets/$(BOARD_TARGETS).mk
+endif
+
 # Create directories if they don't already exist
 BUILD_LOG	:= $(shell mkdir -p "$(log_dir)")
 PACKAGES	:= $(shell mkdir -p "$(packages)")

README.md

@@ -81,7 +81,7 @@ QEMU:
 
 OS booting can be tested in QEMU using a software TPM.  HOTP can be tested by forwarding a USB token from the host to the guest.
 
-For more information and setup instructions, refer to the [qemu-coreboot-fbwhiptail-tpm1-hotp documentation](boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md).
+For more information and setup instructions, refer to the [qemu documentation](targets/qemu.md).
 
 coreboot console messages
 ---

boards/UNTESTED_t430-legacy-flash/UNTESTED_t430-legacy-flash.config

@@ -32,19 +32,4 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image
 
 CONFIG_LEGACY_FLASH=y
 
-# This board is "special" in that we need a 4MB top SPI flashable ROM.
+BOARD_TARGETS := legacy_flash
-# This is enough to allow the board to boot into a minimal Heads and read the full Legacy
-# ROM from an external USB media.
-# 
-# No tools outside of flashrom are provided here as you can see per activated modules above.
-# Everything Heads is now delegated to the Legacy ROM to be flashed
-# from xx30-flash ROMs. 
-#
-# Instructions to mount USB thumb drive and flash legacy 12Mb image will be given on screen
-# per CONFIG_BOOTSCRIPT script above.
-#
-# Below, we just move produced ROM with a name appended with -top.rom for clarity.
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,MV 4MB top ROM,$@, mv $< $@)
-	@sha256sum $@

boards/UNTESTED_t530-dgpu-hotp-maximized/UNTESTED_t530-dgpu-hotp-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_t530-dgpu-maximized/UNTESTED_t530-dgpu-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_t530-hotp-maximized/UNTESTED_t530-hotp-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_t530-maximized/UNTESTED_t530-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-dgpu-K1000m-hotp-maximized/UNTESTED_w530-dgpu-K1000m-hotp-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-dgpu-K1000m-maximized/UNTESTED_w530-dgpu-K1000m-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-dgpu-K2000m-hotp-maximized/UNTESTED_w530-dgpu-K2000m-hotp-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-dgpu-K2000m-maximized/UNTESTED_w530-dgpu-K2000m-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-hotp-maximized/UNTESTED_w530-hotp-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/UNTESTED_w530-maximized/UNTESTED_w530-maximized.config

@@ -74,25 +74,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config

@@ -70,93 +70,4 @@ export CONFIG_TPM=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config

@@ -71,93 +71,4 @@ export CONFIG_TPM=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config

@@ -75,95 +75,4 @@ CONFIG_OPENSSL=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --create-config-files skip-if-exist
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram --tpm2
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpm2 \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config

@@ -77,95 +77,4 @@ CONFIG_OPENSSL=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --create-config-files skip-if-exist
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram --tpm2
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpm2 \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config

@@ -70,93 +70,4 @@ export CONFIG_TPM=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1-hotp"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config

@@ -71,93 +71,4 @@ export CONFIG_TPM=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.md

boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config

@@ -75,95 +75,4 @@ CONFIG_OPENSSL=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --create-config-files skip-if-exist
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram --tpm2
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpm2 \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config

@@ -77,95 +77,4 @@ CONFIG_OPENSSL=y
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2"
 
-# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+BOARD_TARGETS := qemu
-# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
-# that way without a GPG key.
-ifneq "$(PUBKEY_ASC)" ""
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
-else
-QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-endif
-
-#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
-TPMDIR=$(build)/$(BOARD)/vtpm
-$(TPMDIR)/.manufacture:
-	mkdir -p "$(TPMDIR)"
-	swtpm_setup --create-config-files skip-if-exist
-	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram --tpm2
-	touch "$(TPMDIR)/.manufacture"
-ROOT_DISK_IMG=$(build)/$(BOARD)/root.qcow2
-# Default to 20G disk
-QEMU_DISK_SIZE?=20G
-$(ROOT_DISK_IMG):
-	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
-# Remember the amount of memory so it doesn't have to be specified every time.
-# Default to 4G, most bootable OSes are not usable with less.
-QEMU_MEMORY_SIZE?=4G
-MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
-$(MEMORY_SIZE_FILE):
-	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
-USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
-$(USB_FD_IMG):
-	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
-	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
-	# though it is meaningful to use mkfs.vfat (etc.) as non-root
-	MKFS_VFAT=mkfs.vfat; \
-	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
-	"$$MKFS_VFAT" "$(USB_FD_IMG)"
-# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
-# of the temporary flash drive for exporting GPG keys.
-ifneq "$(INSTALL_IMG)" ""
-QEMU_USB_FD_IMG := $(INSTALL_IMG)
-else
-QEMU_USB_FD_IMG := $(USB_FD_IMG)
-endif
-# To forward a USB token, set USB_TOKEN to one of the following:
-# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
-# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
-# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
-# - LibremKey - forwards a Librem Key by VID:PID
-# - <other> - Provide the QEMU usb-host parameters, such as
-#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
-ifeq "$(USB_TOKEN)" "NitrokeyPro"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
-else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
-else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
-else ifeq "$(USB_TOKEN)" "LibremKey"
-QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
-else ifneq "$(USB_TOKEN)" ""
-QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
-endif
-
-run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-	swtpm socket \
-		--tpm2 \
-		--tpmstate dir="$(TPMDIR)" \
-		--flags "startup-clear" \
-		--terminate \
-		--ctrl type=unixio,path="$(TPMDIR)/sock" &
-	sleep 0.5
-
-	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
-		--machine q35,accel=kvm:tcg \
-		-rtc base=utc \
-		-smp "$$(nproc)" \
-		-vga std \
-		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-		-serial stdio \
-		--bios "$(QEMU_BOOT_ROM)" \
-		-object rng-random,filename=/dev/urandom,id=rng0 \
-		-device virtio-rng-pci,rng=rng0 \
-		-netdev user,id=u1 -device e1000,netdev=u1 \
-		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
-		-tpmdev emulator,id=tpm0,chardev=chrtpm \
-		-device tpm-tis,tpmdev=tpm0 \
-		-device qemu-xhci,id=usb \
-		-device usb-tablet \
-		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
-		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
-		$(QEMU_USB_TOKEN_DEV) \
-
-	stty sane
-	@echo

boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.md

@@ -1 +0,0 @@
-../qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md

boards/t430-hotp-maximized/t430-hotp-maximized.config

@@ -72,25 +72,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t430-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/t430-maximized/t430-maximized.config

@@ -73,25 +73,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t430-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/t440p-maximized/t440p-maximized.config

@@ -52,14 +52,5 @@ $(pwd)/blobs/t440p/me.bin:
 	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
 		$(pwd)/blobs/t440p/download-clean-me $(pwd)/blobs/t440p
 
-# Haswell boards have an 8 MiB and 4 MiB SPI flash chip. So, we split the
+# Generate split 4MB top / 8MB bottom ROMs
-# Coreboot ROM into two files to flash one on each chip.
+BOARD_TARGETS := split_8mb4mb
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/talos-2/talos-2.config

@@ -50,20 +50,4 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p2"
 export CONFIG_BOARD_NAME="Talos 2"
 export CONFIG_FLASHROM_OPTIONS="--noverify-all -p linux_mtd"
 
-OUTPUT_PREFIX	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
+BOARD_TARGETS := ppc_tgz
-BUNDLED_LINUX	:= $(OUTPUT_PREFIX)-zImage.bundled
-OUTPUT_FILES	:= $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX)
-
-all: $(board_build)/$(BUNDLED_LINUX)
-$(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled
-	$(call do-copy,$<,$@)
-
-all: $(board_build)/$(OUTPUT_PREFIX).tgz
-$(board_build)/$(OUTPUT_PREFIX).tgz: \
-	$(addprefix $(board_build)/,$(OUTPUT_FILES))
-	rm -rf $(board_build)/pkg # cleanup in case directory exists
-	mkdir $(board_build)/pkg
-	cp $^ $(board_build)/pkg
-	cd $(board_build)/pkg && sha256sum * > sha256sum.txt
-	cd $(board_build)/pkg && tar zcf $@ *
-	rm -r $(board_build)/pkg

boards/w541-maximized/w541-maximized.config

@@ -52,14 +52,5 @@ $(pwd)/blobs/w541/me.bin:
 	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
 		$(pwd)/blobs/w541/download-clean-me $(pwd)/blobs/w541
 
-# Haswell boards have an 8 MiB and 4 MiB SPI flash chip. So, we split the
+# Generate split 4MB top / 8MB bottom ROMs
-# Coreboot ROM into two files to flash one on each chip.
+BOARD_TARGETS := split_8mb4mb
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config

@@ -86,25 +86,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/x230-hotp-maximized/x230-hotp-maximized.config

@@ -77,25 +77,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config

@@ -76,25 +76,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/x230-legacy-flash/x230-legacy-flash.config

@@ -33,19 +33,4 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image
 
 CONFIG_LEGACY_FLASH=y
 
-# This board is "special" in that we need a 4MB top SPI flashable ROM.
+BOARD_TARGETS := legacy_flash
-# This is enough to allow the board to boot into a minimal Heads and read the full Legacy
-# ROM from an external USB media.
-# 
-# No tools outside of flashrom are provided here as you can see per activated modules above.
-# Everything Heads is now delegated to the Legacy ROM to be flashed
-# from xx30-flash ROMs. 
-#
-# Instructions to mount USB thumb drive and flash legacy 12Mb image will be given on screen
-# per CONFIG_BOOTSCRIPT script above.
-#
-# Below, we just move produced ROM with a name appended with -top.rom for clarity.
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,MV 4MB top ROM,$@, mv $< $@)
-	@sha256sum $@

boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config

@@ -86,25 +86,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

boards/x230-maximized/x230-maximized.config

@@ -77,25 +77,6 @@ export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
 #      reduced IFD ME region and expanded BIOS IFD region.
 #  - blobs/xx30/extract.sh
 #     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+# Generate split 4MB top / 8MB bottom ROMs
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+BOARD_TARGETS := split_8mb4mb
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"

targets/legacy_flash.mk

@@ -0,0 +1,16 @@
+# legacy-flash boards are "special" in that we need a 4MB top SPI flashable ROM.
+# This is enough to allow the board to boot into a minimal Heads and read the full Legacy
+# ROM from an external USB media.
+#
+# No tools outside of flashrom are provided here as you can see per activated modules above.
+# Everything Heads is now delegated to the Legacy ROM to be flashed
+# from xx30-flash ROMs.
+#
+# Instructions to mount USB thumb drive and flash legacy 12Mb image will be given on screen
+# per CONFIG_BOOTSCRIPT script above.
+#
+# Below, we just move produced ROM with a name appended with -top.rom for clarity.
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
+	$(call do,MV 4MB top ROM,$@, mv $< $@)
+	@sha256sum $@

targets/ppc_tgz.mk

@@ -0,0 +1,17 @@
+OUTPUT_PREFIX	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
+BUNDLED_LINUX	:= $(OUTPUT_PREFIX)-zImage.bundled
+OUTPUT_FILES	:= $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX)
+
+all: $(board_build)/$(BUNDLED_LINUX)
+$(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled
+	$(call do-copy,$<,$@)
+
+all: $(board_build)/$(OUTPUT_PREFIX).tgz
+$(board_build)/$(OUTPUT_PREFIX).tgz: \
+	$(addprefix $(board_build)/,$(OUTPUT_FILES))
+	rm -rf $(board_build)/pkg # cleanup in case directory exists
+	mkdir $(board_build)/pkg
+	cp $^ $(board_build)/pkg
+	cd $(board_build)/pkg && sha256sum * > sha256sum.txt
+	cd $(board_build)/pkg && tar zcf $@ *
+	rm -r $(board_build)/pkg

targets/qemu.mk

@@ -0,0 +1,109 @@
+# Targets for running in qemu, including:
+# * virtual TPM
+# * virtual disk image (configurable size)
+# * virtual USB flash drive
+# * configurable guest memory size
+# * forwarded USB security token
+
+# Use the GPG-injected ROM if a key was given, since we can't reflash a GPG
+# keyring in QEMU.  Otherwise use the plain ROM, some things can still be tested
+# that way without a GPG key.
+ifneq "$(PUBKEY_ASC)" ""
+QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE_GPG_INJ)
+else
+QEMU_BOOT_ROM := $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+endif
+
+ifeq "$(CONFIG_TPM2_TSS)" "y"
+SWTPM_TPMVER := --tpm2
+SWTPM_PRESETUP := swtpm_setup --create-config-files skip-if-exist
+else
+# TPM1 is the default
+SWTPM_TPMVER :=
+# No pre-setup
+SWTPM_PRESETUP := true
+endif
+
+#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
+TPMDIR=$(build)/$(BOARD)/vtpm
+$(TPMDIR)/.manufacture:
+	mkdir -p "$(TPMDIR)"
+	$(SWTPM_PRESETUP)
+	swtpm_setup --tpm-state "$(TPMDIR)" --create-platform-cert --lock-nvram $(SWTPM_TPMVER)
+	touch "$(TPMDIR)/.manufacture"
+ROOT_DISK_IMG:=$(build)/$(BOARD)/root.qcow2
+# Default to 20G disk
+QEMU_DISK_SIZE?=20G
+$(ROOT_DISK_IMG):
+	qemu-img create -f qcow2 "$(ROOT_DISK_IMG)" $(QEMU_DISK_SIZE)
+# Remember the amount of memory so it doesn't have to be specified every time.
+# Default to 4G, most bootable OSes are not usable with less.
+QEMU_MEMORY_SIZE?=4G
+MEMORY_SIZE_FILE=$(build)/$(BOARD)/memory
+$(MEMORY_SIZE_FILE):
+	@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
+USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
+$(USB_FD_IMG):
+	dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
+	# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
+	# though it is meaningful to use mkfs.vfat (etc.) as non-root
+	MKFS_VFAT=mkfs.vfat; \
+	[ -x /usr/sbin/mkfs.vfat ] && MKFS_VFAT=/usr/sbin/mkfs.vfat; \
+	"$$MKFS_VFAT" "$(USB_FD_IMG)"
+# Pass INSTALL_IMG=<path_to_img.iso> to attach an installer as a USB flash drive instead
+# of the temporary flash drive for exporting GPG keys.
+ifneq "$(INSTALL_IMG)" ""
+QEMU_USB_FD_IMG := $(INSTALL_IMG)
+else
+QEMU_USB_FD_IMG := $(USB_FD_IMG)
+endif
+# To forward a USB token, set USB_TOKEN to one of the following:
+# - NitrokeyPro - forwards a Nitrokey Pro by VID:PID
+# - NitrokeyStorage - forwards a Nitrokey Storage by VID:PID
+# - Nitrokey3NFC - forwards a Nitrokey 3 by VID:PID
+# - LibremKey - forwards a Librem Key by VID:PID
+# - <other> - Provide the QEMU usb-host parameters, such as
+#   'hostbus=<#>,hostport=<#>' or 'vendorid=<#>,productid=<#>'
+ifeq "$(USB_TOKEN)" "NitrokeyPro"
+QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16648
+else ifeq "$(USB_TOKEN)" "NitrokeyStorage"
+QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=16649
+else ifeq "$(USB_TOKEN)" "Nitrokey3NFC"
+QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=8352,productid=17074
+else ifeq "$(USB_TOKEN)" "LibremKey"
+QEMU_USB_TOKEN_DEV := -device usb-host,vendorid=12653,productid=19531
+else ifneq "$(USB_TOKEN)" ""
+QEMU_USB_TOKEN_DEV := -device "usb-host,$(USB_TOKEN)"
+endif
+
+run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
+	swtpm socket \
+		$(SWTPM_TPMVER) \
+		--tpmstate dir="$(TPMDIR)" \
+		--flags "startup-clear" \
+		--terminate \
+		--ctrl type=unixio,path="$(TPMDIR)/sock" &
+	sleep 0.5
+
+	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
+		--machine q35,accel=kvm:tcg \
+		-rtc base=utc \
+		-smp "$$(nproc)" \
+		-vga std \
+		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
+		-serial stdio \
+		--bios "$(QEMU_BOOT_ROM)" \
+		-object rng-random,filename=/dev/urandom,id=rng0 \
+		-device virtio-rng-pci,rng=rng0 \
+		-netdev user,id=u1 -device e1000,netdev=u1 \
+		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
+		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+		-device tpm-tis,tpmdev=tpm0 \
+		-device qemu-xhci,id=usb \
+		-device usb-tablet \
+		-drive file="$(QEMU_USB_FD_IMG)",if=none,id=usb-fd-drive,format=raw \
+		-device usb-storage,bus=usb.0,drive=usb-fd-drive \
+		$(QEMU_USB_TOKEN_DEV) \
+
+	stty sane
+	@echo

targets/split_8mb4mb.mk

@@ -0,0 +1,18 @@
+# Many Lenovo boards have two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# As a consequence, this replaces the need of having to flash a legacy-flash ROM
+#  and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
+	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"