ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add xx30-maximized and xx30-hotp-maximized boards (11.5mb flashable BIOS regions, reproducible me.bin and generated gbe.bin and totally externally and internally flashable roms) (#703)

Browse Source 
* xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER https://github.com/osresearch/heads/pull/703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations.

* Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!)

* xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME
extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin. 
download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place.
Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space.

* CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit).
This commit is contained in:
tlaurion 2020-12-02 17:01:44 -05:00 committed by GitHub
parent 7ee4a11d1b
commit 36c04f19e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 1234 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
.circleci/config.yml
View File

@ -8,7 +8,7 @@ jobs:
name: Install dependencies
command: |
apt update
apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync
apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract
- checkout
- run:
@ -121,7 +121,6 @@ jobs:
- run:
name: x230-flash
#We delete build/make-4.2.1/ directory until issue #799 is fixed.
command: |
rm -rf build/x230-flash/* build/log/* && make CPUS=4 V=1 BOARD=x230-flash || touch /tmp/failed_build
no_output_timeout: 3h
@ -240,6 +239,127 @@ jobs:
- store-artifacts:
path: build/x230-nkstorecli
- run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me.sh
- run:
name: x230-maximized
command: |
rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build
no_output_timeout: 3h
- run:
name: Output build failing logs
command: |
if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
- run:
name: Output x230-maximized hashes
command: |
cat build/x230-maximized/hashes.txt \
- run:
name: Archiving build logs for x230-maximized
command: |
tar zcvf build/x230-maximized/logs.tar.gz ./build/log/*
- store-artifacts:
path: build/x230-maximized
- run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me.sh
- run:
name: t430-hotp-maximized
command: |
rm -rf build/t430-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-hotp-maximized || touch /tmp/failed_build
no_output_timeout: 3h
- run:
name: Output build failing logs
command: |
if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
- run:
name: Output t430-hotp-maximized hashes
command: |
cat build/t430-hotp-maximized/hashes.txt \
- run:
name: Archiving build logs for t430-hotp-maximized
command: |
tar zcvf build/t430-hotp-maximized/logs.tar.gz ./build/log/*
- store-artifacts:
path: build/t430-hotp-maximized
- run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me.sh
- run:
name: x230-maximized
command: |
rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build
no_output_timeout: 3h
- run:
name: Output build failing logs
command: |
if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
- run:
name: Output x230-maximized hashes
command: |
cat build/x230-maximized/hashes.txt \
- run:
name: Archiving build logs for x230-maximized
command: |
tar zcvf build/x230-maximized/logs.tar.gz ./build/log/*
- store-artifacts:
path: build/x230-maximized
- run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me.sh
- run:
name: x230-hotp-maximized
command: |
rm -rf build/x230-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-hotp-maximized || touch /tmp/failed_build
no_output_timeout: 3h
- run:
name: Output build failing logs
command: |
if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
- run:
name: Output x230-hotp-maximized hashes
command: |
cat build/x230-hotp-maximized/hashes.txt \
- run:
name: Archiving build logs for x230-hotp-maximized
command: |
tar zcvf build/x230-hotp-maximized/logs.tar.gz ./build/log/*
- store-artifacts:
path: build/x230-hotp-maximized
- run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me.sh
- run:
name: t430-maximized
command: |
rm -rf build/t430-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-maximized || touch /tmp/failed_build
no_output_timeout: 3h
- run:
name: Output build failing logs
command: |
if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
- run:
name: Output t430-maximized hashes
command: |
cat build/t430-maximized/hashes.txt \
- run:
name: Archiving build logs for t430-maximized
command: |
tar zcvf build/t430-maximized/logs.tar.gz ./build/log/*
- store-artifacts:
path: build/t430-maximized
- run:
name: qemu-coreboot
command: |

16
.gitlab-ci.yml.deprecated
View File

@ -19,6 +19,7 @@ build:
- dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
- git fetch origin
- git reset --hard origin/$CI_COMMIT_REF_NAME
- echo "Removing old x230-flash artifacts..."
- rm -rf ./build/x230-flash/*
- rm -rf ./build/log/*
@ -28,6 +29,7 @@ build:
- cat ./build/x230-flash/hashes.txt
- echo "Archiving x230-flash logs..."
- tar zcvf ./build/x230-flash/logs.tar.gz ./build/log/*
- echo "Removing old t430-flash artifacts..."
- rm -rf ./build/t430-flash/*
- rm -rf ./build/log/*
@ -37,6 +39,17 @@ build:
- cat ./build/t430-flash/hashes.txt
- echo "Archiving t430-flash logs..."
- tar zcvf ./build/t430-flash/logs.tar.gz ./build/log/*
- echo "Removing old x230-external-flash artifacts..."
- rm -rf ./build/x230-external-flash/*
- rm -rf ./build/log/*
- echo "Building BOARD=x230-external-flash board..."
- make BOARD=x230-external-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1)
- echo "x230-external-flash hashes:"
- cat ./build/x230-external-flash/hashes.txt
- echo "Archiving x230-external-flash logs..."
- tar zcvf ./build/x230-external-flash/logs.tar.gz ./build/log/*
- echo "Removing old x230-hotp-verification artifacts..."
- rm -rf ./build/x230-hotp-verification/*
- rm -rf ./build/log/*
@ -46,6 +59,7 @@ build:
- cat ./build/x230-hotp-verification/hashes.txt
- echo "Archiving x230-hotp-verification logs..."
- tar zcvf ./build/x230-hotp-verification/logs.tar.gz ./build/log/*
- echo "Removing old x230 artifacts..."
- rm -rf ./build/x230/*
- rm -rf ./build/log/*
@ -75,6 +89,7 @@ build:
- cat ./build/qemu-coreboot/hashes.txt
- echo "Archiving qemu-coreboot logs..."
- tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
- echo "Calculate used space for cache"
- du -shc packages crossgcc build
artifacts:
@ -83,5 +98,6 @@ build:
- ./build/x230-flash
- ./build/t430-flash
- ./build/x230-hotp-verification
- ./build/x230-external-flash
- ./build/x230
- ./build/t430

70
blobs/xx30/README Normal file
View File

@ -0,0 +1,70 @@
The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t430/downloads/DS032435
This provides latest ME version 8.1.72.3002, for which only BUP and ROMP regions will be kept as non-removable:
Here is what Lenovo provides as a Summary of Changes:
Version 8.1.72.3002 (G1RG24WW)
(Fix) Fixed the following security vulnerabilites: CVE-2017-5711, CVE-2017-5712, CVE-2017-13077, CVE-2017-13078, CVE-2017-13080.
1.0.0:Automatically extract and neuter me.bin
download_clean_me.sh : Downloads latest ME from lenovo verify checksum, extract ME, neuters ME, relocate and trim it and place it into me.bin
sha256sum:
c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin
1.0.1: Extract blobs from rom original and updated to 2.76 BIOS version:
extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim it, modify BIOS and ME region of IFD and place output files into this dir.
sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent.
1.1: Manually generating blobs
--------------------
Manually generate me.bin:
You can arrive to the same result of the following me.bin by doing the following manually:
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe && innoextract g1rg24ww.exe && python ~/me_cleaner/me_cleaner.py -r -t -O ~/heads/blobs/xx30/me.bin app/ME8_5M_Production.bin
sha256sums:
f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe
821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin
c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin
ifd.bin was extracted from sacrificed X230 (dead motherboard) fron an external flashrom backup (no way found to be able to extract it from Lenovo firmware upgrades as of now):
python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/xx30/ifd.bin -M /tmp/temporary_me.bin dead_serving_a_purpose_x230_bottom_spi_backup.rom
sha256sum:
c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin
ls -al blobs/xx30/*.bin
-rw-r--r-- 1 user user 8192 Oct 25 14:07 gbe.bin
-rw-r--r-- 1 user user 4096 Oct 28 16:19 ifd.bin
-rw-r--r-- 1 user user 98304 Oct 28 16:15 me.bin
Manually regenerate gbe.bin:
blobs/x230/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510
And then by following those instructions:
# Use this target to generate GbE for X220/x230
gen-gbe-82579LM:
cd build/coreboot-*/util/bincfg/
make
./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin
# duplicate binary as per spec
cat gbe1.bin gbe1.bin > ../../../../blobs/xx30/gbe.bin
rm -f gbe1.bin
cd -
sha256sum:
9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 blobs/xx30/gbe.bin
------------------------
Notes: as specified in first link, this ME can be deployed to:
Helix (Type 3xxx)
T430, T430i, T430s, T430si, T431s
T530, T530i
W530
X1 Carbon (Type 34xx), X1 Helix (Type 3xxx), X1 Helix (Type 3xxx) 3G
X230, X230i, X230 Tablet, X230i Tablet, X230s

56
blobs/xx30/download_clean_me.sh Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
function printusage {
echo "Usage: $0 -m <me_cleaner>(optional)"
}
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ "$#" -eq 0 ]; then printusage; fi
while getopts ":m:" opt; do
case $opt in
m)
if [ -x "$OPTARG" ]; then
MECLEAN="$OPTARG"
fi
;;
esac
done
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
if [ -z "$MECLEAN" ]; then
MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
if [ -z "$MECLEAN" ]; then
echo "me_cleaner.py required but not found or specified with -m. Aborting."
exit 1;
fi
fi
echo "### Creating temp dir"
extractdir=$(mktemp -d)
cd "$extractdir"
echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || ( echo "ERROR: wget not found" && exit 1 )
echo "### Verifying expected hash of g1rg24ww.exe"
echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 )
echo "### Extracting g1rg24ww.exe..."
innoextract ./g1rg24ww.exe || exit 1 "Failed calling innoextract. Tool installed on host?"
echo "### Verifying expected hash of app/ME8_5M_Production.bin"
echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 )
echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
echo "### Verifying expected hash of me.bin"
echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 )
echo "###Cleaning up..."
cd -
rm -r "$extractdir"

68
blobs/xx30/extract.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/bash
function printusage {
echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"
exit 0
}
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ "$#" -eq 0 ]; then printusage; fi
while getopts ":f:m:i:" opt; do
case $opt in
f)
FILE="$OPTARG"
;;
m)
if [ -x "$OPTARG" ]; then
MECLEAN="$OPTARG"
fi
;;
i)
if [ -x "$OPTARG" ]; then
IFDTOOL="$OPTARG"
fi
;;
esac
done
if [ -z "$MECLEAN" ]; then
MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
if [ -z "$MECLEAN" ]; then
echo "me_cleaner.py required but not found or specified with -m. Aborting."
exit 1;
fi
fi
if [ -z "$IFDTOOL" ]; then
IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
if [ -z "$IFDTOOL" ]; then
echo "ifdtool required but not found or specified with -m. Aborting."
exit 1;
fi
fi
echo "FILE: $FILE"
echo "ME: $MECLEAN"
echo "IFD: $IFDTOOL"
bioscopy=$(mktemp)
extractdir=$(mktemp -d)
echo "###Copying $FILE under $bioscopy"
cp "$FILE" $bioscopy
cd "$extractdir"
echo "###Unlocking $bioscopy IFD..."
$IFDTOOL -u $bioscopy
echo "###Extracting regions from ROM..."
$IFDTOOL -x $bioscopy
echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... "
$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy"
echo "###Cleaning up..."
rm "$bioscopy"
rm -r "$extractdir"

BIN
blobs/xx30/gbe.bin Normal file
View File

Binary file not shown.

3
blobs/xx30/hashes.txt Normal file
View File

@ -0,0 +1,3 @@
9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin
c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin
c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 me.bin

BIN
blobs/xx30/ifd.bin Normal file
View File

Binary file not shown.

86
boards/t430-hotp-maximized/t430-hotp-maximized.config Normal file
View File

@ -0,0 +1,86 @@
# Configuration for a T430 running Qubes and other Linux Based OSes (through kexec)
#
# Includes
# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
#
# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
export CONFIG_LINUX_VERSION=4.14.62
CONFIG_COREBOOT_CONFIG=config/coreboot-t430-hotp-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=y
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOARD_NAME="Thinkpad T430-hotp-maximized"
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
# - blobs/xx30/download_clean_me.sh
# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region.
# - blobs/xx30/extract.sh
# To extract from backuped 8M (bottom SPI) ME binary, GBE and
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space)
#
# When flashing via an external programmer it is easiest to have
# two separate files for these pieces.
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
@sha256sum $@
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
@sha256sum $@

86
boards/t430-maximized/t430-maximized.config Normal file
View File

@ -0,0 +1,86 @@
# Configuration for a T430 running Qubes and other Linux Based OSes (through kexec)
#
# Includes
# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
#
# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
export CONFIG_LINUX_VERSION=4.14.62
CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
#CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=y
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOARD_NAME="Thinkpad T430-maximized"
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
# - blobs/xx30/download_clean_me.sh
# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region.
# - blobs/xx30/extract.sh
# To extract from backuped 8M (bottom SPI) ME binary, GBE and
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space)
#
# When flashing via an external programmer it is easiest to have
# two separate files for these pieces.
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
@sha256sum $@
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
@sha256sum $@

86
boards/x230-hotp-maximized/x230-hotp-maximized.config Normal file
View File

@ -0,0 +1,86 @@
# Configuration for a X230 running Qubes and other Linux Based OSes (through kexec)
#
# Includes
# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
#
# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
export CONFIG_LINUX_VERSION=4.14.62
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=y
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized"
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
# - blobs/xx30/download_clean_me.sh
# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region.
# - blobs/xx30/extract.sh
# To extract from backuped 8M (bottom SPI) ME binary, GBE and
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space)
#
# When flashing via an external programmer it is easiest to have
# two separate files for these pieces.
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
@sha256sum $@
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
@sha256sum $@

86
boards/x230-maximized/x230-maximized.config Normal file
View File

@ -0,0 +1,86 @@
# Configuration for a X230 running Qubes and other Linux Based OSes (through kexec)
#
# Includes
# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
#
# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
export CONFIG_LINUX_VERSION=4.14.62
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
#CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=y
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOARD_NAME="Thinkpad X230-maximized"
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
# - blobs/xx30/download_clean_me.sh
# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region.
# - blobs/xx30/extract.sh
# To extract from backuped 8M (bottom SPI) ME binary, GBE and
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space)
#
# When flashing via an external programmer it is easiest to have
# two separate files for these pieces.
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
@sha256sum $@
all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
@sha256sum $@

22
config/coreboot-t430-hotp-maximized.config Normal file
View File

@ -0,0 +1,22 @@
CONFIG_ANY_TOOLCHAIN=y
CONFIG_MEASURED_BOOT=y
CONFIG_VENDOR_LENOVO=y
CONFIG_CBFS_SIZE=0xB80000
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
CONFIG_BOARD_LENOVO_THINKPAD_T430=y
CONFIG_NO_POST=y
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="../../build/t430-hotp-maximized/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="../../build/t430-hotp-maximized/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

22
config/coreboot-t430-maximized.config Normal file
View File

@ -0,0 +1,22 @@
CONFIG_ANY_TOOLCHAIN=y
CONFIG_MEASURED_BOOT=y
CONFIG_VENDOR_LENOVO=y
CONFIG_CBFS_SIZE=0xB80000
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
CONFIG_BOARD_LENOVO_THINKPAD_T430=y
CONFIG_NO_POST=y
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="../../build/t430-maximized/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="../../build/t430-maximized/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

20
config/coreboot-x230-hotp-maximized.config Normal file
View File

@ -0,0 +1,20 @@
CONFIG_ANY_TOOLCHAIN=y
CONFIG_MEASURED_BOOT=y
CONFIG_VENDOR_LENOVO=y
CONFIG_CBFS_SIZE=0xB80000
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
CONFIG_BOARD_LENOVO_X230=y
CONFIG_NO_POST=y
CONFIG_UART_PCI_ADDR=0
CONFIG_NO_GFX_INIT=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized/initrd.cpio.xz"

20
config/coreboot-x230-maximized.config Normal file
View File

@ -0,0 +1,20 @@
CONFIG_ANY_TOOLCHAIN=y
CONFIG_MEASURED_BOOT=y
CONFIG_VENDOR_LENOVO=y
CONFIG_CBFS_SIZE=0xB80000
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
CONFIG_BOARD_LENOVO_X230=y
CONFIG_NO_POST=y
CONFIG_UART_PCI_ADDR=0
CONFIG_NO_GFX_INIT=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="../../build/x230-maximized/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="../../build/x230-maximized/initrd.cpio.xz"

471
patches/coreboot-4.8.1/0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch Normal file
View File

@ -0,0 +1,471 @@
diff --git a/util/bincfg/Makefile b/util/bincfg/Makefile
index 1b3e936..f568e67 100644
--- a/util/bincfg/Makefile
+++ b/util/bincfg/Makefile
@@ -19,6 +19,13 @@
cat gbe1.bin gbe1.bin > flashregion_3_gbe.bin
rm -f gbe1.bin
+# Use this target to generate GbE for X220/x230
+gen-gbe-82579LM:
+ ./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin
+ # duplicate binary as per spec
+ cat gbe1.bin gbe1.bin > flashregion_3_gbe.bin
+ rm -f gbe1.bin
+
# Use this target to generate IFD for X200
gen-ifd-x200:
./bincfg ifd-x200.spec ifd-x200.set flashregion_0_fd.bin
diff --git a/util/bincfg/gbe-82579LM.set b/util/bincfg/gbe-82579LM.set
new file mode 100644
index 0000000..01ae470
--- /dev/null
+++ b/util/bincfg/gbe-82579LM.set
@@ -0,0 +1,288 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+#
+# Datasheets:
+#
+# https://cdrdv2.intel.com/v1/dl/getContent/613456
+
+# The datasheet says that this spec covers the following pci ids:
+# 8086:1502 - Intel 82579LM gigabit ethernet controller
+# 8086:1503 - Intel 82579V gigabit ethernet controller
+
+# Naming convention
+# * Word groups separated by a blank line
+# * Word groups with known meaning given a prefix
+# * prefix will be defined in comment before group
+# * Variable names to be named using a prefix, descriptive name and bit offset
+# within the word, separated by an underscore.
+# * Example: "prefix_description_0"
+# * Unidentified reserved word groups will be named reserved and LAN Word
+# * EXCEPTION: Word 0x24, Word 0x25, Word 0x26 also include bit offset
+# within the word
+# Offset hex address, separated by an underscore.
+# * Example: "reserved_x03"
+# * Nonprefixed names will be named reserved and LAN Word Offset hex address,
+# separated by an underscore.
+# * Example: "imageversioninfo_x05"
+# * Unspecified words are prefixed with "offset_"
+
+# GbE values for 82579LM
+{
+ # This example sets MAC address to 00:DE:AD:C0:FF:EE
+ # USE YOUR DEVICES MAC ADDRESS!!
+ # prefix: "mac_"
+ "mac_address_0" = 0x00,
+ "mac_address_1" = 0xDE,
+ "mac_address_2" = 0xAD,
+ "mac_address_3" = 0xC0,
+ "mac_address_4" = 0xFF,
+ "mac_address_5" = 0xEE,
+
+ # Reserved (Word 0x3)
+ "reserved_x03" = 0x0800,
+
+ # Reserved (Word 0x04)
+ "reserved_x04" = 0xffff,
+
+ # Image Version Information (Word 0x05)
+ "imageversioninfo_x05" = 0x00D3,
+
+ "reserved_x06" = 0xffff,
+ "reserved_x07" = 0xffff,
+
+ # PBA Low and PBA High (Words 0x08 and 0x09)
+ # prefix: "pba_"
+ "pba_low_x08" = 0xffff,
+ "pba_high_x09" = 0xffff,
+
+ # PCI Init Control Word (Word 0x0A)
+ # prefix: "pci_"
+ "pci_loaddeviceid_0" = 1,
+ "pci_loadsubsystemid_1" = 1,
+ "pci_reserved_2" = 0,
+ "pci_reserved_3" = 0x0,
+ "pci_pmenable_6" = 1,
+ "pci_auxpwr_7" = 1,
+ "pci_reserved_8" = 0x10,
+
+ # ************* Configurable PCI IDs ****************
+ # TODO: make command line switch for these
+ # Subsystem ID (Word 0x0B)
+ "subsystemid_x0B" = 0,
+ # Subsystem Vendor ID (Word 0x0C)
+ "subsystemvendorid_x0C" = 0x8086,
+ # Device ID (Word 0x0D)
+ # TODO: 82579V uses "deviceid_x0D" = 0x1503,
+ "deviceid_x0D" = 0x1502,
+ # ************* END Configurable PCI IDs ****************
+
+ # Words 0x0E and 0x0F Are Reserved
+ "reserved_x0E" = 0x0,
+ "reserved_x0F" = 0x0,
+
+ # LAN Power Consumption (Word 0x10)
+ # prefix: "lanpwr_"
+ "lanpwr_d3pwr_0" = 0x2,
+ "lanpwr_reserved_5" = 0,
+ "lanpwr_d0pwr_8" = 0x7,
+
+ # Word 0x12 and Word 0x11 Are Reserved
+ "reserved_x11" = 0x0000,
+ "reserved_x12" = 0x0000,
+
+ # Shared Init Control Word (Word 0x13)
+ # prefix: "sicw_"
+ "sicw_dynamicclock_0" = 1,
+ "sicw_clkcnt_1" = 0,
+ "sicw_reserved_2" = 1,
+ "sicw_fullduplex_3" = 0,
+ "sicw_forcespeed_4" = 0,
+ "sicw_reserved_5" = 0,
+ "sicw_phydeviceype_6" = 0,
+ "sicw_reserved_8" = 1,
+ "sicw_phy_enpwrdown_9" = 0,
+ "sicw_reserved_10" = 1,
+ "sicw_macsecdisable_13" = 1,
+ "sicw_sign_14" = 0x2,
+
+ # Extended Configuration Word 1 (Word 0x14)
+ # prefix: "ecw1_"
+ "ecw1_extcfgptr_0" = 0x0028,
+ "ecw1_oemload_12" = 1,
+ "ecw1_phyload_13" = 1,
+ "ecw1_reserved_14" = 0,
+
+ # Extended Configuration Word 2 (Word 0x15)
+ # prefix: "ecw2_"
+ "ecw2_reserved_0" = 0x00,
+ "ecw2_extphylen_8" = 0x12,
+
+ # Extended Configuration Word 3 (Word 0x16)
+ # prefix: "ecw3_"
+ "ecw3_extcfg1_0" = 0x00,
+
+ # OEM Configuration Defaults (Word 0x17)
+ # prefix: "oem_"
+ "oem_reserved_0" = 0x000,
+ "oem_lpluenind0a_9" = 0,
+ "oem_lplueninnond0a_10" = 1,
+ "oem_gbedisinnond0a_11" = 1,
+ "oem_reserved_12" = 0,
+ "oem_gbedis_14" = 0,
+ "oem_reserved_15" = 0,
+
+ # LED 0 - 2 Configuration Defaults (Word 0x18)
+ # prefix: "l02_"
+ # Lenovo default values
+ "l02_led0mode_0" = 0x4,
+ "l02_led0invert_3" = 0,
+ "l02_led0blink_4" = 0,
+ "l02_led1mode_5" = 0x3,
+ "l02_led1invert_8" = 0,
+ "l02_led1blink_9" = 1,
+ "l02_led2mode_10" = 0x2,
+ "l02_led2invert_13" = 1,
+ "l02_led2blink_14" = 0,
+ "l02_blinkrate_15" = 0,
+
+ # Intel default Values
+ #"l02_led0mode_0" = 0x4,
+ #"l02_led0invert_3" = 0,
+ #"l02_led0blink_4" = 1,
+ #"l02_led1mode_5" = 0x7,
+ #"l02_led1invert_8" = 0,
+ #"l02_led1blink_9" = 0,
+ #"l02_led2mode_10" = 0x6,
+ #"l02_led2invert_13" = 0,
+ #"l02_led2blink_14" = 0,
+ #"l02_blinkrate_15" = 0,
+
+
+ # Reserved (Word 0x19)
+ # NOTE: bit 6 must be 1 for validation. See datasheet.
+ "reserved_x19" = 0x2B40,
+
+ # Reserved (Word 0x1A)
+ # Advanced Power Management Wake Up Enable
+ # prefix: "amp_"
+ "amp_enable_0" = 1,
+ "amp_reserved_1" = 0x0421,
+
+ # Reserved (Word 0x1B)
+ "reserved_x1B" = 0x0113,
+
+ # Reserved (Word 0x1C)
+ "reserved_x1C" = 0x1502,
+
+ # Reserved (Word 0x1D)
+ "reserved_x1D" = 0xBAAD,
+
+ # Reserved (Word 0x1E)
+ "reserved_x1E" = 0x1502,
+
+ # Reserved (Word 0x1F)
+ "reserved_x1F" = 0x1503,
+
+ # Reserved (Word 0x20)
+ "reserved_x20" = 0xBAAD,
+
+ # Reserved (Word 0x21)
+ "reserved_x21" = 0xBAAD,
+
+ # Reserved (Word 0x22)
+ "reserved_x22" = 0xBAAD,
+
+ # Reserved (Word 0x23)
+ "reserved_x23" = 0x1502,
+
+ # Reserved (Word 0x24)
+ "reserved_x24_0" = 0x0000,
+ "reserved_x24_14" = 0,
+ "reserved_x24_15" = 1,
+
+ # Reserved (Word 0x25)
+ "reserved_x25_0" = 0x0000,
+ "reserved_x25_4" = 1,
+ "reserved_x25_5" = 0,
+ "reserved_x25_7" = 1,
+ "reserved_x25_8" = 0x00,
+ "reserved_x25_15" = 1,
+
+ # Reserved (Word 0x26)
+ "reserved_x26_0" = 0x00,
+ "reserved_x26_9" = 1,
+ "reserved_x26_10" = 1,
+ "reserved_x26_11" = 1,
+ "reserved_x26_12" = 0,
+ "reserved_x26_14" = 1,
+ "reserved_x26_15" = 0,
+
+ # Reserved (Word 0x27)
+ "reserved_x27" = 0x80,
+
+ # Offsets 0x28-0x2F
+ "offset_x28" = 0x0000,
+ "offset_x29" = 0x0000,
+ "offset_x2A" = 0x0000,
+ "offset_x2B" = 0x0000,
+ "offset_x2C" = 0x0000,
+ "offset_x2D" = 0x0000,
+ "offset_x2E" = 0x0000,
+ "offset_x2F" = 0x0000,
+
+ # Boot Agent Main Setup Options (Word 0x30)
+ # Hardcoded PXE setup (disabled)
+ # prefix: "pxe30_"
+ "pxe30_protocolsel_0" = 0,
+ "pxe30_reserved_2" = 0,
+ "pxe30_defbootsel_3" = 0x3,
+ "pxe30_reserved_5" = 0,
+ "pxe30_prompttime_6" = 0x3,
+ "pxe30_dispsetup_8" = 0,
+ "pxe30_reserved_9" = 0,
+ "pxe30_forcespeed_10" = 0,
+ "pxe30_forcefullduplex_12" = 0,
+ "pxe30_reserved_13" = 0,
+ "pxe30_reserved_14" = 0,
+
+ # Boot Agent Configuration Customization Options (Word 0x31)
+ # prefix: "pxe31_"
+ "pxe31_disablemenu_0" = 1,
+ "pxe31_disabletitle_1" = 1,
+ "pxe31_disableprotsel_2" = 0,
+ "pxe31_disbootorder_3" = 0,
+ "pxe31_dislegacywak_4" = 0,
+ "pxe31_disableflasicwpro_5" = 0,
+ "pxe31_reserved_6" = 0,
+ "pxe31_ibootagentmode_8" = 0,
+ "pxe31_contretrydis_11" = 0,
+ "pxe31_reserved_12" = 0,
+ "pxe31_signature_14" = 10,
+
+ # Boot Agent Configuration Customization Options (Word 0x32)
+ # prefix: "pxe32_"
+ "pxe32_buildnum_0" = 0x28,
+ "pxe32_minorversion_8" = 0x2,
+ "pxe32_majorversion_12" = 0x1,
+
+ # IBA Capabilities (Word 0x33)
+ # prefix: "pxe33_"
+ "pxe33_basecodepresent_0" = 1,
+ "pxe33_undipresent_1" = 1,
+ "pxe33_reserved_2" = 1,
+ "pxe33_efiundipresent_3" = 0,
+ "pxe33_iscsi_4" = 0,
+ "pxe33_reserved_5" = 0,
+ "pxe33_signature_14" = 10,
+
+ "pxe_padding"[11] = 0xffff,
+
+ # Checksum is generated by bincfg
+ # "checksum_gbe" = xxx,
+
+ # G3 -> S5 PHY Configuration
+ "g3_s5_phy_conf"[0x16] = 0,
+
+ # Padding 0xf80 bytes
+ "padding"[0xf6a] = 0xff
+}
diff --git a/util/bincfg/gbe-82579LM.spec b/util/bincfg/gbe-82579LM.spec
new file mode 100644
index 0000000..0367aff
--- /dev/null
+++ b/util/bincfg/gbe-82579LM.spec
@@ -0,0 +1,147 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Datasheets:
+#
+# https://cdrdv2.intel.com/v1/dl/getContent/613456
+
+# The datasheet says that this spec covers the following pci ids:
+# 8086:1502 - Intel 82579LM gigabit ethernet controller
+# 8086:1503 - Intel 82579V gigabit ethernet controller
+
+# GbE SPEC for 82579LM/82579V
+{
+ "mac_address_"[6] : 8,
+ "reserved_x03" : 16,
+ "reserved_x04" : 16,
+ "imageversioninfo_x05" : 16,
+ "reserved_x06" : 16,
+ "reserved_x07" : 16,
+ "pba_low_x08" : 16,
+ "pba_high_x09" : 16,
+ "pci_loaddeviceid_0" : 1,
+ "pci_loadsubsystemid_1" : 1,
+ "pci_reserved_2" : 1,
+ "pci_reserved_3" : 3,
+ "pci_pmenable_6" : 1,
+ "pci_auxpwr_7" : 1,
+ "pci_reserved_8" : 8,
+ "subsystemid_x0B" : 16,
+ "subsystemvendorid_x0C" : 16,
+ "deviceid_x0D" : 16,
+ "reserved_x0E" : 16,
+ "reserved_x0F" : 16,
+ "lanpwr_d3pwr_0" : 5,
+ "lanpwr_reserved_5" : 3,
+ "lanpwr_d0pwr_8" : 8,
+ "reserved_x11" : 16,
+ "reserved_x12" : 16,
+ "sicw_dynamicclock_0" : 1,
+ "sicw_clkcnt_1" : 1,
+ "sicw_reserved_2" : 1,
+ "sicw_fullduplex_3" : 1,
+ "sicw_forcespeed_4" : 1,
+ "sicw_reserved_5" : 1,
+ "sicw_phydeviceype_6" : 2,
+ "sicw_reserved_8" : 1,
+ "sicw_phy_enpwrdown_9" : 1,
+ "sicw_reserved_10" : 3,
+ "sicw_macsecdisable_13" : 1,
+ "sicw_sign_14" : 2,
+ "ecw1_extcfgptr_0" : 12,
+ "ecw1_oemload_12" : 1,
+ "ecw1_phyload_13" : 1,
+ "ecw1_reserved_14" : 2,
+ "ecw2_reserved_0" : 8,
+ "ecw2_extphylen_8" : 8,
+ "ecw3_extcfg1_0" : 16,
+ "oem_reserved_0" : 9,
+ "oem_lpluenind0a_9" : 1,
+ "oem_lplueninnond0a_10" : 1,
+ "oem_gbedisinnond0a_11" : 1,
+ "oem_reserved_12" : 2,
+ "oem_gbedis_14" : 1,
+ "oem_reserved_15" : 1,
+ "l02_led0mode_0" : 3,
+ "l02_led0invert_3" : 1,
+ "l02_led0blink_4" : 1,
+ "l02_led1mode_5" : 3,
+ "l02_led1invert_8" : 1,
+ "l02_led1blink_9" : 1,
+ "l02_led2mode_10" : 3,
+ "l02_led2invert_13" : 1,
+ "l02_led2blink_14" : 1,
+ "l02_blinkrate_15" : 1,
+ "reserved_x19" : 16,
+ "amp_enable_0" : 1,
+ "amp_reserved_1" : 15,
+ "reserved_x1B" : 16,
+ "reserved_x1C" : 16,
+ "reserved_x1D" : 16,
+ "reserved_x1E" : 16,
+ "reserved_x1F" : 16,
+ "reserved_x20" : 16,
+ "reserved_x21" : 16,
+ "reserved_x22" : 16,
+ "reserved_x23" : 16,
+ "reserved_x24_0" : 14,
+ "reserved_x24_14" : 1,
+ "reserved_x24_15" : 1,
+ "reserved_x25_0" : 4,
+ "reserved_x25_4" : 1,
+ "reserved_x25_5" : 2,
+ "reserved_x25_7" : 1,
+ "reserved_x25_8" : 7,
+ "reserved_x25_15" : 1,
+ "reserved_x26_0" : 9,
+ "reserved_x26_9" : 1,
+ "reserved_x26_10" : 1,
+ "reserved_x26_11" : 1,
+ "reserved_x26_12" : 2,
+ "reserved_x26_14" : 1,
+ "reserved_x26_15" : 1,
+ "reserved_x27" : 16,
+ "offset_x28" : 16,
+ "offset_x29" : 16,
+ "offset_x2A" : 16,
+ "offset_x2B" : 16,
+ "offset_x2C" : 16,
+ "offset_x2D" : 16,
+ "offset_x2E" : 16,
+ "offset_x2F" : 16,
+ "pxe30_protocolsel_0" : 2,
+ "pxe30_reserved_2" : 1,
+ "pxe30_defbootsel_3" : 2,
+ "pxe30_reserved_5" : 1,
+ "pxe30_prompttime_6" : 2,
+ "pxe30_dispsetup_8" : 1,
+ "pxe30_reserved_9" : 1,
+ "pxe30_forcespeed_10" : 2,
+ "pxe30_forcefullduplex_12" : 1,
+ "pxe30_reserved_13" : 1,
+ "pxe30_reserved_14" : 2,
+ "pxe31_disablemenu_0" : 1,
+ "pxe31_disabletitle_1" : 1,
+ "pxe31_disableprotsel_2" : 1,
+ "pxe31_disbootorder_3" : 1,
+ "pxe31_dislegacywak_4" : 1,
+ "pxe31_disableflasicwpro_5" : 1,
+ "pxe31_reserved_6" : 2,
+ "pxe31_ibootagentmode_8" : 3,
+ "pxe31_contretrydis_11" : 1,
+ "pxe31_reserved_12" : 2,
+ "pxe31_signature_14" : 2,
+ "pxe32_buildnum_0" : 8,
+ "pxe32_minorversion_8" : 4,
+ "pxe32_majorversion_12" : 4,
+ "pxe33_basecodepresent_0" : 1,
+ "pxe33_undipresent_1" : 1,
+ "pxe33_reserved_2" : 1,
+ "pxe33_efiundipresent_3" : 1,
+ "pxe33_iscsi_4" : 1,
+ "pxe33_reserved_5" : 9,
+ "pxe33_signature_14" : 2,
+ "pxe_padding"[11] : 16,
+ "checksum_gbe" : 16,
+ "g3_s5_phy_conf"[0x16] : 8,
+ "padding"[0xf6a] : 8
+}