From 36c04f19e468991176e65c4c6755373115bcaa4b Mon Sep 17 00:00:00 2001 
From: tlaurion Date: Wed, 2 Dec 2020 17:01:44 -0500 Subject: [PATCH] Add xx30-maximized and xx30-hotp-maximized boards (11.5mb flashable BIOS regions, reproducible me.bin and generated gbe.bin and totally externally and internally flashable roms) (#703) * xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER https://github.com/osresearch/heads/pull/703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations. * Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!) * xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin. download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place. Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space. 
* CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit). --- .circleci/config.yml | 124 ++++- .gitlab-ci.yml.deprecated | 16 + blobs/xx30/README | 70 +++ blobs/xx30/download_clean_me.sh | 56 +++ blobs/xx30/extract.sh | 68 +++ blobs/xx30/gbe.bin | Bin 0 -> 8192 bytes blobs/xx30/hashes.txt | 3 + blobs/xx30/ifd.bin | Bin 0 -> 4096 bytes .../t430-hotp-maximized.config | 86 ++++ boards/t430-maximized/t430-maximized.config | 86 ++++ .../x230-hotp-maximized.config | 86 ++++ boards/x230-maximized/x230-maximized.config | 86 ++++ config/coreboot-t430-hotp-maximized.config | 22 + config/coreboot-t430-maximized.config | 22 + config/coreboot-x230-hotp-maximized.config | 20 + config/coreboot-x230-maximized.config | 20 + ...incfg-Intel_GBE_82579LM_set_and_spec.patch | 471 ++++++++++++++++++ 17 files changed, 1234 insertions(+), 2 deletions(-) create mode 100644 blobs/xx30/README create mode 100755 blobs/xx30/download_clean_me.sh create mode 100755 blobs/xx30/extract.sh create mode 100644 blobs/xx30/gbe.bin create mode 100644 blobs/xx30/hashes.txt create mode 100644 blobs/xx30/ifd.bin create mode 100644 boards/t430-hotp-maximized/t430-hotp-maximized.config create mode 100644 boards/t430-maximized/t430-maximized.config create mode 100644 boards/x230-hotp-maximized/x230-hotp-maximized.config create mode 100644 boards/x230-maximized/x230-maximized.config create mode 100644 config/coreboot-t430-hotp-maximized.config create mode 100644 config/coreboot-t430-maximized.config create mode 100644 config/coreboot-x230-hotp-maximized.config create mode 100644 config/coreboot-x230-maximized.config create mode 100644 
patches/coreboot-4.8.1/0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch diff --git a/.circleci/config.yml b/.circleci/config.yml index 92bc0746..e2b79cd9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,7 +8,7 @@ jobs: name: Install dependencies command: | apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract - checkout - run: @@ -121,7 +121,6 @@ jobs: - run: name: x230-flash - #We delete build/make-4.2.1/ directory until issue #799 is fixed. command: | rm -rf build/x230-flash/* build/log/* && make CPUS=4 V=1 BOARD=x230-flash || touch /tmp/failed_build no_output_timeout: 3h 
@@ -240,6 +239,127 @@ jobs: - store-artifacts: path: build/x230-nkstorecli + - run: + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx30/download_clean_me.sh + - run: + name: x230-maximized + command: | + rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output x230-maximized hashes + command: | + cat build/x230-maximized/hashes.txt \ + - run: + name: Archiving build logs for x230-maximized + command: | + tar zcvf build/x230-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x230-maximized + + - run: + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx30/download_clean_me.sh + - run: + name: t430-hotp-maximized + command: | + rm -rf build/t430-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-hotp-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. 
Continuing..."; fi + - run: + name: Output t430-hotp-maximized hashes + command: | + cat build/t430-hotp-maximized/hashes.txt \ + - run: + name: Archiving build logs for t430-hotp-maximized + command: | + tar zcvf build/t430-hotp-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/t430-hotp-maximized + + - run: + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx30/download_clean_me.sh + - run: + name: x230-maximized + command: | + rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output x230-maximized hashes + command: | + cat build/x230-maximized/hashes.txt \ + - run: + name: Archiving build logs for x230-maximized + command: | + tar zcvf build/x230-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x230-maximized + + - run: + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx30/download_clean_me.sh + - run: + name: x230-hotp-maximized + command: | + rm -rf build/x230-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-hotp-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. 
Continuing..."; fi + - run: + name: Output x230-hotp-maximized hashes + command: | + cat build/x230-hotp-maximized/hashes.txt \ + - run: + name: Archiving build logs for x230-hotp-maximized + command: | + tar zcvf build/x230-hotp-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x230-hotp-maximized + + + - run: + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx30/download_clean_me.sh + - run: + name: t430-maximized + command: | + rm -rf build/t430-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output t430-maximized hashes + command: | + cat build/t430-maximized/hashes.txt \ + - run: + name: Archiving build logs for t430-maximized + command: | + tar zcvf build/t430-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/t430-maximized + - run: name: qemu-coreboot command: | diff --git a/.gitlab-ci.yml.deprecated b/.gitlab-ci.yml.deprecated index 545d8b59..28c9f7ea 100644 --- a/.gitlab-ci.yml.deprecated +++ b/.gitlab-ci.yml.deprecated @@ -19,6 +19,7 @@ build: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin - git reset --hard origin/$CI_COMMIT_REF_NAME + - echo "Removing old x230-flash artifacts..." - rm -rf ./build/x230-flash/* - rm -rf ./build/log/* 
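Review bot: The `x230-maximized` group of steps (download, build, failing-log dump, hashes, log archive, store-artifacts) appears twice in the `@@ -240,6 +239,127 @@` hunk, once before and once after the `t430-hotp-maximized` group, so that board is wiped and rebuilt twice per run; the second copy should be dropped. The `Download and neuter xx30 ME` step is also repeated in front of every board, so the vendor package is fetched five times per run. If `blobs/xx30/me.bin` persists between steps, a single download before the first maximized board would be enough. In the failing-log step `cat $log` is unquoted although `"$log"` is quoted in the `echo` just before it, so `cat "$log"` would be consistent. Each `cat build/<board>/hashes.txt \` line ends in a stray backslash. The enclosing job definition starts and ends outside the hunk.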
@@ -28,6 +29,7 @@ build: - cat ./build/x230-flash/hashes.txt - echo "Archiving x230-flash logs..." - tar zcvf ./build/x230-flash/logs.tar.gz ./build/log/* + - echo "Removing old t430-flash artifacts..." - rm -rf ./build/t430-flash/* - rm -rf ./build/log/* @@ -37,6 +39,17 @@ build: - cat ./build/t430-flash/hashes.txt - echo "Archiving t430-flash logs..." - tar zcvf ./build/t430-flash/logs.tar.gz ./build/log/* + + - echo "Removing old x230-external-flash artifacts..." + - rm -rf ./build/x230-external-flash/* + - rm -rf ./build/log/* + - echo "Building BOARD=x230-external-flash board..." + - make BOARD=x230-external-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "x230-external-flash hashes:" + - cat ./build/x230-external-flash/hashes.txt + - echo "Archiving x230-external-flash logs..." + + - tar zcvf ./build/x230-external-flash/logs.tar.gz ./build/log/* - echo "Removing old x230-hotp-verification artifacts..." - rm -rf ./build/x230-hotp-verification/* - rm -rf ./build/log/* @@ -46,6 +59,7 @@ build: - cat ./build/x230-hotp-verification/hashes.txt - echo "Archiving x230-hotp-verification logs..." - tar zcvf ./build/x230-hotp-verification/logs.tar.gz ./build/log/* + - echo "Removing old x230 artifacts..." - rm -rf ./build/x230/* - rm -rf ./build/log/* @@ -75,6 +89,7 @@ build: - cat ./build/qemu-coreboot/hashes.txt - echo "Archiving qemu-coreboot logs..." - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* + - echo "Calculate used space for cache" - du -shc packages crossgcc build artifacts: @@ -83,5 +98,6 @@ build: - ./build/x230-flash - ./build/t430-flash - ./build/x230-hotp-verification + - ./build/x230-external-flash - ./build/x230 - ./build/t430 diff --git a/blobs/xx30/README b/blobs/xx30/README new file mode 100644 index 00000000..7847c997 --- /dev/null +++ b/blobs/xx30/README 
@@ -0,0 +1,70 @@ +The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t430/downloads/DS032435 + +This provides latest ME version 8.1.72.3002, for which only BUP and ROMP regions will be kept as non-removable: +Here is what Lenovo provides as a Summary of Changes: +Version 8.1.72.3002 (G1RG24WW) + + (Fix) Fixed the following security vulnerabilites: CVE-2017-5711, CVE-2017-5712, CVE-2017-13077, CVE-2017-13078, CVE-2017-13080. + +1.0.0:Automatically extract and neuter me.bin +download_clean_me.sh : Downloads latest ME from lenovo verify checksum, extract ME, neuters ME, relocate and trim it and place it into me.bin + +sha256sum: +c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin + +1.0.1: Extract blobs from rom original and updated to 2.76 BIOS version: +extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim it, modify BIOS and ME region of IFD and place output files into this dir. + +sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent. 
+ + + + +1.1: Manually generating blobs +-------------------- +Manually generate me.bin: +You can arrive to the same result of the following me.bin by doing the following manually: +wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe && innoextract g1rg24ww.exe && python ~/me_cleaner/me_cleaner.py -r -t -O ~/heads/blobs/xx30/me.bin app/ME8_5M_Production.bin + +sha256sums: +f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe +821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin +c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin + +ifd.bin was extracted from sacrificed X230 (dead motherboard) fron an external flashrom backup (no way found to be able to extract it from Lenovo firmware upgrades as of now): +python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/xx30/ifd.bin -M /tmp/temporary_me.bin dead_serving_a_purpose_x230_bottom_spi_backup.rom + +sha256sum: +c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin + +ls -al blobs/xx30/*.bin +-rw-r--r-- 1 user user 8192 Oct 25 14:07 gbe.bin +-rw-r--r-- 1 user user 4096 Oct 28 16:19 ifd.bin +-rw-r--r-- 1 user user 98304 Oct 28 16:15 me.bin + + +Manually regenerate gbe.bin: +blobs/x230/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510 +And then by following those instructions: +# Use this target to generate GbE for X220/x230 +gen-gbe-82579LM: + cd build/coreboot-*/util/bincfg/ + make + ./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin + # duplicate binary as per spec + cat gbe1.bin gbe1.bin > ../../../../blobs/xx30/gbe.bin + rm -f gbe1.bin + cd - + +sha256sum: +9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 blobs/xx30/gbe.bin +------------------------ + +Notes: as specified in first link, this ME can be deployed to: + Helix (Type 3xxx) + T430, T430i, T430s, T430si, T431s + T530, T530i + 
W530 + X1 Carbon (Type 34xx), X1 Helix (Type 3xxx), X1 Helix (Type 3xxx) 3G + X230, X230i, X230 Tablet, X230i Tablet, X230s + diff --git a/blobs/xx30/download_clean_me.sh b/blobs/xx30/download_clean_me.sh new file mode 100755 index 00000000..5914718a --- /dev/null +++ b/blobs/xx30/download_clean_me.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+function printusage {
+ echo "Usage: $0 -m (optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:" opt; do
+ case $opt in
+ m)
+ if [ -x "$OPTARG" ]; then
+ MECLEAN="$OPTARG"
+ fi
+ ;;
+ esac
+done
+
+FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin"
+ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe"
+ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin"
+
+
+if [ -z "$MECLEAN" ]; then
+ MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+ if [ -z "$MECLEAN" ]; then
+ echo "me_cleaner.py required but not found or specified with -m. Aborting."
+ exit 1;
+ fi
+fi
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
+wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || ( echo "ERROR: wget not found" && exit 1 )
+echo "### Verifying expected hash of g1rg24ww.exe"
+echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 )
+
+echo "### Extracting g1rg24ww.exe..."
+innoextract ./g1rg24ww.exe || exit 1 "Failed calling innoextract. Tool installed on host?"
+echo "### Verifying expected hash of app/ME8_5M_Production.bin"
+echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 )
+
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
+$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
+echo "### Verifying expected hash of me.bin"
+echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 )
+
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"
diff --git a/blobs/xx30/extract.sh b/blobs/xx30/extract.sh
new file mode 100755
index 00000000..f63c4d31
--- /dev/null
+++ b/blobs/xx30/extract.sh
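Review bot: The `wget` guard and the three `sha256sum --check` guards in download_clean_me.sh cannot stop the script, because `exit 1` inside `( … )` only leaves the subshell. After a hash mismatch, execution continues into `innoextract` and me_cleaner, and the script's final status is that of the closing `rm -r`, so the CircleCI step that calls it would still pass. A brace group fixes this at each of the four sites, e.g. `|| { echo "Failed sha256sum verification on downloaded binary..."; exit 1; }`. The line `innoextract ./g1rg24ww.exe || exit 1 "Failed calling innoextract. …"` hands the message to `exit` as a second argument, so it is never printed as intended and, depending on the bash version, the script may not exit there either. The "Applying me_cleaner" message expands `$bioscopy`, which this script never sets, and the `wget` failure text says "wget not found" even when the download itself failed.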
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+function printusage {
+ echo "Usage: $0 -f -m (optional) -i (optional)"
+ exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+ case $opt in
+ f)
+ FILE="$OPTARG"
+ ;;
+ m)
+ if [ -x "$OPTARG" ]; then
+ MECLEAN="$OPTARG"
+ fi
+ ;;
+ i)
+ if [ -x "$OPTARG" ]; then
+ IFDTOOL="$OPTARG"
+ fi
+ ;;
+ esac
+done
+
+if [ -z "$MECLEAN" ]; then
+ MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+ if [ -z "$MECLEAN" ]; then
+ echo "me_cleaner.py required but not found or specified with -m. Aborting."
+ exit 1;
+ fi
+fi
+
+if [ -z "$IFDTOOL" ]; then
+ IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+ if [ -z "$IFDTOOL" ]; then
+ echo "ifdtool required but not found or specified with -m. Aborting."
+ exit 1;
+ fi
+fi
+
+echo "FILE: $FILE"
+echo "ME: $MECLEAN"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+echo "###Copying $FILE under $bioscopy"
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+echo "###Unlocking $bioscopy IFD..."
+$IFDTOOL -u $bioscopy
+echo "###Extracting regions from ROM..."
+$IFDTOOL -x $bioscopy
+echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... "
+$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy"
+
+echo "###Cleaning up..."
+rm "$bioscopy"
+rm -r "$extractdir"
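Review bot: None of the `cp`, `$IFDTOOL` or `$MECLEAN` steps in extract.sh is checked and `-f` is never validated, so a failed unlock or extraction still ends with the exit status of the final `rm -r`. That can leave a stale or partial `gbe.bin`, `ifd.bin` or `me.bin` in `$BLOBDIR`, which a later board build would presumably pick up. Putting `set -e` after the shebang (or `|| exit 1` on each tool call) and `[ -f "$FILE" ] || printusage` before the copy would make failures visible. The discarded image is written to the fixed, predictable path `/tmp/unneeded.bin` and never removed, whereas `-O "$extractdir/unneeded.bin"` would keep it inside the private `mktemp -d` directory that the script already deletes. `$bioscopy` is expanded unquoted in three commands, and the ifdtool "not found" message says `-m` where the option is `-i`.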
diff --git a/blobs/xx30/gbe.bin b/blobs/xx30/gbe.bin new file mode 100644 index 0000000000000000000000000000000000000000..0c9dfa1df053c351547cf46596df7cab4c9e8500 GIT binary patch literal 8192 zcmeI#F$%&k6vpw-6lsSJrII@oU3!E^7#LVsBp5k3kj)t^?567i9{h|D|A0uQhbIsmD64^+!QcpkBg1qChMCBc zbzoC(@)Bj*kcRyE`q2wQO+zJ5iCJ8VA literal 0 HcmV?d00001 diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config new file mode 100644 index 00000000..38e10af7 --- /dev/null +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config 
@@ -0,0 +1,86 @@ +# Configuration for a T430 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expanded consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes NKSTORECLI to support Nitrokey Storage administrative tool +# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t430-hotp-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=y + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="Thinkpad T430-hotp-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p 
internal" + +# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx30/download_clean_me.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region. +# - blobs/xx30/extract.sh +# To extract from backuped 8M (bottom SPI) ME binary, GBE and +# This board has two SPI flash chips, an 8 MB that holds the IFD, +# the ME image and part of the coreboot image, and a 4 MB one that +# has the rest of the coreboot and the reset vector. +# +# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space) +# +# When flashing via an external programmer it is easiest to have +# two separate files for these pieces. +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) + @sha256sum $@ + +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) + @sha256sum $@ diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config new file mode 100644 index 00000000..b5c06e85 --- /dev/null +++ b/boards/t430-maximized/t430-maximized.config 
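Review bot: The trailing comment block in t430-hotp-maximized.config does not state the preconditions the commit message gives for these boards. According to that message, `CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"` no longer limits the write to the BIOS region, so an internal flash rewrites the descriptor and ME regions too, with `--force` set. I would add a header line such as `# Internal flashing rewrites IFD, ME and BIOS regions: the IFD must already be unlocked and both SPI chips backed up externally (see PR #703)`. The block also still says `xx30-external-flash boards`, has the typo `habe`, and the sentence `To extract from backuped 8M (bottom SPI) ME binary, GBE and` breaks off before naming what else is extracted. The same comment block and options line are repeated in the t430-maximized, x230-hotp-maximized and x230-maximized hunks.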
@@ -0,0 +1,86 @@ +# Configuration for a T430 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expanded consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes NKSTORECLI to support Nitrokey Storage administrative tool +# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +#CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=y + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="Thinkpad T430-maximized" +export CONFIG_FLASHROM_OPTIONS="--force 
--noverify-all -p internal" + +# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx30/download_clean_me.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region. +# - blobs/xx30/extract.sh +# To extract from backuped 8M (bottom SPI) ME binary, GBE and +# This board has two SPI flash chips, an 8 MB that holds the IFD, +# the ME image and part of the coreboot image, and a 4 MB one that +# has the rest of the coreboot and the reset vector. +# +# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space) +# +# When flashing via an external programmer it is easiest to have +# two separate files for these pieces. +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) + @sha256sum $@ + +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) + @sha256sum $@ diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config new file mode 100644 index 00000000..3a39a36e --- /dev/null +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config 
@@ -0,0 +1,86 @@ +# Configuration for a X230 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expanded consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes NKSTORECLI to support Nitrokey Storage administrative tool +# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=y + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p 
internal" + +# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx30/download_clean_me.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region. +# - blobs/xx30/extract.sh +# To extract from backuped 8M (bottom SPI) ME binary, GBE and +# This board has two SPI flash chips, an 8 MB that holds the IFD, +# the ME image and part of the coreboot image, and a 4 MB one that +# has the rest of the coreboot and the reset vector. +# +# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space) +# +# When flashing via an external programmer it is easiest to have +# two separate files for these pieces. +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) + @sha256sum $@ + +all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom +$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE) + $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none) + @sha256sum $@ diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config new file mode 100644 index 00000000..db317cbc --- /dev/null +++ b/boards/x230-maximized/x230-maximized.config 
@@ -0,0 +1,86 @@
+# Configuration for a X230 running Qubes and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes NKSTORECLI to support Nitrokey Storage administrative tool
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=y
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad X230-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-external-flash boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
+# - blobs/xx30/download_clean_me.sh
+# To download Lenovo original ME binary, neuter+deactivate ME, produce reduced IFD ME region and expanded BIOS IFD region.
+# - blobs/xx30/extract.sh
+# To extract from backuped 8M (bottom SPI) ME binary, GBE and
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# As a consequence, this replaces the need of having to flash x230-flash and expends available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+ @sha256sum $@
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+ @sha256sum $@
diff --git a/config/coreboot-t430-hotp-maximized.config b/config/coreboot-t430-hotp-maximized.config
new file mode 100644
index 00000000..7e102260
--- /dev/null
+++ b/config/coreboot-t430-hotp-maximized.config
@@ -0,0 +1,22 @@
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-hotp-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/t430-hotp-maximized/initrd.cpio.xz"
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config
new file mode 100644
index 00000000..e4706b35
--- /dev/null
+++ b/config/coreboot-t430-maximized.config
@@ -0,0 +1,22 @@
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/t430-maximized/initrd.cpio.xz"
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-x230-hotp-maximized.config b/config/coreboot-x230-hotp-maximized.config
new file mode 100644
index 00000000..1f50577b
--- /dev/null
+++ b/config/coreboot-x230-hotp-maximized.config
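Review bot: `CONFIG_CBFS_SIZE=0xB80000` is tied to the descriptor at `CONFIG_IFD_BIN_PATH`, and the config does not record that dependency. The 11.5 MB figure presumably only holds when `blobs/xx30/ifd.bin` is the maximized descriptor that, per the commit message, extract.sh or download_clean_me.sh produces. A stock or stale `ifd.bin`, `me.bin` or `gbe.bin` left in that directory would be built into the image with no check visible here. A short header comment would make the coupling explicit, for example `# CBFS_SIZE assumes the maximized BIOS region of blobs/xx30/ifd.bin; regenerate the xx30 blobs before changing either`. The same applies to the t430-maximized section on this line and to both x230 coreboot configs that follow.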
@@ -0,0 +1,20 @@
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x230-hotp-maximized/initrd.cpio.xz"
diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config
new file mode 100644
index 00000000..fb9b6d1d
--- /dev/null
+++ b/config/coreboot-x230-maximized.config
@@ -0,0 +1,20 @@
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x230-maximized/initrd.cpio.xz"
diff --git a/patches/coreboot-4.8.1/0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch b/patches/coreboot-4.8.1/0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch
new file mode 100644
index 00000000..490318bf
--- /dev/null
+++ b/patches/coreboot-4.8.1/0061-bincfg-Intel_GBE_82579LM_set_and_spec.patch
@@ -0,0 +1,471 @@ +diff --git a/util/bincfg/Makefile b/util/bincfg/Makefile +index 1b3e936..f568e67 100644 +--- a/util/bincfg/Makefile ++++ b/util/bincfg/Makefile + +@@ -19,6 +19,13 @@ + cat gbe1.bin gbe1.bin > flashregion_3_gbe.bin + rm -f gbe1.bin + ++# Use this target to generate GbE for X220/x230 ++gen-gbe-82579LM: ++ ./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin ++ # duplicate binary as per spec ++ cat gbe1.bin gbe1.bin > flashregion_3_gbe.bin ++ rm -f gbe1.bin ++ + # Use this target to generate IFD for X200 + gen-ifd-x200: + ./bincfg ifd-x200.spec ifd-x200.set flashregion_0_fd.bin + +diff --git a/util/bincfg/gbe-82579LM.set b/util/bincfg/gbe-82579LM.set +new file mode 100644 +index 0000000..01ae470 +--- /dev/null ++++ b/util/bincfg/gbe-82579LM.set + +@@ -0,0 +1,288 @@ ++# SPDX-License-Identifier: GPL-3.0-or-later ++ ++# ++# Datasheets: ++# ++# https://cdrdv2.intel.com/v1/dl/getContent/613456 ++ ++# The datasheet says that this spec covers the following pci ids: ++# 8086:1502 - Intel 82579LM gigabit ethernet controller ++# 8086:1503 - Intel 82579V gigabit ethernet controller ++ ++# Naming convention ++# * Word groups separated by a blank line ++# * Word groups with known meaning given a prefix ++# * prefix will be defined in comment before group ++# * Variable names to be named using a prefix, descriptive name and bit offset ++# within the word, separated by an underscore. ++# * Example: "prefix_description_0" ++# * Unidentified reserved word groups will be named reserved and LAN Word ++# * EXCEPTION: Word 0x24, Word 0x25, Word 0x26 also include bit offset ++# within the word ++# Offset hex address, separated by an underscore. ++# * Example: "reserved_x03" ++# * Nonprefixed names will be named reserved and LAN Word Offset hex address, ++# separated by an underscore. 
++# * Example: "imageversioninfo_x05" ++# * Unspecified words are prefixed with "offset_" ++ ++# GbE values for 82579LM ++{ ++ # This example sets MAC address to 00:DE:AD:C0:FF:EE ++ # USE YOUR DEVICES MAC ADDRESS!! ++ # prefix: "mac_" ++ "mac_address_0" = 0x00, ++ "mac_address_1" = 0xDE, ++ "mac_address_2" = 0xAD, ++ "mac_address_3" = 0xC0, ++ "mac_address_4" = 0xFF, ++ "mac_address_5" = 0xEE, ++ ++ # Reserved (Word 0x3) ++ "reserved_x03" = 0x0800, ++ ++ # Reserved (Word 0x04) ++ "reserved_x04" = 0xffff, ++ ++ # Image Version Information (Word 0x05) ++ "imageversioninfo_x05" = 0x00D3, ++ ++ "reserved_x06" = 0xffff, ++ "reserved_x07" = 0xffff, ++ ++ # PBA Low and PBA High (Words 0x08 and 0x09) ++ # prefix: "pba_" ++ "pba_low_x08" = 0xffff, ++ "pba_high_x09" = 0xffff, ++ ++ # PCI Init Control Word (Word 0x0A) ++ # prefix: "pci_" ++ "pci_loaddeviceid_0" = 1, ++ "pci_loadsubsystemid_1" = 1, ++ "pci_reserved_2" = 0, ++ "pci_reserved_3" = 0x0, ++ "pci_pmenable_6" = 1, ++ "pci_auxpwr_7" = 1, ++ "pci_reserved_8" = 0x10, ++ ++ # ************* Configurable PCI IDs **************** ++ # TODO: make command line switch for these ++ # Subsystem ID (Word 0x0B) ++ "subsystemid_x0B" = 0, ++ # Subsystem Vendor ID (Word 0x0C) ++ "subsystemvendorid_x0C" = 0x8086, ++ # Device ID (Word 0x0D) ++ # TODO: 82579V uses "deviceid_x0D" = 0x1503, ++ "deviceid_x0D" = 0x1502, ++ # ************* END Configurable PCI IDs **************** ++ ++ # Words 0x0E and 0x0F Are Reserved ++ "reserved_x0E" = 0x0, ++ "reserved_x0F" = 0x0, ++ ++ # LAN Power Consumption (Word 0x10) ++ # prefix: "lanpwr_" ++ "lanpwr_d3pwr_0" = 0x2, ++ "lanpwr_reserved_5" = 0, ++ "lanpwr_d0pwr_8" = 0x7, ++ ++ # Word 0x12 and Word 0x11 Are Reserved ++ "reserved_x11" = 0x0000, ++ "reserved_x12" = 0x0000, ++ ++ # Shared Init Control Word (Word 0x13) ++ # prefix: "sicw_" ++ "sicw_dynamicclock_0" = 1, ++ "sicw_clkcnt_1" = 0, ++ "sicw_reserved_2" = 1, ++ "sicw_fullduplex_3" = 0, ++ "sicw_forcespeed_4" = 0, ++ "sicw_reserved_5" = 0, ++ 
"sicw_phydeviceype_6" = 0, ++ "sicw_reserved_8" = 1, ++ "sicw_phy_enpwrdown_9" = 0, ++ "sicw_reserved_10" = 1, ++ "sicw_macsecdisable_13" = 1, ++ "sicw_sign_14" = 0x2, ++ ++ # Extended Configuration Word 1 (Word 0x14) ++ # prefix: "ecw1_" ++ "ecw1_extcfgptr_0" = 0x0028, ++ "ecw1_oemload_12" = 1, ++ "ecw1_phyload_13" = 1, ++ "ecw1_reserved_14" = 0, ++ ++ # Extended Configuration Word 2 (Word 0x15) ++ # prefix: "ecw2_" ++ "ecw2_reserved_0" = 0x00, ++ "ecw2_extphylen_8" = 0x12, ++ ++ # Extended Configuration Word 3 (Word 0x16) ++ # prefix: "ecw3_" ++ "ecw3_extcfg1_0" = 0x00, ++ ++ # OEM Configuration Defaults (Word 0x17) ++ # prefix: "oem_" ++ "oem_reserved_0" = 0x000, ++ "oem_lpluenind0a_9" = 0, ++ "oem_lplueninnond0a_10" = 1, ++ "oem_gbedisinnond0a_11" = 1, ++ "oem_reserved_12" = 0, ++ "oem_gbedis_14" = 0, ++ "oem_reserved_15" = 0, ++ ++ # LED 0 - 2 Configuration Defaults (Word 0x18) ++ # prefix: "l02_" ++ # Lenovo default values ++ "l02_led0mode_0" = 0x4, ++ "l02_led0invert_3" = 0, ++ "l02_led0blink_4" = 0, ++ "l02_led1mode_5" = 0x3, ++ "l02_led1invert_8" = 0, ++ "l02_led1blink_9" = 1, ++ "l02_led2mode_10" = 0x2, ++ "l02_led2invert_13" = 1, ++ "l02_led2blink_14" = 0, ++ "l02_blinkrate_15" = 0, ++ ++ # Intel default Values ++ #"l02_led0mode_0" = 0x4, ++ #"l02_led0invert_3" = 0, ++ #"l02_led0blink_4" = 1, ++ #"l02_led1mode_5" = 0x7, ++ #"l02_led1invert_8" = 0, ++ #"l02_led1blink_9" = 0, ++ #"l02_led2mode_10" = 0x6, ++ #"l02_led2invert_13" = 0, ++ #"l02_led2blink_14" = 0, ++ #"l02_blinkrate_15" = 0, ++ ++ ++ # Reserved (Word 0x19) ++ # NOTE: bit 6 must be 1 for validation. See datasheet. 
++ "reserved_x19" = 0x2B40, ++ ++ # Reserved (Word 0x1A) ++ # Advanced Power Management Wake Up Enable ++ # prefix: "amp_" ++ "amp_enable_0" = 1, ++ "amp_reserved_1" = 0x0421, ++ ++ # Reserved (Word 0x1B) ++ "reserved_x1B" = 0x0113, ++ ++ # Reserved (Word 0x1C) ++ "reserved_x1C" = 0x1502, ++ ++ # Reserved (Word 0x1D) ++ "reserved_x1D" = 0xBAAD, ++ ++ # Reserved (Word 0x1E) ++ "reserved_x1E" = 0x1502, ++ ++ # Reserved (Word 0x1F) ++ "reserved_x1F" = 0x1503, ++ ++ # Reserved (Word 0x20) ++ "reserved_x20" = 0xBAAD, ++ ++ # Reserved (Word 0x21) ++ "reserved_x21" = 0xBAAD, ++ ++ # Reserved (Word 0x22) ++ "reserved_x22" = 0xBAAD, ++ ++ # Reserved (Word 0x23) ++ "reserved_x23" = 0x1502, ++ ++ # Reserved (Word 0x24) ++ "reserved_x24_0" = 0x0000, ++ "reserved_x24_14" = 0, ++ "reserved_x24_15" = 1, ++ ++ # Reserved (Word 0x25) ++ "reserved_x25_0" = 0x0000, ++ "reserved_x25_4" = 1, ++ "reserved_x25_5" = 0, ++ "reserved_x25_7" = 1, ++ "reserved_x25_8" = 0x00, ++ "reserved_x25_15" = 1, ++ ++ # Reserved (Word 0x26) ++ "reserved_x26_0" = 0x00, ++ "reserved_x26_9" = 1, ++ "reserved_x26_10" = 1, ++ "reserved_x26_11" = 1, ++ "reserved_x26_12" = 0, ++ "reserved_x26_14" = 1, ++ "reserved_x26_15" = 0, ++ ++ # Reserved (Word 0x27) ++ "reserved_x27" = 0x80, ++ ++ # Offsets 0x28-0x2F ++ "offset_x28" = 0x0000, ++ "offset_x29" = 0x0000, ++ "offset_x2A" = 0x0000, ++ "offset_x2B" = 0x0000, ++ "offset_x2C" = 0x0000, ++ "offset_x2D" = 0x0000, ++ "offset_x2E" = 0x0000, ++ "offset_x2F" = 0x0000, ++ ++ # Boot Agent Main Setup Options (Word 0x30) ++ # Hardcoded PXE setup (disabled) ++ # prefix: "pxe30_" ++ "pxe30_protocolsel_0" = 0, ++ "pxe30_reserved_2" = 0, ++ "pxe30_defbootsel_3" = 0x3, ++ "pxe30_reserved_5" = 0, ++ "pxe30_prompttime_6" = 0x3, ++ "pxe30_dispsetup_8" = 0, ++ "pxe30_reserved_9" = 0, ++ "pxe30_forcespeed_10" = 0, ++ "pxe30_forcefullduplex_12" = 0, ++ "pxe30_reserved_13" = 0, ++ "pxe30_reserved_14" = 0, ++ ++ # Boot Agent Configuration Customization Options (Word 0x31) ++ # prefix: 
"pxe31_" ++ "pxe31_disablemenu_0" = 1, ++ "pxe31_disabletitle_1" = 1, ++ "pxe31_disableprotsel_2" = 0, ++ "pxe31_disbootorder_3" = 0, ++ "pxe31_dislegacywak_4" = 0, ++ "pxe31_disableflasicwpro_5" = 0, ++ "pxe31_reserved_6" = 0, ++ "pxe31_ibootagentmode_8" = 0, ++ "pxe31_contretrydis_11" = 0, ++ "pxe31_reserved_12" = 0, ++ "pxe31_signature_14" = 10, ++ ++ # Boot Agent Configuration Customization Options (Word 0x32) ++ # prefix: "pxe32_" ++ "pxe32_buildnum_0" = 0x28, ++ "pxe32_minorversion_8" = 0x2, ++ "pxe32_majorversion_12" = 0x1, ++ ++ # IBA Capabilities (Word 0x33) ++ # prefix: "pxe33_" ++ "pxe33_basecodepresent_0" = 1, ++ "pxe33_undipresent_1" = 1, ++ "pxe33_reserved_2" = 1, ++ "pxe33_efiundipresent_3" = 0, ++ "pxe33_iscsi_4" = 0, ++ "pxe33_reserved_5" = 0, ++ "pxe33_signature_14" = 10, ++ ++ "pxe_padding"[11] = 0xffff, ++ ++ # Checksum is generated by bincfg ++ # "checksum_gbe" = xxx, ++ ++ # G3 -> S5 PHY Configuration ++ "g3_s5_phy_conf"[0x16] = 0, ++ ++ # Padding 0xf80 bytes ++ "padding"[0xf6a] = 0xff ++} + +diff --git a/util/bincfg/gbe-82579LM.spec b/util/bincfg/gbe-82579LM.spec +new file mode 100644 +index 0000000..0367aff +--- /dev/null ++++ b/util/bincfg/gbe-82579LM.spec + +@@ -0,0 +1,147 @@ ++# SPDX-License-Identifier: GPL-3.0-or-later ++# ++# Datasheets: ++# ++# https://cdrdv2.intel.com/v1/dl/getContent/613456 ++ ++# The datasheet says that this spec covers the following pci ids: ++# 8086:1502 - Intel 82579LM gigabit ethernet controller ++# 8086:1503 - Intel 82579V gigabit ethernet controller ++ ++# GbE SPEC for 82579LM/82579V ++{ ++ "mac_address_"[6] : 8, ++ "reserved_x03" : 16, ++ "reserved_x04" : 16, ++ "imageversioninfo_x05" : 16, ++ "reserved_x06" : 16, ++ "reserved_x07" : 16, ++ "pba_low_x08" : 16, ++ "pba_high_x09" : 16, ++ "pci_loaddeviceid_0" : 1, ++ "pci_loadsubsystemid_1" : 1, ++ "pci_reserved_2" : 1, ++ "pci_reserved_3" : 3, ++ "pci_pmenable_6" : 1, ++ "pci_auxpwr_7" : 1, ++ "pci_reserved_8" : 8, ++ "subsystemid_x0B" : 16, ++ 
"subsystemvendorid_x0C" : 16, ++ "deviceid_x0D" : 16, ++ "reserved_x0E" : 16, ++ "reserved_x0F" : 16, ++ "lanpwr_d3pwr_0" : 5, ++ "lanpwr_reserved_5" : 3, ++ "lanpwr_d0pwr_8" : 8, ++ "reserved_x11" : 16, ++ "reserved_x12" : 16, ++ "sicw_dynamicclock_0" : 1, ++ "sicw_clkcnt_1" : 1, ++ "sicw_reserved_2" : 1, ++ "sicw_fullduplex_3" : 1, ++ "sicw_forcespeed_4" : 1, ++ "sicw_reserved_5" : 1, ++ "sicw_phydeviceype_6" : 2, ++ "sicw_reserved_8" : 1, ++ "sicw_phy_enpwrdown_9" : 1, ++ "sicw_reserved_10" : 3, ++ "sicw_macsecdisable_13" : 1, ++ "sicw_sign_14" : 2, ++ "ecw1_extcfgptr_0" : 12, ++ "ecw1_oemload_12" : 1, ++ "ecw1_phyload_13" : 1, ++ "ecw1_reserved_14" : 2, ++ "ecw2_reserved_0" : 8, ++ "ecw2_extphylen_8" : 8, ++ "ecw3_extcfg1_0" : 16, ++ "oem_reserved_0" : 9, ++ "oem_lpluenind0a_9" : 1, ++ "oem_lplueninnond0a_10" : 1, ++ "oem_gbedisinnond0a_11" : 1, ++ "oem_reserved_12" : 2, ++ "oem_gbedis_14" : 1, ++ "oem_reserved_15" : 1, ++ "l02_led0mode_0" : 3, ++ "l02_led0invert_3" : 1, ++ "l02_led0blink_4" : 1, ++ "l02_led1mode_5" : 3, ++ "l02_led1invert_8" : 1, ++ "l02_led1blink_9" : 1, ++ "l02_led2mode_10" : 3, ++ "l02_led2invert_13" : 1, ++ "l02_led2blink_14" : 1, ++ "l02_blinkrate_15" : 1, ++ "reserved_x19" : 16, ++ "amp_enable_0" : 1, ++ "amp_reserved_1" : 15, ++ "reserved_x1B" : 16, ++ "reserved_x1C" : 16, ++ "reserved_x1D" : 16, ++ "reserved_x1E" : 16, ++ "reserved_x1F" : 16, ++ "reserved_x20" : 16, ++ "reserved_x21" : 16, ++ "reserved_x22" : 16, ++ "reserved_x23" : 16, ++ "reserved_x24_0" : 14, ++ "reserved_x24_14" : 1, ++ "reserved_x24_15" : 1, ++ "reserved_x25_0" : 4, ++ "reserved_x25_4" : 1, ++ "reserved_x25_5" : 2, ++ "reserved_x25_7" : 1, ++ "reserved_x25_8" : 7, ++ "reserved_x25_15" : 1, ++ "reserved_x26_0" : 9, ++ "reserved_x26_9" : 1, ++ "reserved_x26_10" : 1, ++ "reserved_x26_11" : 1, ++ "reserved_x26_12" : 2, ++ "reserved_x26_14" : 1, ++ "reserved_x26_15" : 1, ++ "reserved_x27" : 16, ++ "offset_x28" : 16, ++ "offset_x29" : 16, ++ "offset_x2A" : 16, ++ 
"offset_x2B" : 16, ++ "offset_x2C" : 16, ++ "offset_x2D" : 16, ++ "offset_x2E" : 16, ++ "offset_x2F" : 16, ++ "pxe30_protocolsel_0" : 2, ++ "pxe30_reserved_2" : 1, ++ "pxe30_defbootsel_3" : 2, ++ "pxe30_reserved_5" : 1, ++ "pxe30_prompttime_6" : 2, ++ "pxe30_dispsetup_8" : 1, ++ "pxe30_reserved_9" : 1, ++ "pxe30_forcespeed_10" : 2, ++ "pxe30_forcefullduplex_12" : 1, ++ "pxe30_reserved_13" : 1, ++ "pxe30_reserved_14" : 2, ++ "pxe31_disablemenu_0" : 1, ++ "pxe31_disabletitle_1" : 1, ++ "pxe31_disableprotsel_2" : 1, ++ "pxe31_disbootorder_3" : 1, ++ "pxe31_dislegacywak_4" : 1, ++ "pxe31_disableflasicwpro_5" : 1, ++ "pxe31_reserved_6" : 2, ++ "pxe31_ibootagentmode_8" : 3, ++ "pxe31_contretrydis_11" : 1, ++ "pxe31_reserved_12" : 2, ++ "pxe31_signature_14" : 2, ++ "pxe32_buildnum_0" : 8, ++ "pxe32_minorversion_8" : 4, ++ "pxe32_majorversion_12" : 4, ++ "pxe33_basecodepresent_0" : 1, ++ "pxe33_undipresent_1" : 1, ++ "pxe33_reserved_2" : 1, ++ "pxe33_efiundipresent_3" : 1, ++ "pxe33_iscsi_4" : 1, ++ "pxe33_reserved_5" : 9, ++ "pxe33_signature_14" : 2, ++ "pxe_padding"[11] : 16, ++ "checksum_gbe" : 16, ++ "g3_s5_phy_conf"[0x16] : 8, ++ "padding"[0xf6a] : 8 ++} +