Merge pull request #1373 from tlaurion/io386_remake

2025-02-21 09:31:51 +00:00 · 2023-06-20 20:02:34 -04:00 · 2023-06-20 20:02:34 -04:00 · 6ec0c81443
commit 6ec0c81443
parent 3b3c49b026 995a6931f1
45 changed files with 317 additions and 93 deletions
--- a/1
+++ b/1
@ -499,6 +499,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
 bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
+bin_modules-$(CONFIG_IO386) += io386

 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
--- a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config
+++ b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config
@ -55,6 +55,10 @@ CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
 # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
 # for a console-based menu.
 CONFIG_CAIRO=y
--- a/boards/t420-hotp-maximized/t420-hotp-maximized.config
+++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config
@ -29,6 +29,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t420-maximized/t420-maximized.config
+++ b/boards/t420-maximized/t420-maximized.config
@ -28,6 +28,10 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t430-hotp-maximized/t430-hotp-maximized.config
+++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config
@ -27,6 +27,10 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t430-maximized/t430-maximized.config
+++ b/boards/t430-maximized/t430-maximized.config
@ -27,6 +27,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t440p-maximized/t440p-maximized.config
+++ b/boards/t440p-maximized/t440p-maximized.config
@ -20,6 +20,11 @@ CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
 # for a console-based menu.
 CONFIG_CAIRO=y
--- a/boards/t520-hotp-maximized/t520-hotp-maximized.config
+++ b/boards/t520-hotp-maximized/t520-hotp-maximized.config
@ -25,6 +25,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t520-maximized/t520-maximized.config
+++ b/boards/t520-maximized/t520-maximized.config
@ -25,6 +25,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config
+++ b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config
+++ b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t530-hotp-maximized/t530-hotp-maximized.config
+++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/t530-maximized/t530-maximized.config
+++ b/boards/t530-maximized/t530-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config
+++ b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config
+++ b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config
+++ b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config
+++ b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-hotp-maximized/w530-hotp-maximized.config
+++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/w530-maximized/w530-maximized.config
+++ b/boards/w530-maximized/w530-maximized.config
@ -28,6 +28,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x220-hotp-maximized/x220-hotp-maximized.config
+++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config
@ -29,6 +29,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x220-maximized/x220-maximized.config
+++ b/boards/x220-maximized/x220-maximized.config
@ -29,6 +29,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
+++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
@ -39,6 +39,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x230-hotp-maximized/x230-hotp-maximized.config
+++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config
@ -27,6 +27,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
+++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
@ -30,6 +30,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
+++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
@ -39,6 +39,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/boards/x230-maximized/x230-maximized.config
+++ b/boards/x230-maximized/x230-maximized.config
@ -27,6 +27,11 @@ CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y

+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 #TPM based requirements
 export CONFIG_TPM=y
--- a/config/coreboot-p8z77-m_pro-tpm1.config
+++ b/config/coreboot-p8z77-m_pro-tpm1.config
@ -1,17 +1,28 @@
-CONFIG_USE_BLOBS=y
 CONFIG_VENDOR_ASUS=y
 CONFIG_CBFS_SIZE=0x7E7000
 CONFIG_BOARD_ASUS_P8Z77_M_PRO=y
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_PCIEXP_HOTPLUG_BUSES=8
+CONFIG_PCIEXP_HOTPLUG_MEM=0x800000
+CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"
+CONFIG_UART_PCI_ADDR=0x0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
 CONFIG_NO_GFX_INIT=y
-CONFIG_TPM_MEASURED_BOOT=y
-CONFIG_TPM1=y
+CONFIG_PCIEXP_HOTPLUG_IO=0x2000
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM1=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
+CONFIG_POST_IO_PORT=0x80
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"
--- a/config/coreboot-t420-maximized.config
+++ b/config/coreboot-t420-maximized.config
@ -1,6 +1,6 @@
-# CONFIG_USE_BLOBS is not set
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_USE_BLOBS is not set
 CONFIG_VENDOR_LENOVO=y
 CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0x7E7FFF
@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_T420=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
--- a/config/coreboot-t430-maximized.config
+++ b/config/coreboot-t430-maximized.config
@ -1,6 +1,6 @@
-# CONFIG_USE_BLOBS is not set
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_USE_BLOBS is not set
 CONFIG_VENDOR_LENOVO=y
 CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0xBE4FFF
@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_THINKPAD_T430=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
--- a/config/coreboot-t440p.config
+++ b/config/coreboot-t440p.config
@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_THINKPAD_T440P=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_HAVE_MRC=y
 CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
+CONFIG_UART_PCI_ADDR=0x0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
-CONFIG_NO_GFX_INIT=y
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
--- a/config/coreboot-t520-maximized.config
+++ b/config/coreboot-t520-maximized.config
@ -1,23 +1,21 @@
 # CONFIG_INCLUDE_CONFIG_FILE is not set
 # CONFIG_COLLECT_TIMESTAMPS is not set
-CONFIG_USE_BLOBS=y
-CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0x7E7FFF
-CONFIG_ONBOARD_VGA_IS_PRIMARY=y
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin"
-CONFIG_BOARD_LENOVO_T520=y
-CONFIG_DRIVERS_PS2_KEYBOARD=y
-CONFIG_NO_POST=y
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_T520=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_DEBUG_SMM_RELOCATION=y
--- a/config/coreboot-t530-dgpu-hotp-maximized.config
+++ b/config/coreboot-t530-dgpu-hotp-maximized.config
@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
--- a/config/coreboot-t530-dgpu-maximized.config
+++ b/config/coreboot-t530-dgpu-maximized.config
@ -1,28 +1,27 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
+CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom"
+CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
-CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
-CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom"
-CONFIG_VGA_BIOS=y
-CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_T530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
--- a/config/coreboot-t530-maximized.config
+++ b/config/coreboot-t530-maximized.config
@ -1,23 +1,24 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_T530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
--- a/config/coreboot-w530-dgpu-K1000m-maximized.config
+++ b/config/coreboot-w530-dgpu-K1000m-maximized.config
@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
+CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
+CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
-CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
-CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
-CONFIG_VGA_BIOS=y
-CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
--- a/config/coreboot-w530-dgpu-K2000m-maximized.config
+++ b/config/coreboot-w530-dgpu-K2000m-maximized.config
@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
+CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
+CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
-CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
-CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
-CONFIG_VGA_BIOS=y
-CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
--- a/config/coreboot-w530-maximized.config
+++ b/config/coreboot-w530-maximized.config
@ -1,23 +1,24 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
--- a/config/coreboot-x220-maximized.config
+++ b/config/coreboot-x220-maximized.config
@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X220=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
--- a/config/coreboot-x230-maximized-fhd_edp.config
+++ b/config/coreboot-x230-maximized-fhd_edp.config
@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230_EDP=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
--- a/config/coreboot-x230-maximized.config
+++ b/config/coreboot-x230-maximized.config
@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@ -10,6 +10,20 @@ TRACE "Under /bin/config-gui.sh"
 param=$1

 while true; do
+  dynamic_config_options=(
+    'b' ' Change the /boot device'
+    's' ' Save the current configuration to the running BIOS' \
+    'r' ' Clear GPG key(s) and reset all user settings' \
+  )
+  if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ];then
+    dynamic_config_options+=(
+      't' ' Deactivate Platform Locking to permit OS write access to firmware'
+    )
+  fi
+  dynamic_config_options+=(
+  'x' ' Return to Main Menu'
+  )
+  
  if [ ! -z "$param" ]; then
    # use first char from parameter
    menu_choice=${param::1}
@ -18,16 +32,19 @@ while true; do
    unset menu_choice
    whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
    --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
-    'b' ' Change the /boot device' \
-    's' ' Save the current configuration to the running BIOS' \
-    'r' ' Clear GPG key(s) and reset all user settings' \
-    'x' ' Return to Main Menu' \
+    "${dynamic_config_options[@]}" \
    2>/tmp/whiptail || recovery "GUI menu failed"

    menu_choice=$(cat /tmp/whiptail)
  fi

  case "$menu_choice" in
+    "t" )
+      unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE
+      replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"
+      combine_configs
+      . /tmp/config
+    ;;
    "x" )
      exit 0
    ;;
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@ -150,5 +150,9 @@ if [ "$CONFIG_TPM" = "y" ]; then
 	tpmr kexec_finalize
 fi

+if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+	lock_chip
+fi
+
 echo "Starting the new kernel"
 exec kexec -e
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@ -0,0 +1,23 @@
+#!/bin/sh
+# For this to work:
+#  - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
+#  - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+#  - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
+# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
+
+#include ash shell functions (TRACE requires it)
+. /etc/ash_functions
+
+TRACE "Under /bin/lock_chip"
+if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+	APM_CNT=0xb2
+	FIN_CODE=0xcb
+fi
+
+if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
+	echo "Finalizing chipset"
+	io386 -o b -b x $APM_CNT $FIN_CODE
+else
+	echo "NOT Finalizing chipset"
+	echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
+fi
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@ -57,6 +57,7 @@ recovery() {

 	# ensure /tmp/config exists for recovery scripts that depend on it
 	touch /tmp/config
+	. /tmp/config

 	if [ "$CONFIG_TPM" = "y" ]; then
 		tpmr extend -ix 4 -ic recovery
--- a/modules/io386
+++ b/modules/io386
@ -0,0 +1,31 @@
+modules-$(CONFIG_IO386) += io386
+
+io386_depends := $(musl_dep)
+
+io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1
+io386_dir := io386-$(io386_version)
+io386_tar := io386-$(io386_version).tar.gz
+io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz
+io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06
+
+io386_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	CFLAGS="-Os" \
+	SHARED=yes \
+	PREFIX="/" \
+	&& \
+	$(MAKE) \
+	-C $(build)/$(io386_dir) \
+	$(CROSS_TOOLS) \
+	SHARED=yes \
+	PREFIX="/" \
+	DESTDIR="$(INSTALL)" \
+	install \
+
+io386_output := \
+	io386
+
+io386_libraries :=
+
+io386_configure :=