ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-03-13 15:56:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'gaspar-ilom/poc_t480' into coreboot_bump_2412

Browse Source 
Resolve conflicts for .circleci/config.yml

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2025-03-02 11:58:59 -05:00
commit 80055417f7
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
16 changed files with 240 additions and 213 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
.circleci/config.yml
View File

@ -92,11 +92,15 @@ jobs:
name: Download Optiplex 7010/9010 blobs
command: |
./blobs/xx30/optiplex_7010_9010.sh ./blobs/xx30
# me_cleaner.py present under heads blobs/utils/me_cleaner dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py
- run:
# me_cleaner.py present under heads xx30 blobs dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx30/download_clean_me_manually.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
./blobs/xx30/download_clean_me_manually.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py)
- run:
name: Download, neuter and deguard xx80 ME (keep generated GBE and extracted IFD in tree)
command: |
./blobs/xx80/download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/
- run:
name: Download and extract t530 vbios roms for dgpu boards
command: |
@ -230,7 +234,7 @@ workflows:
# Below, sequentially build one board for each coreboot version.
# The last board in the sequence is the dependency for the parallel boards built at the end, and also save_cache.
# coreboot 24.02.01, base layer cache to be built and reused by all 24.02.01 boards
# coreboot 24.02.01
- build_and_persist:
name: novacustom-nv4x_adl
target: novacustom-nv4x_adl
@ -238,7 +242,7 @@ workflows:
requires:
- x86-musl-cross-make
# coreboot purism
# coreboot purism: based on coreboot 24.02.01, reuse dasharo 24.02.01 crossgcc
- build_and_persist:
name: librem_14
target: librem_14
@ -507,6 +511,14 @@ workflows:
requires:
- librem_14
# t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
- build:
name: t480-maximized
target: t480-maximized
subcommand: ""
requires:
- t480-hotp-maximized
# dasharo release, share 24.02.01 utils/crossgcc
- build:
name: UNTESTED_nitropad-ns50
@ -515,6 +527,7 @@ workflows:
requires:
- novacustom-nv4x_adl
#NovaCustom v56 boards are based on coreboot 24.02.01 fork, so depend on x230
- build:
name: novacustom-v560tu
target: novacustom-v560tu

2
BOARD_TESTERS.md
View File

@ -34,7 +34,7 @@ xx4x(Haswell):
xx8x(Kaby Lake Refresh):
===
- [ ] t480: @gaspar-ilom @doritos4mlady @MattClifton76
- [ ] t480: @gaspar-ilom @doritos4mlady @MattClifton76 @notgivenby @akunterkontrolle
Librems:
===

0
blobs/xx30/me_cleaner.py → blobs/utils/me_cleaner/me_cleaner.py
View File

1
blobs/xx80/.gitignore vendored
View File

@ -1 +1,2 @@
me.bin
tb.bin

30
blobs/xx80/README
View File

@ -1,30 +0,0 @@
The ME blobs dumped in this directory come from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
Therefore, Bootguard can be disabled by deguard with a patched ME.
1.0.0:Automatically extract, neuter and deguard me.bin
download_clean_me.sh : Downloads vulnerable ME from Dell verify checksum, extract ME, neuters ME, relocate and trim it, then apply deguard patch and place it into me.bin
sha256sum:
1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin
1.0.1: Extract blobs from original rom:
extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim and deguard it, modify BIOS and ME region of IFD and place output files into this dir.
sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent.
1.1: More blobs
--------------------
ifd.bin was extracted from a T480 from an external flashrom backup.
sha256sum:
f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin
sha256sum:
6b7f3912995fb87ae62956e009470b35b72b5b9a4bfd7bed48da429af9804866 gbe.bin
------------------------
Notes: as specified in first link, this ME can be deployed to:
T480 and T480s

53
blobs/xx80/README.md Normal file
View File

@ -0,0 +1,53 @@
# T480 Blobs
The following blobs are needed:
* `ifd.bin`
* `gbe.bin`
* `me.bin`
* `tb.bin` (optional but recommended flashing this blob to the separate Thunderbolt SPI chip to fix a bug in the original firmware)
## me.bin: automatically extract, neuter and deguard
download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin
The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
Therefore, Bootguard can be disabled by deguard with a patched ME.
As specified in the first link, this ME can be deployed to:
* T480
* T480s
## ifd.bin and gbe.bin
Both blobs were taken from libreboot: https://codeberg.org/libreboot/lbmk/src/commit/68ebde2f033ce662813dbf8f5ab21f160014029f/config/ifd/t480
The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC`
## tb.bin
This blob was extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T430-maximized-flashing/
## Integrity
Sha256sums: `blobs/xx80/hashes.txt`
# CAVEATS for the board:
See the board configs `boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config`:
> This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
> This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
> Also it can be used to extract FDE keys from a TPM.
> The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
> Make sure you understand the implications of the attack for your threat model before using this board.
# Documentation
A guide on how to flash this board (both the Heads rom and the Thunderbolt `tb.bin` blob) can be found here:
https://osresearch.net/T430-maximized-flashing/

141
blobs/xx80/download_clean_deguard_me.sh → blobs/xx80/download_clean_deguard_me_pad_tb.sh
View File

@ -7,15 +7,23 @@ ME_version="11.6.0.1126"
ME_sku="2M"
ME_pch="LP"
# Thunderbolt firmware offset in bytes to pad to 1M
TBFW_SIZE=1048575
# Integrity checks for the vendor provided ME blob...
ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0"
# ...and the cleaned and deguarded version from that blob.
DEGUARDED_ME_BIN_HASH="1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b"
# Integrity checks for the vendor provided Thunderbolt blob...
TB_DOWNLOAD_HASH="a500a93fe6a3728aa6676c70f98cf46785ef15da7c5b1ccd7d3a478d190a28a8"
# ...and the padded and flashable version from that blob.
TB_BIN_HASH="3903a93df700dee46ca2ccbb9e70e09f25f372fcfc1d5df7338640748117b964"
function usage() {
echo -n \
"Usage: $(basename "$0") path_to_output_directory
"Usage: $(basename "$0") -m <me_cleaner>(optional) path_to_output_directory
Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS.
Download Thunderbolt firmware from Lenovo and pad it for flashing externally.
"
}
@ -30,20 +38,20 @@ function chk_sha256sum() {
fi
}
function chk_exists() {
if [ -e "$me_deguarded" ]; then
echo "me.bin already exists"
if echo "${DEGUARDED_ME_BIN_HASH} $me_deguarded" | sha256sum --check; then
echo "SKIPPING: SHA256 checksum for me.bin matches."
exit 0
function chk_exists_and_matches() {
if [[ -f "$1" ]]; then
if echo "${2} ${1}" | sha256sum --check; then
echo "SKIPPING: SHA256 checksum for $1 matches."
[[ "$3" = ME ]] && me_exists="y"
[[ "$3" = TB ]] && tb_exists="y"
fi
retry="y"
echo "me.bin exists but checksum doesn't match. Continuing..."
echo "$1 exists but checksum doesn't match. Continuing..."
fi
}
function download_and_clean() {
me_output="$(realpath "${1}")"
me_cleaner="$(realpath "${1}")"
me_output="$(realpath "${2}")"
# Download and unpack the Dell installer into a temporary directory and
# extract the deguardable Intel ME blob.
@ -63,21 +71,16 @@ function download_and_clean() {
extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin"
mv "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" "${COREBOOT_DIR}/util/me_cleaner"
rm -rf ./*
popd || exit
# Neutralize and shrink Intel ME. Note that this doesn't include
# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
# High Assurance Program) bits, as they are defined within the Flash
# Descriptor.
# However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function.
# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
pushd "${COREBOOT_DIR}/util/me_cleaner" || exit
# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
python me_cleaner.py --whitelist MFS -t -O "$me_output" "$extracted_me_filename"
rm -f "$extracted_me_filename"
python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}"
rm -rf ./*
popd || exit
}
@ -106,27 +109,91 @@ function deguard() {
popd || exit
}
function download_and_pad_tb() {
tb_output="$(realpath "${1}")"
# Download and unpack the Lenovo installer into a temporary directory and
# extract the TB blob.
pushd "$(mktemp -d)" || exit
# Download the installer that contains the TB blob
tb_installer_filename=""n24th13w.exe""
user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
curl -A "$user_agent" -s -O "https://download.lenovo.com/pccbbs/mobiles/${tb_installer_filename}"
chk_sha256sum "$TB_DOWNLOAD_HASH" "$tb_installer_filename"
# https://www.reddit.com/r/thinkpad/comments/9rnimi/ladies_and_gentlemen_i_present_to_you_the/
7z e n24th13w.exe \[0\]
mv \[0\] tb.bin
# pad with zeros
dd if=/dev/zero of=tb.bin bs=1 seek="$TBFW_SIZE" count=1
mv "tb.bin" "$tb_output"
rm -rf ./*
popd || exit
}
function usage_err() {
echo "$1"
usage
exit 1
}
function parse_params() {
while getopts ":m:" opt; do
case $opt in
m)
if [[ -x "$OPTARG" ]]; then
me_cleaner="$OPTARG"
fi
;;
?)
usage_err "Invalid Option: -$OPTARG"
;;
esac
done
if [[ -z "${me_cleaner}" ]]; then
if [[ -z "${COREBOOT_DIR}" ]]; then
usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable."
else
me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py"
fi
fi
echo "Using me_cleaner from ${me_cleaner}"
shift $(($OPTIND - 1))
output_dir="$(realpath "${1:-./}")"
if [[ ! -d "${output_dir}" ]]; then
usage_err "No valid output dir found"
fi
me_cleaned="${output_dir}/me_cleaned.bin"
me_deguarded="${output_dir}/me.bin"
tb_flashable="${output_dir}/tb.bin"
echo "Writing cleaned and deguarded ME to ${me_deguarded}"
echo "Writing flashable TB to ${tb_flashable}"
}
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
if [[ "${1:-}" == "--help" ]]; then
usage
else
output_dir="$(realpath "${1:-./}")"
me_cleaned="${output_dir}/me_cleaned.bin"
me_deguarded="${output_dir}/me.bin"
chk_exists
if [[ -z "${COREBOOT_DIR}" ]]; then
echo "ERROR: No COREBOOT_DIR variable defined."
exit 1
fi
if [[ ! -f "$me_deguarded" ]] || [ "$retry" = "y" ]; then
download_and_clean "$me_cleaned"
deguard "$me_cleaned" "$me_deguarded"
rm -f "$me_cleaned"
fi
chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded"
exit 0
fi
fi
parse_params "$@"
chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME
chk_exists_and_matches "$tb_flashable" "$TB_BIN_HASH" TB
if [[ -z "$me_exists" ]]; then
download_and_clean "$me_cleaner" "$me_cleaned"
deguard "$me_cleaned" "$me_deguarded"
rm -f "$me_cleaned"
fi
if [[ -z "$tb_exists" ]]; then
download_and_pad_tb "$tb_flashable"
fi
chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded"
chk_sha256sum "$TB_BIN_HASH" "$tb_flashable"
fi

1
blobs/xx80/hashes.txt
View File

@ -1,3 +1,4 @@
d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin
f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin
1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin
3903a93df700dee46ca2ccbb9e70e09f25f372fcfc1d5df7338640748117b964 tb.bin

15
boards/t480-hotp-maximized/t480-hotp-maximized.config
View File

@ -11,6 +11,11 @@
# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions
# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip,
# which is not the same as the 16MB chip to which the heads rom is flashed.
# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip.
# You can find a guide here: https://osresearch.net/T430-maximized-flashing/
#
# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
@ -19,7 +24,6 @@ export CONFIG_COREBOOT_VERSION=24.12
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-t480-maximized.config
# TODO: Make a ThinkPad-common Linux config file.
CONFIG_LINUX_CONFIG=config/linux-t480.config
#On-demand hardware support (modules.cpio)
@ -77,13 +81,12 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output, debug output probably a good idea for first tests TODO:remove prior of merge
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log, not quiet for first test
export CONFIG_QUIET_MODE=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

15
boards/t480-maximized/t480-maximized.config
View File

@ -11,6 +11,11 @@
# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions
# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh)
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip,
# which is not the same as the 16MB chip to which the heads rom is flashed.
# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip.
# You can find a guide here: https://osresearch.net/T430-maximized-flashing/
#
# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
@ -19,7 +24,6 @@ export CONFIG_COREBOOT_VERSION=24.12
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-t480-maximized.config
# TODO: Make a ThinkPad-common Linux config file.
CONFIG_LINUX_CONFIG=config/linux-t480.config
#On-demand hardware support (modules.cpio)
@ -77,13 +81,12 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output, debug output probably a good idea for first tests TODO:remove prior of merge
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log, not quiet for first test
export CONFIG_QUIET_MODE=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

3
config/coreboot-t480-maximized.config
View File

@ -222,7 +222,6 @@ CONFIG_PS2M_EISAID="PNP0F13"
CONFIG_THINKPADEC_HKEY_EISAID="IBM0068"
CONFIG_GFX_GMA_PANEL_1_PORT="eDP"
CONFIG_BOARD_LENOVO_SKLKBL_THINKPAD_COMMON=y
CONFIG_LENOVO_TBFW_BIN=""
# CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set
CONFIG_POWER_STATE_DEFAULT_ON_AFTER_FAILURE=y
CONFIG_D3COLD_SUPPORT=y
@ -707,7 +706,7 @@ CONFIG_VBOOT_LIB=y
CONFIG_TPM2=y
CONFIG_TPM=y
CONFIG_MAINBOARD_HAS_TPM2=y
CONFIG_DEBUG_TPM=y
# CONFIG_DEBUG_TPM is not set
# CONFIG_TPM_LOG_CB is not set
CONFIG_TPM_LOG_TPM2=y
# CONFIG_TPM_HASH_SHA1 is not set

6
initrd/bin/oem-system-info-xx30
View File

@ -12,11 +12,7 @@ export BG_COLOR_MAIN_MENU="normal"
TRACE_FUNC
battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)"
if [ -n "$battery_charge" ] && [ -n "$battery_health" ]; then
battery_status="\nBattery charge: $battery_charge% Battery health: $battery_health%\n"
fi
battery_status="$(print_battery_state)"
usb="$(lsusb)"
pci="$(lspci)"

65
initrd/etc/functions
View File

@ -1190,9 +1190,6 @@ scan_boot_options() {
fi
}
calc() {
awk "BEGIN { print "$*" }"
}
# truncate a file to a size only if it is longer (busybox truncate lacks '<' and
# always sets the file size)
@ -1220,38 +1217,42 @@ fromhex_plain() {
fold -w 60 | xxd -p -r
}
print_battery_health() {
TRACE_FUNC
if ls /sys/class/power_supply/BAT* 1>/dev/null 2>&1; then
for battery in /sys/class/power_supply/BAT*; do
if [ -d "$battery" ]; then
charge_full=$(cat "$battery/charge_full")
charge_full_design=$(cat "$battery/charge_full_design")
battery_health=$(calc "$charge_full / $charge_full_design * 100" | awk -F "." '{print $1}')
DEBUG "Battery $battery health: $battery_health%"
echo "$battery_health"
fi
done
else
DEBUG "No battery found in /sys/class/power_supply/"
fi
print_battery_charge() {
local battery
battery="$1"
echo "$((100*$(cat "${battery}/charge_now")/$(cat "${battery}/charge_full")))"
}
print_battery_charge() {
TRACE_FUNC
if ls /sys/class/power_supply/BAT* 1>/dev/null 2>&1; then
for battery in /sys/class/power_supply/BAT*; do
if [ -d "$battery" ]; then
charge_now=$(cat "$battery/charge_now")
charge_full=$(cat "$battery/charge_full")
battery_charge=$(calc "$charge_now / $charge_full * 100" | awk -F "." '{print $1}')
DEBUG "Battery $battery charge: $battery_charge%"
echo "$battery_charge"
print_battery_health() {
local battery
battery="$1"
echo "$((100*$(cat "${battery}/charge_full")/$(cat "${battery}/charge_full_design")))"
}
print_battery_name() {
local battery
battery="$1"
echo "$(cat "${battery}/manufacturer") $(cat "${battery}/model_name")"
}
# Print the charging and health state for all batteries
# Print the maufacturer and model name for each battery if more than 1
# The printed string contains the full formatting including leading an trailing "\n" strings
print_battery_state() {
local battery_status
battery_status=""
all_batteries=(/sys/class/power_supply/BAT*)
for battery in "${all_batteries[@]}"; do
if [[ -d "${battery}" ]]; then
battery_name="Battery"
if [ "${#all_batteries[@]}" -gt 1 ]; then
battery_name+=" $(print_battery_name "${battery}")"
fi
done
else
DEBUG "No battery found in /sys/class/power_supply/"
fi
battery_status+="\n${battery_name} charge: $(print_battery_charge "${battery}")%"
battery_status+="\n${battery_name} health: $(print_battery_health "${battery}")%"
fi
done
echo "${battery_status:+${battery_status}\n}"
}
generate_random_mac_address() {

6
initrd/etc/gui_functions
View File

@ -165,11 +165,7 @@ file_selector() {
show_system_info() {
TRACE_FUNC
battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)"
if [ -n "$battery_charge" ] && [ -n "$battery_health" ]; then
battery_status="\nBattery charge: $battery_charge%\nBattery health: $battery_health%\n"
fi
battery_status="$(print_battery_state)"
memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ')
memtotal=$((${memtotal} / 1024 / 1024 + 1))

78
patches/coreboot-24.12/0009-lenovo-Add-Kconfig-option-CONFIG_LENOVO_TBFW_BIN.patch
View File

@ -1,78 +0,0 @@
From 35295d97b08ee659b6770ce39003732a4bdfb6a0 Mon Sep 17 00:00:00 2001
From: Leah Rowe <info@minifree.org>
Date: Wed, 18 Dec 2024 02:06:18 +0000
Subject: [PATCH 09/11] lenovo: Add Kconfig option CONFIG_LENOVO_TBFW_BIN
This is used by lbmk to know where a tb.bin file goes,
when extracting and padding TBT.bin from Lenovo ThunderBolt
firmware updates on T480/T480s and other machines, grabbing
Lenovo update files.
Not used in any builds, so it's not relevant for ./mk inject
However, the ThunderBolt firmware is now auto-downloaded on
T480/T480s. This is not inserted, because it doesn't go in
the main flash, but the resulting ROM image can be flashed
on the TB controller's separate flash chip.
Locations are as follows:
vendorfiles/t480s/tb.bin
vendorfiles/t480/tb.bin
This can be used for other affected ThinkPads when they're
added to Libreboot, but note that Lenovo provides different
TB firmware files for each machine.
Since I assume it's the same TB controller on all of those
machines, I have to wonder: what difference is there between
the various TBT.bin files provided by Lenovo, and how do they
differ in terms of actual flashed configuration?
We simply flash the padded TBT.bin when updating the firmware,
flashing externally. That's what this patch is for, so that
lbmk can auto-download them.
Signed-off-by: Leah Rowe <info@minifree.org>
---
src/mainboard/lenovo/Kconfig | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/mainboard/lenovo/Kconfig b/src/mainboard/lenovo/Kconfig
index 2ffbaab85f..512b326381 100644
--- a/src/mainboard/lenovo/Kconfig
+++ b/src/mainboard/lenovo/Kconfig
@@ -18,4 +18,30 @@ config MAINBOARD_FAMILY
string
default MAINBOARD_PART_NUMBER
+config LENOVO_TBFW_BIN
+ string "Lenovo ThunderBolt firmware bin file"
+ default ""
+ help
+ ThunderBolt firmware for certain ThinkPad models e.g. T480.
+ Not used in the actual build. Libreboot's build system uses this
+ along with config/vendor/*/pkg.cfg entries defining a URL to the
+ Lenovo download link and hash. The resulting file when processed by
+ lbmk can be flashed to the ThunderBolt firmware's 25XX NOR device.
+ Earlier versions of this firmware had debug commands enabled that
+ sent logs to said flash IC, and it would quickly fill up, bricking
+ the ThunderBolt controller. With these updates, flashed externally,
+ you can fix the issue if present or otherwise prevent it. The benefit
+ here is that you then don't need to use Windows or a boot disk. You
+ can flash the TB firmware while flashing Libreboot firmware. Easy!
+ Look for these variables in lbmk:
+ TBFW_url TBFW_url_bkup TBFW_hash and look at how it handles that and
+ CONFIG_LENOVO_TBFW_BIN, in lbmk's include/vendor.sh file.
+ The path set by CONFIG_LENOVO_TBFW_BIN is used by lbmk when extracting
+ the firmware, putting it at that desired location. In this way, lbmk
+ can auto-download such firmware. E.g. ./mk -d coreboot t480_fsp_16mb
+ and it appears at vendorfiles/t480/tb.bin fully padded and everything!
+
+ Just leave this blank if you don't care about this option. It's not
+ useful for every ThinkPad, only certain models.
+
endif # VENDOR_LENOVO
--
2.39.5

16
targets/xx80_me_blobs.mk
View File

@ -6,14 +6,16 @@
# following to have gbe.bin ifd.bin and me.bin
# - blobs/xx80/download_clean_me_and_deguard.sh
# To download Lenovo original ME binary, neuter+deactivate ME, produce
# reduced IFD ME region and expanded BIOS IFD region.
# - blobs/xx80/extract_and_deguard.sh
# To extract ME binary, GBE and IFD blobs and apply the deguard exploit to the the ME binary.
# reduced IFD ME region and expanded BIOS IFD region.
# Also creates the tb.bin blob to flash the Thunderbolt SPI.
# Make the Coreboot build depend on the following 3rd party blobs:
$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
$(pwd)/blobs/xx80/me.bin
$(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD)/tb.bin
$(pwd)/blobs/xx80/me.bin:
COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
$(pwd)/blobs/xx80/download_clean_deguard_me.sh $(pwd)/blobs/xx80
$(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin &:
$(pwd)/blobs/xx80/download_clean_deguard_me_pad_tb.sh \
-m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80
$(build)/$(BOARD)/tb.bin: $(pwd)/blobs/xx80/tb.bin
cp $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD)