diff --git a/Makefile b/Makefile index 049fa805..a8c2c9f8 100644 --- a/Makefile +++ b/Makefile @@ -503,6 +503,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools bin_modules-$(CONFIG_BASH) += bash bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils +bin_modules-$(CONFIG_IO386) += io386 bin_modules-$(CONFIG_IOPORT) += ioport bin_modules-$(CONFIG_ZSTD) += zstd diff --git a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config index 57cb23d3..51502716 100644 --- a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config +++ b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config @@ -55,6 +55,10 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 1281c444..e9b78273 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index bfbd8171..9f3760b0 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -28,6 +28,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index 5f172eb7..70f8ef8c 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -27,6 +27,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 10d5a235..4983a6c0 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index b74edef9..247dc8ef 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -20,6 +20,11 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t520-hotp-maximized/t520-hotp-maximized.config b/boards/t520-hotp-maximized/t520-hotp-maximized.config index 7de13744..7d3ea1b3 100644 --- a/boards/t520-hotp-maximized/t520-hotp-maximized.config +++ b/boards/t520-hotp-maximized/t520-hotp-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t520-maximized/t520-maximized.config b/boards/t520-maximized/t520-maximized.config index 4589ec21..35f55ff7 100644 --- a/boards/t520-maximized/t520-maximized.config +++ b/boards/t520-maximized/t520-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config index 364e49b7..e0412ef3 100644 --- a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config +++ b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config index ef7877b5..4d1c756e 100644 --- a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config +++ b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 9f9c00e0..8a4209fb 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 0bc59d86..3fa20c29 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config index f3dab011..396639cc 100644 --- a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config +++ b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config index 6a7bd1f1..822c91f7 100644 --- a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config +++ b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config index b5e45aa6..968cce2b 100644 --- a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config +++ b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config index edb50cb3..9a374c4d 100644 --- a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config +++ b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index a01a98d8..5e38664b 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index a2583297..fdd1c0c2 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 69531e65..ba46fb41 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 611dc3a8..d4df3a84 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index cb5daa6b..377e91f1 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index a8dca850..df4e8a45 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index 47a4133a..5cd7cfc2 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -30,6 +30,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index eda0d3a4..1db26bcc 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7d385a3f..e8f78e79 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config index 2fb5b5b7..2b3b7be3 100644 --- a/config/coreboot-p8z77-m_pro-tpm1.config +++ b/config/coreboot-p8z77-m_pro-tpm1.config @@ -1,17 +1,28 @@ -CONFIG_USE_BLOBS=y CONFIG_VENDOR_ASUS=y CONFIG_CBFS_SIZE=0x7E7000 CONFIG_BOARD_ASUS_P8Z77_M_PRO=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y CONFIG_NO_GFX_INIT=y -CONFIG_TPM_MEASURED_BOOT=y -CONFIG_TPM1=y +CONFIG_PCIEXP_HOTPLUG_IO=0x2000 +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM1=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y +CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" diff --git a/config/coreboot-qemu-tpm1.config b/config/coreboot-qemu-tpm1.config index 2c6ad5fa..0378328b 100644 --- a/config/coreboot-qemu-tpm1.config +++ b/config/coreboot-qemu-tpm1.config @@ -1,19 +1,27 @@ CONFIG_CCACHE=y # CONFIG_INCLUDE_CONFIG_FILE is not set -CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_CBFS_SIZE=0x980000 -# CONFIG_POST_IO is not set -# CONFIG_POST_DEVICE is not set -CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y # CONFIG_CONSOLE_SERIAL is not set +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +# CONFIG_POST_DEVICE is not set +# CONFIG_POST_IO is not set +CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_PCIEXP_HOTPLUG_BUSES=32 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +CONFIG_TPM_MEASURED_BOOT=y CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty" CONFIG_COREBOOT_ROMSIZE_KB_10240=y CONFIG_PCIEXP_ASPM=y CONFIG_PCIEXP_COMMON_CLOCK=y -CONFIG_UART_PCI_ADDR=0 +CONFIG_PCIEXP_HOTPLUG_IO=0x2000 +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_DRIVERS_PS2_KEYBOARD=y -CONFIG_USER_TPM1=y -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_TPM1=y +CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config index 455aa803..ebc93fca 100644 --- a/config/coreboot-t420-maximized.config +++ b/config/coreboot-t420-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T420=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config index 190ac0fb..ae701a37 100644 --- a/config/coreboot-t430-maximized.config +++ b/config/coreboot-t430-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T430=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index c70c0e6a..a14496ba 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config @@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T440P=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0" CONFIG_TPM_MEASURED_BOOT=y CONFIG_HAVE_MRC=y CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y -CONFIG_NO_GFX_INIT=y +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config index 0665a395..6830c102 100644 --- a/config/coreboot-t520-maximized.config +++ b/config/coreboot-t520-maximized.config @@ -1,23 +1,21 @@ # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set -CONFIG_USE_BLOBS=y -CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF -CONFIG_ONBOARD_VGA_IS_PRIMARY=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin" -CONFIG_BOARD_LENOVO_T520=y -CONFIG_DRIVERS_PS2_KEYBOARD=y -CONFIG_NO_POST=y CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin" +CONFIG_HAVE_IFD_BIN=y +CONFIG_BOARD_LENOVO_T520=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-t530-dgpu-hotp-maximized.config b/config/coreboot-t530-dgpu-hotp-maximized.config index b1f84b7a..7b1ca684 100644 --- a/config/coreboot-t530-dgpu-hotp-maximized.config +++ b/config/coreboot-t530-dgpu-hotp-maximized.config @@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config index fd236eea..d1933646 100644 --- a/config/coreboot-t530-dgpu-maximized.config +++ b/config/coreboot-t530-dgpu-maximized.config @@ -1,28 +1,27 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU_ID="10de,0def" +CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" +CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" -CONFIG_VGA_BIOS_DGPU_ID="10de,0def" -CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" -CONFIG_VGA_BIOS=y -CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config index 41569924..3d245dcf 100644 --- a/config/coreboot-t530-maximized.config +++ b/config/coreboot-t530-maximized.config @@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config index 64a2f3ec..245a5c56 100644 --- a/config/coreboot-w530-dgpu-K1000m-maximized.config +++ b/config/coreboot-w530-dgpu-K1000m-maximized.config @@ -1,30 +1,28 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc" +CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom" +CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" -CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc" -CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom" -CONFIG_VGA_BIOS=y -CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config index ab1ea461..dc2f561c 100644 --- a/config/coreboot-w530-dgpu-K2000m-maximized.config +++ b/config/coreboot-w530-dgpu-K2000m-maximized.config @@ -1,30 +1,28 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb" +CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom" +CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" -CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb" -CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom" -CONFIG_VGA_BIOS=y -CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config index daf91635..3adb53d3 100644 --- a/config/coreboot-w530-maximized.config +++ b/config/coreboot-w530-maximized.config @@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config index 934ff13f..3b2a6223 100644 --- a/config/coreboot-x220-maximized.config +++ b/config/coreboot-x220-maximized.config @@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X220=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_NO_GFX_INIT=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config index 231c24a4..837d8a6a 100644 --- a/config/coreboot-x230-maximized-fhd_edp.config +++ b/config/coreboot-x230-maximized-fhd_edp.config @@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X230_EDP=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config index dedeed36..f5780fe7 100644 --- a/config/coreboot-x230-maximized.config +++ b/config/coreboot-x230-maximized.config @@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X230=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_NO_GFX_INIT=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index bc67dad5..e6a892c8 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -30,7 +30,9 @@ while true; do # Re-source config because we change it when an option is toggled . /tmp/config - dynamic_config_options=() + dynamic_config_options=( + 'b' ' Change the /boot device' + ) # Options that don't apply to basic mode [ "$CONFIG_BASIC" != "y" ] && dynamic_config_options+=( @@ -63,19 +65,31 @@ while true; do 'N' " $(get_config_display_action "$CONFIG_AUTOMATIC_POWERON") automatic power-on" ) + [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ] && dynamic_config_options+=( + 't' ' Deactivate Platform Locking to permit OS write access to firmware' + ) + + dynamic_config_options+=( + 's' ' Save the current configuration to the running BIOS' \ + 'x' ' Return to Main Menu' + ) + unset menu_choice whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \ - 'b' ' Change the /boot device' \ "${dynamic_config_options[@]}" \ - 's' ' Save the current configuration to the running BIOS' \ - 'x' ' Return to Main Menu' \ 2>/tmp/whiptail || recovery "GUI menu failed" menu_choice=$(cat /tmp/whiptail) fi case "$menu_choice" in + "t" ) + unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE + replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n" + combine_configs + . /tmp/config + ;; "x" ) exit 0 ;; diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index e9ced869..66f649ce 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -158,5 +158,9 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr kexec_finalize fi +if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then + lock_chip +fi + echo "Starting the new kernel" exec kexec -e diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip new file mode 100755 index 00000000..8bf316b7 --- /dev/null +++ b/initrd/bin/lock_chip @@ -0,0 +1,23 @@ +#!/bin/sh +# For this to work: +# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work) +# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN +# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here. +# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly + +#include ash shell functions (TRACE requires it) +. /etc/ash_functions + +TRACE "Under /bin/lock_chip" +if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then + APM_CNT=0xb2 + FIN_CODE=0xcb +fi + +if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then + echo "Finalizing chipset" + io386 -o b -b x $APM_CNT $FIN_CODE +else + echo "NOT Finalizing chipset" + echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip." +fi diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index 963c5cc1..1c5aaf0b 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -57,6 +57,7 @@ recovery() { # ensure /tmp/config exists for recovery scripts that depend on it touch /tmp/config + . /tmp/config if [ "$CONFIG_TPM" = "y" ]; then tpmr extend -ix 4 -ic recovery diff --git a/modules/io386 b/modules/io386 new file mode 100644 index 00000000..5ee33e63 --- /dev/null +++ b/modules/io386 @@ -0,0 +1,31 @@ +modules-$(CONFIG_IO386) += io386 + +io386_depends := $(musl_dep) + +io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1 +io386_dir := io386-$(io386_version) +io386_tar := io386-$(io386_version).tar.gz +io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz +io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06 + +io386_target := \ + $(MAKE_JOBS) \ + $(CROSS_TOOLS) \ + CFLAGS="-Os" \ + SHARED=yes \ + PREFIX="/" \ + && \ + $(MAKE) \ + -C $(build)/$(io386_dir) \ + $(CROSS_TOOLS) \ + SHARED=yes \ + PREFIX="/" \ + DESTDIR="$(INSTALL)" \ + install \ + +io386_output := \ + io386 + +io386_libraries := + +io386_configure :=