From 3f1c76ce116a283850cde032711a7b76bcad69bb Mon Sep 17 00:00:00 2001 
From: persmule Date: Wed, 17 Jan 2018 16:16:18 +0800 Subject: [PATCH 1/7] Introduce io386 to heads and use it to finalize chipset at runtime On some newer platforms of intel (confirmed on nehalem, sandy/ivy bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd) registers an SMI to lockdown some registers on the chipset, as well as access to the SPI flash, optionally. The SMI will always be triggered by coreboot during S3 resume, but can be triggered by either coreboot or the payload during normal boot path. Enabling the lockdown of access to the SPI flash will effectively write-protect it, but there is no runtime option for coreboot to control it, so letting coreboot trigger such an SMI leaves the owner of the machine with no possibility of programming the SPI flash from its own OS, which becomes a nightmare if the machine is hard to disassemble; so a scheme could be implemented in which the SMI to lock down the chipset and SPI flash is left for a payload to trigger, and temporarily disabling such triggering in order to program the SPI flash requires authentication. I have implemented a passcode-protected runtime-disableable lockdown with grub, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). In order to implement a similar scheme for Heads, I wrote [io386](https://github.com/hardenedlinux/io386). With this commit, io386 will be called before entering boot routine to trigger the SMI to finalize the chipset and write protect the SPI flash at the same time. Entering recovery shell will leave the flash writable. (The authentication routine implemented in previous revisions has been split as an independent commit.)
Originally proposed under PR#326
---
 Makefile | 1 +
 initrd/bin/generic-init | 11 +++++++++++
 initrd/bin/lock_chip | 15 +++++++++++++++
 modules/io386 | 28 ++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100755 initrd/bin/lock_chip
 create mode 100644 modules/io386

diff --git a/Makefile b/Makefile
index 33bb8901..85cda083 100644
--- a/Makefile
+++ b/Makefile
@@ -499,6 +499,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
 bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
+bin_modules-$(CONFIG_IO386) += io386
 
 $(foreach m, $(bin_modules-y), \
 $(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index 438f29d9..cd07049a 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -41,12 +41,18 @@ while true; do
 fi
 
 if [ "$totp_confirm" = "u" ]; then
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 exec /bin/usb-init
 continue
 fi
 
 if [ "$totp_confirm" = "m" ]; then
 # Try to select a kernel from the menu
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 mount_boot
 kexec-select-boot -m -b /boot -c "grub.cfg"
 continue
@@ -54,11 +60,16 @@ while true; do
 
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 mount_boot
 kexec-select-boot -b /boot -c "grub.cfg" \
 || recovery "Failed default boot"
 fi
 
+
+
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
new file mode 100755
index 00000000..1331aebf
--- /dev/null
+++ b/initrd/bin/lock_chip
@@ -0,0 +1,15 @@
+#!/bin/sh
+# For this to work:
+# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
+# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
+# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
+
+#include ash shell functions (TRACE requires it)
+. /etc/ash_functions
+
+TRACE "Under /bin/lock_chip"
+APM_CNT=0xb2
+FIN_CODE=0xcb
+echo "Finalizing chipset"
+io386 -o b -b x $APM_CNT $FIN_CODE
diff --git a/modules/io386 b/modules/io386
new file mode 100644
index 00000000..6829c7ea
--- /dev/null
+++ b/modules/io386
@@ -0,0 +1,28 @@
+modules-$(CONFIG_IO386) += io386
+
+io386_depends := $(musl_dep)
+
+io386_version := git
+io386_repo := https://github.com/hardenedlinux/io386
+io386_dir := io386-$(io386_version)
+
+io386_target := \
+ $(MAKE_JOBS) \
+ $(CROSS_TOOLS) \
+ SHARED=yes \
+ PREFIX="/" \
+ && \
+ $(MAKE) \
+ -C $(build)/$(io386_dir) \
+ $(CROSS_TOOLS) \
+ SHARED=yes \
+ PREFIX="/" \
+ DESTDIR="$(INSTALL)" \
+ install \
+
+io386_output := \
+ io386
+
+io386_libraries :=
+
+io386_configure :=

From 699a9613818932669330af842457352b2e6ef97b Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Wed, 12 Apr 2023 15:04:05 -0400
Subject: [PATCH 2/7] io386: replace check for io386 to call lock_chip by a single common call from kexec-boot prior of real kexec

---
 initrd/bin/generic-init | 11 -----------
 initrd/bin/kexec-boot | 4 ++++
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index cd07049a..438f29d9 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
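Review bot: The exit status of `io386 -o b -b x $APM_CNT $FIN_CODE` on the last line is not checked, so when io386 is absent from the initrd or exits non-zero the script has already printed "Finalizing chipset" and returns success, and its caller boots with the flash still writable; the `lock_chip` call that PATCH 2/7 adds to kexec-boot ignores the status as well. Propagate it, e.g. `io386 -o b -b x "$APM_CNT" "$FIN_CODE" || exit 1`, so the caller can refuse to continue. Nothing here reads anything back after the port write, so the echo is a statement of intent rather than confirmation that the lockdown took effect — worth stating in the header comment, which also has `know to work` where `known to work` is meant.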
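Review bot: `install \` on the last line of `io386_target` leaves a trailing continuation, so the definition only terminates because the line below it is empty; anything inserted directly under `install \` later would be silently absorbed into the recipe. End the value on `install` without the backslash, as `io386_output` already ends on `io386`. The unpinned `io386_version := git` / `io386_repo` pair is replaced by a pinned commit and hash in PATCH 3/7, so nothing further on that here.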
@@ -41,18 +41,12 @@ while true; do
 fi
 
 if [ "$totp_confirm" = "u" ]; then
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 exec /bin/usb-init
 continue
 fi
 
 if [ "$totp_confirm" = "m" ]; then
 # Try to select a kernel from the menu
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -m -b /boot -c "grub.cfg"
 continue
@@ -60,16 +54,11 @@ while true; do
 
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -b /boot -c "grub.cfg" \
 || recovery "Failed default boot"
 fi
 
-
-
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index d25b0482..dfbfccd9 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -150,5 +150,9 @@ if [ "$CONFIG_TPM" = "y" ]; then
 tpmr kexec_finalize
 fi
 
+if [ -x /bin/io386 ]; then
+ lock_chip
+fi
+
 echo "Starting the new kernel"
 exec kexec -e

From a598ba6e57e22ae60773b69ca745440f06e1be51 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 13 Apr 2023 09:21:26 -0400
Subject: [PATCH 3/7] modules/io386: fixate to latest commit id and optimize for space

---
 modules/io386 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/io386 b/modules/io386
index 6829c7ea..5ee33e63 100644
--- a/modules/io386
+++ b/modules/io386
@@ -2,13 +2,16 @@ modules-$(CONFIG_IO386) += io386
 
 io386_depends := $(musl_dep)
 
-io386_version := git
-io386_repo := https://github.com/hardenedlinux/io386
+io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1
 io386_dir := io386-$(io386_version)
+io386_tar := io386-$(io386_version).tar.gz
+io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz
+io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06
 
 io386_target := \
 $(MAKE_JOBS) \
 $(CROSS_TOOLS) \
+ CFLAGS="-Os" \
 SHARED=yes \
 PREFIX="/" \
 && \
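Review bot: The new guard `if [ -x /bin/io386 ]; then` keys the lockdown on whether the binary happens to be in the initrd rather than on the `CONFIG_IO386` knob the board configs set (and that the PATCH 1/7 generic-init checks removed here used), so a board that ships io386 for any other reason is locked unconditionally, while an initrd built with CONFIG_IO386=y but missing the binary skips the lock with no message. Gate on the knob and fail loudly: `if [ "$CONFIG_IO386" = y ]; then`, `lock_chip || die "Failed to finalize chipset"`, `fi` — using whichever error helper kexec-boot sources above the hunk. The rest of kexec-boot, including where `CONFIG_IO386` would come from, lies outside the hunk.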
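Review bot: `io386_hash` pins the sha256 of a tarball the forge generates on request from `https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz`; such archives are not guaranteed to stay byte-identical across forge-side changes, so this hash can start failing with no change to the pinned commit, and a maintainer then has to re-derive it from the commit rather than paste whatever the new download yields. A comment beside the hash recording how it was obtained, and that a mismatch must be re-verified against commit fc73fcf8e51a70638679c3e9b0ada10527f8a7c1 rather than blindly refreshed, would make that explicit. `CFLAGS="-Os"` on the make command line replaces whatever CFLAGS io386's own Makefile sets instead of appending to it; if upstream keeps warning or hardening flags in CFLAGS they are lost here — worth confirming against that Makefile. `io386_target` continues past the end of the hunk.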
From 9830c6c4ed14dcfc161517c8dae6310284c32860 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Wed, 12 Apr 2023 15:08:49 -0400 Subject: [PATCH 4/7] io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs --- .../p8z77-m_pro-tpm1-maximized.config | 4 +++ .../t420-hotp-maximized.config | 5 +++ boards/t420-maximized/t420-maximized.config | 4 +++ .../t430-hotp-maximized.config | 4 +++ boards/t430-maximized/t430-maximized.config | 5 +++ boards/t440p-maximized/t440p-maximized.config | 5 +++ .../t520-hotp-maximized.config | 5 +++ boards/t520-maximized/t520-maximized.config | 5 +++ .../t530-dgpu-hotp-maximized.config | 5 +++ .../t530-dgpu-maximized.config | 5 +++ .../t530-hotp-maximized.config | 5 +++ boards/t530-maximized/t530-maximized.config | 5 +++ .../w530-dgpu-K1000m-hotp-maximized.config | 5 +++ .../w530-dgpu-K1000m-maximized.config | 5 +++ .../w530-dgpu-K2000m-hotp-maximized.config | 5 +++ .../w530-dgpu-K2000m-maximized.config | 5 +++ .../w530-hotp-maximized.config | 5 +++ boards/w530-maximized/w530-maximized.config | 5 +++ .../x220-hotp-maximized.config | 5 +++ boards/x220-maximized/x220-maximized.config | 5 +++ .../x230-hotp-maximized-fhd_edp.config | 5 +++ .../x230-hotp-maximized.config | 5 +++ .../x230-hotp-maximized_usb-kb.config | 5 +++ .../x230-maximized-fhd_edp.config | 5 +++ boards/x230-maximized/x230-maximized.config | 5 +++ config/coreboot-p8z77-m_pro-tpm1.config | 23 +++++++++---- config/coreboot-t420-maximized.config | 4 ++- config/coreboot-t430-maximized.config | 4 ++- config/coreboot-t440p.config | 9 +++++- config/coreboot-t520-maximized.config | 20 ++++++------ .../coreboot-t530-dgpu-hotp-maximized.config | 2 ++ config/coreboot-t530-dgpu-maximized.config | 31 +++++++++--------- config/coreboot-t530-maximized.config | 21 ++++++------ ...coreboot-w530-dgpu-K1000m-maximized.config | 32 +++++++++---------- ...coreboot-w530-dgpu-K2000m-maximized.config | 32 +++++++++---------- config/coreboot-w530-maximized.config | 19 +++++------ config/coreboot-x220-maximized.config | 2 ++ 
config/coreboot-x230-maximized-fhd_edp.config | 2 ++ config/coreboot-x230-maximized.config | 2 ++ 39 files changed, 236 insertions(+), 89 deletions(-) diff --git a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config index 57cb23d3..51502716 100644 --- a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config +++ b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config @@ -55,6 +55,10 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 1281c444..e9b78273 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index bfbd8171..9f3760b0 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -28,6 +28,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index 5f172eb7..70f8ef8c 100644 
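Review bot: `export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y` has no consumer anywhere in this series — kexec-boot in PATCH 2/7 decides on `-x /bin/io386` and lock_chip hard-codes its port and command code — so as committed it is either dead configuration or a hook for something later, and the comment above it should say which, e.g. `# read by <script>` or `# reserved: not consumed yet`. The same block goes into every board file of this commit (the t420, t430, t440p, t520, t530, w530, x220 and x230 sections that follow), with one trailing blank line in some files and two in others, which is what the +4/+5 split in the diffstat reflects; one form for all would keep the next regeneration clean.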
--- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -27,6 +27,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 10d5a235..4983a6c0 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index b74edef9..247dc8ef 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -20,6 +20,11 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t520-hotp-maximized/t520-hotp-maximized.config b/boards/t520-hotp-maximized/t520-hotp-maximized.config index 7de13744..7d3ea1b3 100644 --- a/boards/t520-hotp-maximized/t520-hotp-maximized.config +++ b/boards/t520-hotp-maximized/t520-hotp-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/t520-maximized/t520-maximized.config b/boards/t520-maximized/t520-maximized.config index 4589ec21..35f55ff7 100644 --- a/boards/t520-maximized/t520-maximized.config +++ b/boards/t520-maximized/t520-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config index 364e49b7..e0412ef3 100644 --- a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config +++ b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config index ef7877b5..4d1c756e 100644 --- a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config +++ b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 9f9c00e0..8a4209fb 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config 
@@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 0bc59d86..3fa20c29 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config index f3dab011..396639cc 100644 --- a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config +++ b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config index 6a7bd1f1..822c91f7 100644 --- a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config +++ b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config index b5e45aa6..968cce2b 100644 --- a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config +++ b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config index edb50cb3..9a374c4d 100644 --- a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config +++ b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index a01a98d8..5e38664b 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index a2583297..fdd1c0c2 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config 
@@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 69531e65..ba46fb41 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 611dc3a8..d4df3a84 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index cb5daa6b..377e91f1 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index a8dca850..df4e8a45 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index 47a4133a..5cd7cfc2 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -30,6 +30,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index eda0d3a4..1db26bcc 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7d385a3f..e8f78e79 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config 
@@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config index 2fb5b5b7..2b3b7be3 100644 --- a/config/coreboot-p8z77-m_pro-tpm1.config +++ b/config/coreboot-p8z77-m_pro-tpm1.config @@ -1,17 +1,28 @@ -CONFIG_USE_BLOBS=y CONFIG_VENDOR_ASUS=y CONFIG_CBFS_SIZE=0x7E7000 CONFIG_BOARD_ASUS_P8Z77_M_PRO=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y CONFIG_NO_GFX_INIT=y -CONFIG_TPM_MEASURED_BOOT=y -CONFIG_TPM1=y +CONFIG_PCIEXP_HOTPLUG_IO=0x2000 +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM1=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y +CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config index 455aa803..ebc93fca 100644 --- a/config/coreboot-t420-maximized.config +++ b/config/coreboot-t420-maximized.config 
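Review bot: Beyond the two lines the subject covers (`# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set`, `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y`), the p8z77 hunk drops `CONFIG_USE_BLOBS=y`, reorders the blob lines and adds `CONFIG_PCIEXP_HOTPLUG_*`, `CONFIG_POST_IO_PORT=0x80`, `CONFIG_UART_PCI_ADDR=0x0` and the subsystem-ID and I2C-timeout lines — apparently a defconfig regenerated against a newer coreboot tree, which is fine if intended but is stated nowhere, so a reader auditing the lockdown change cannot tell which of these were deliberate. The t440p, t520, t530 and w530 sections below carry the same kind of churn. Naming the coreboot revision the configs were regenerated with in the commit message, and saying whether `CONFIG_USE_BLOBS` was dropped because the symbol no longer exists there, would make the diff reviewable.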
@@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T420=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config index 190ac0fb..ae701a37 100644 --- a/config/coreboot-t430-maximized.config +++ b/config/coreboot-t430-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T430=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index c70c0e6a..a14496ba 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config 
@@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T440P=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0" CONFIG_TPM_MEASURED_BOOT=y CONFIG_HAVE_MRC=y CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y -CONFIG_NO_GFX_INIT=y +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config index 0665a395..6830c102 100644 --- a/config/coreboot-t520-maximized.config +++ b/config/coreboot-t520-maximized.config 
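Review bot: `+CONFIG_TPM_MEASURED_BOOT=y` duplicates the `CONFIG_TPM_MEASURED_BOOT=y` already present in the hunk's context earlier on (right after `CONFIG_LINUX_COMMAND_LINE`), so the file now carries the line twice; drop the added copy — a regenerated defconfig would not contain a duplicate, which suggests this hunk was edited by hand. The hunk also removes `CONFIG_NO_GFX_INIT=y`, which the subject does not mention; if the symbol still exists for this board that changes whether coreboot initialises graphics and belongs in the commit message or a separate commit.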
@@ -1,23 +1,21 @@ # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set -CONFIG_USE_BLOBS=y -CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF -CONFIG_ONBOARD_VGA_IS_PRIMARY=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin" -CONFIG_BOARD_LENOVO_T520=y -CONFIG_DRIVERS_PS2_KEYBOARD=y -CONFIG_NO_POST=y CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin" +CONFIG_HAVE_IFD_BIN=y +CONFIG_BOARD_LENOVO_T520=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-t530-dgpu-hotp-maximized.config b/config/coreboot-t530-dgpu-hotp-maximized.config index b1f84b7a..7b1ca684 100644 --- a/config/coreboot-t530-dgpu-hotp-maximized.config +++ b/config/coreboot-t530-dgpu-hotp-maximized.config @@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config index fd236eea..d1933646 100644 --- a/config/coreboot-t530-dgpu-maximized.config +++ b/config/coreboot-t530-dgpu-maximized.config 
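Review bot: The rewritten t520 config drops `CONFIG_MEASURED_BOOT=y` and the new side has no `CONFIG_TPM_MEASURED_BOOT=y` to take its place, unlike the t420/t430 sections above and the t530/w530 sections below, which all set it. If the old name was a stale symbol that regeneration discards, the regenerated file still needs `CONFIG_TPM_MEASURED_BOOT=y`; otherwise this board's coreboot stops measuring into the TPM and the TOTP/HOTP attestation Heads builds on those measurements is, presumably, silently weakened. Add the line or explain in the message why t520 differs. `CONFIG_DEBUG_SMM_RELOCATION=y` and `CONFIG_ONBOARD_VGA_IS_PRIMARY=y` are removed in the same hunk without mention.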
@@ -1,28 +1,27 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU_ID="10de,0def" +CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" +CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" -CONFIG_VGA_BIOS_DGPU_ID="10de,0def" -CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" -CONFIG_VGA_BIOS=y -CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config index 41569924..3d245dcf 100644 --- a/config/coreboot-t530-maximized.config +++ b/config/coreboot-t530-maximized.config 
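Review bot: The hunk removes `# CONFIG_CONSOLE_SERIAL is not set`, `# CONFIG_VGA_BIOS_SECOND is not set` and `CONFIG_VGA_ROM_RUN_DEFAULT=y`, none related to the lockdown; deleting an explicit "is not set" line hands the option back to its Kconfig default, so unless the defaults of the target coreboot revision are known to match, serial-console and option-ROM behaviour on this board may change. The t530-maximized section below also drops the CONSOLE_SERIAL line, and both w530-dgpu sections drop all three plus `CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y`, which the t530-maximized section keeps — either the w530 boards are meant to differ or that line was lost in regeneration. Stating the coreboot revision the configs were regenerated against would let a reviewer check the defaults rather than guess.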
@@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config index 64a2f3ec..245a5c56 100644 --- a/config/coreboot-w530-dgpu-K1000m-maximized.config +++ b/config/coreboot-w530-dgpu-K1000m-maximized.config 
@@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
+CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
+CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
-CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
-CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
-CONFIG_VGA_BIOS=y
-CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config
index ab1ea461..dc2f561c 100644
--- a/config/coreboot-w530-dgpu-K2000m-maximized.config
+++ b/config/coreboot-w530-dgpu-K2000m-maximized.config
@@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
+CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
+CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
-CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
-CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
-CONFIG_VGA_BIOS=y
-CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config
index daf91635..3adb53d3 100644
--- a/config/coreboot-w530-maximized.config
+++ b/config/coreboot-w530-maximized.config
@@ -1,23 +1,24 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config
index 934ff13f..3b2a6223 100644
--- a/config/coreboot-x220-maximized.config
+++ b/config/coreboot-x220-maximized.config
@@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X220=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config
index 231c24a4..837d8a6a 100644
--- a/config/coreboot-x230-maximized-fhd_edp.config
+++ b/config/coreboot-x230-maximized-fhd_edp.config
@@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230_EDP=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config
index dedeed36..f5780fe7 100644
--- a/config/coreboot-x230-maximized.config
+++ b/config/coreboot-x230-maximized.config
@@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
From 39bb6ea313b37e182635c5010b15c69d91d74c08 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 20 Jun 2023 12:40:00 -0400
Subject: [PATCH 5/7] lock_chip: parametrize locking in function of board config exported config option kexec-boot: depend on io386 presence and board config option to call lock_chip
---
 initrd/bin/kexec-boot | 2 +-
 initrd/bin/lock_chip | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index dfbfccd9..de59db6e 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -150,7 +150,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
 tpmr kexec_finalize
 fi
-if [ -x /bin/io386 ]; then
+if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
 lock_chip
 fi
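Review bot: The new condition `[ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]` in the kexec-boot hunk skips the lock silently when the option is `y` but `/bin/io386` is absent, which is precisely the misbuild (locking requested, io386 not included in the initrd) that should be loud, since the platform then boots unlocked with nothing on the console saying so. Test the option first and report the missing binary: `if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then` / `if [ -x /bin/io386 ]; then lock_chip; else echo "WARNING: io386 missing, platform left unlocked"; fi` / `fi`. The option is re-tested inside lock_chip in the next hunk, so one of the two places should own the decision and the other should only execute it. The surrounding script continues outside the hunk.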
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
index 1331aebf..8bf316b7 100755
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@@ -9,7 +9,15 @@
 . /etc/ash_functions
 TRACE "Under /bin/lock_chip"
-APM_CNT=0xb2
-FIN_CODE=0xcb
-echo "Finalizing chipset"
-io386 -o b -b x $APM_CNT $FIN_CODE
+if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+ APM_CNT=0xb2
+ FIN_CODE=0xcb
+fi
+
+if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
+ echo "Finalizing chipset"
+ io386 -o b -b x $APM_CNT $FIN_CODE
+else
+ echo "NOT Finalizing chipset"
+ echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
+fi
From 995a6931f1471565b293bf1799c7ff91fd310ee3 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 18 Jun 2023 17:08:45 -0400
Subject: [PATCH 6/7] config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime ash_functions: make sure /tmp/config is sourced before going to recovery shell TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
---
 initrd/bin/config-gui.sh | 25 +++++++++++++++++++++----
 initrd/etc/ash_functions | 1 +
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 071248ba..4f6ea91c 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -10,6 +10,20 @@ TRACE "Under /bin/config-gui.sh"
 param=$1
 while true; do
+ dynamic_config_options=(
+ 'b' ' Change the /boot device'
+ 's' ' Save the current configuration to the running BIOS' \
+ 'r' ' Clear GPG key(s) and reset all user settings' \
+ )
+ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ];then
+ dynamic_config_options+=(
+ 't' ' Deactivate Platform Locking to permit OS write access to firmware'
+ )
+ fi
+ dynamic_config_options+=(
+ 'x' ' Return to Main Menu'
+ )
+
 if [ ! -z "$param" ]; then
 # use first char from parameter
 menu_choice=${param::1}
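Review bot: The `else` branch of the lock_chip hunk prints `NOT Finalizing chipset` but lets the script exit 0, so a caller cannot distinguish a finalized platform from one left open, and the message blames `APM_CNT`/`FIN_CODE` when the only way they are unset in this script is `CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE` not being `y`. Say what actually happened and make it checkable, e.g. `echo "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE is not set: chipset NOT finalized"` followed by `exit 1` if the remaining callers tolerate a non-zero status (the kexec-boot hunk gates on the same option and never reaches this branch). The `io386 -o b -b x $APM_CNT $FIN_CODE` line likewise discards io386's exit status; ending the script with `exit $?` would at least let a caller notice a failed port write. Lines 1–8 of the script are outside the hunk, so whether /tmp/config is sourced there or the option arrives only through the caller's environment cannot be checked from this diff.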
@@ -18,16 +32,19 @@ while true; do
 unset menu_choice
 whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
 --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
- 'b' ' Change the /boot device' \
- 's' ' Save the current configuration to the running BIOS' \
- 'r' ' Clear GPG key(s) and reset all user settings' \
- 'x' ' Return to Main Menu' \
+ "${dynamic_config_options[@]}" \
 2>/tmp/whiptail || recovery "GUI menu failed"
 menu_choice=$(cat /tmp/whiptail)
 fi
 case "$menu_choice" in
+ "t" )
+ unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE
+ replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"
+ combine_configs
+ . /tmp/config
+ ;;
 "x" )
 exit 0
 ;;
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index ffe88ec3..a26823fd 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -57,6 +57,7 @@ recovery() {
 # ensure /tmp/config exists for recovery scripts that depend on it
 touch /tmp/config
+ . /tmp/config
 if [ "$CONFIG_TPM" = "y" ]; then
 tpmr extend -ix 4 -ic recovery
From 2dcf7fbd775859092f7840df5bb4cb3d9546aac9 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Wed, 21 Jun 2023 11:19:43 -0400
Subject: [PATCH 7/7] coreboot-qemu-tpm1.config: TPM1 coreboot activation got lost in last commit. Sorry
---
 config/coreboot-qemu-tpm1.config | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/config/coreboot-qemu-tpm1.config b/config/coreboot-qemu-tpm1.config
index 2c6ad5fa..0378328b 100644
--- a/config/coreboot-qemu-tpm1.config
+++ b/config/coreboot-qemu-tpm1.config
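Review bot: The new `"t" )` branch switches platform locking off without any confirmation step in this hunk, and because `replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"` stages the value in the same file the existing `'s'` entry saves to the running BIOS, the menu's promise that changes revert after a reboot holds only as long as the user never picks `'s'` afterwards. For the one action whose purpose is to make the firmware writable from the OS, a yes/no prompt before `combine_configs` and a label that states the consequence, e.g. `'t' ' Deactivate Platform Locking (firmware becomes writable from the OS until reboot, or permanently if saved)'`, seem the minimum; the ash_functions hunk shows recovery() recording itself with `tpmr extend -ix 4 -ic recovery`, and recording the unlock the same way would let a later boot attest that it happened, assuming the TPM is available at this point. In the preceding hunk the `'s'` and `'r'` array entries keep a trailing `\` copied from the old whiptail argument list while `'b'` and `'x'` do not; inside `( … )` the continuation is harmless but should be dropped for consistency, and `];then` wants a space.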
@@ -1,19 +1,27 @@
 CONFIG_CCACHE=y
 # CONFIG_INCLUDE_CONFIG_FILE is not set
-CONFIG_ONBOARD_VGA_IS_PRIMARY=y
 CONFIG_CBFS_SIZE=0x980000
-# CONFIG_POST_IO is not set
-# CONFIG_POST_DEVICE is not set
-CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 # CONFIG_CONSOLE_SERIAL is not set
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+# CONFIG_POST_DEVICE is not set
+# CONFIG_POST_IO is not set
+CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
+CONFIG_PCIEXP_HOTPLUG_BUSES=32
+CONFIG_PCIEXP_HOTPLUG_MEM=0x800000
+CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty"
 CONFIG_COREBOOT_ROMSIZE_KB_10240=y
 CONFIG_PCIEXP_ASPM=y
 CONFIG_PCIEXP_COMMON_CLOCK=y
-CONFIG_UART_PCI_ADDR=0
+CONFIG_PCIEXP_HOTPLUG_IO=0x2000
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
 CONFIG_DRIVERS_PS2_KEYBOARD=y
-CONFIG_USER_TPM1=y
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_TPM1=y
+CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
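Review bot: The subject says only that TPM1 activation was restored, but beyond `-CONFIG_USER_TPM1=y` / `+CONFIG_TPM1=y` the hunk drops `CONFIG_UART_PCI_ADDR=0` and adds `CONFIG_PCIEXP_HOTPLUG_*`, `CONFIG_SUBSYSTEM_*_ID`, `CONFIG_I2C_TRANSFER_TIMEOUT_US` and `CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402` with everything else reordered, which reads as a fresh savedefconfig rather than a one-symbol fix. Either state in the commit message that the file was regenerated and against which coreboot tree, or reduce the hunk to the TPM1 line, so that the next reader does not have to guess whether `CONFIG_UART_PCI_ADDR` going away was intended. The rename from `CONFIG_USER_TPM1` to `CONFIG_TPM1` presumably tracks a coreboot symbol rename; naming the coreboot version that introduced it would make the qemu-tpm1 board's intended tree explicit.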