Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
Jonathon Hall 2023-06-21 15:15:23 -04:00
commit 89858f52a9
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
46 changed files with 329 additions and 100 deletions

View File

@ -503,6 +503,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl
bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
bin_modules-$(CONFIG_BASH) += bash
bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
bin_modules-$(CONFIG_IO386) += io386
bin_modules-$(CONFIG_IOPORT) += ioport
bin_modules-$(CONFIG_ZSTD) += zstd

View File

@ -55,6 +55,10 @@ CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
# for a console-based menu.
CONFIG_CAIRO=y

View File

@ -29,6 +29,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,10 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -27,6 +27,10 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -27,6 +27,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -20,6 +20,11 @@ CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
# for a console-based menu.
CONFIG_CAIRO=y

View File

@ -25,6 +25,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -25,6 +25,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -28,6 +28,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -29,6 +29,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -29,6 +29,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -39,6 +39,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -27,6 +27,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -30,6 +30,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -39,6 +39,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -27,6 +27,11 @@ CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y

View File

@ -1,17 +1,28 @@
CONFIG_USE_BLOBS=y
CONFIG_VENDOR_ASUS=y
CONFIG_CBFS_SIZE=0x7E7000
CONFIG_BOARD_ASUS_P8Z77_M_PRO=y
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin"
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
CONFIG_HAVE_IFD_BIN=y
CONFIG_PCIEXP_HOTPLUG_BUSES=8
CONFIG_PCIEXP_HOTPLUG_MEM=0x800000
CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000
CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"
CONFIG_UART_PCI_ADDR=0x0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_NO_GFX_INIT=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_TPM1=y
CONFIG_PCIEXP_HOTPLUG_IO=0x2000
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM1=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
CONFIG_POST_IO_PORT=0x80
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"

View File

@ -1,19 +1,27 @@
CONFIG_CCACHE=y
# CONFIG_INCLUDE_CONFIG_FILE is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_CBFS_SIZE=0x980000
# CONFIG_POST_IO is not set
# CONFIG_POST_DEVICE is not set
CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
# CONFIG_POST_DEVICE is not set
# CONFIG_POST_IO is not set
CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
CONFIG_PCIEXP_HOTPLUG_BUSES=32
CONFIG_PCIEXP_HOTPLUG_MEM=0x800000
CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty"
CONFIG_COREBOOT_ROMSIZE_KB_10240=y
CONFIG_PCIEXP_ASPM=y
CONFIG_PCIEXP_COMMON_CLOCK=y
CONFIG_UART_PCI_ADDR=0
CONFIG_PCIEXP_HOTPLUG_IO=0x2000
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_USER_TPM1=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_TPM1=y
CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -1,6 +1,6 @@
# CONFIG_USE_BLOBS is not set
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
# CONFIG_USE_BLOBS is not set
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_CBFS_SIZE=0x7E7FFF
@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_T420=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -1,6 +1,6 @@
# CONFIG_USE_BLOBS is not set
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
# CONFIG_USE_BLOBS is not set
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_CBFS_SIZE=0xBE4FFF
@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_THINKPAD_T430=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_THINKPAD_T440P=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_HAVE_MRC=y
CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
CONFIG_UART_PCI_ADDR=0x0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_NO_GFX_INIT=y
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"

View File

@ -1,23 +1,21 @@
# CONFIG_INCLUDE_CONFIG_FILE is not set
# CONFIG_COLLECT_TIMESTAMPS is not set
CONFIG_USE_BLOBS=y
CONFIG_MEASURED_BOOT=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_CBFS_SIZE=0x7E7FFF
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin"
CONFIG_BOARD_LENOVO_T520=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_NO_POST=y
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin"
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_T520=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_DEBUG_SMM_RELOCATION=y

View File

@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y

View File

@ -1,28 +1,27 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_VGA_BIOS=y
CONFIG_CBFS_SIZE=0xBE4FFF
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom"
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom"
CONFIG_VGA_BIOS=y
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
# CONFIG_VGA_BIOS_SECOND is not set
CONFIG_VGA_ROM_RUN_DEFAULT=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_T530=y
CONFIG_NO_POST=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

View File

@ -1,23 +1,24 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_CBFS_SIZE=0xBE4FFF
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_T530=y
CONFIG_NO_POST=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

View File

@ -1,30 +1,28 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_VGA_BIOS=y
CONFIG_CBFS_SIZE=0xBE4FFF
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
CONFIG_VGA_BIOS=y
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
# CONFIG_VGA_BIOS_SECOND is not set
CONFIG_VGA_ROM_RUN_DEFAULT=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_W530=y
CONFIG_NO_POST=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

View File

@ -1,30 +1,28 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_VGA_BIOS=y
CONFIG_CBFS_SIZE=0xBE4FFF
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
CONFIG_VGA_BIOS=y
CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
# CONFIG_VGA_BIOS_SECOND is not set
CONFIG_VGA_ROM_RUN_DEFAULT=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_W530=y
CONFIG_NO_POST=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_VGA_BIOS_DGPU=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

View File

@ -1,23 +1,24 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
CONFIG_CBFS_SIZE=0xBE4FFF
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_W530=y
CONFIG_NO_POST=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_CONSOLE_SERIAL is not set
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
CONFIG_USE_OPTION_TABLE=y
CONFIG_STATIC_OPTION_TABLE=y

View File

@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_X220=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_NO_GFX_INIT=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_X230_EDP=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
CONFIG_BOARD_LENOVO_X230=y
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_UART_PCI_ADDR=0
# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_NO_GFX_INIT=y
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"

View File

@ -30,7 +30,9 @@ while true; do
# Re-source config because we change it when an option is toggled
. /tmp/config
dynamic_config_options=()
dynamic_config_options=(
'b' ' Change the /boot device'
)
# Options that don't apply to basic mode
[ "$CONFIG_BASIC" != "y" ] && dynamic_config_options+=(
@ -63,19 +65,31 @@ while true; do
'N' " $(get_config_display_action "$CONFIG_AUTOMATIC_POWERON") automatic power-on"
)
[ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ] && dynamic_config_options+=(
't' ' Deactivate Platform Locking to permit OS write access to firmware'
)
dynamic_config_options+=(
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu'
)
unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
'b' ' Change the /boot device' \
"${dynamic_config_options[@]}" \
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
menu_choice=$(cat /tmp/whiptail)
fi
case "$menu_choice" in
"t" )
unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE
replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"
combine_configs
. /tmp/config
;;
"x" )
exit 0
;;

View File

@ -158,5 +158,9 @@ if [ "$CONFIG_TPM" = "y" ]; then
tpmr kexec_finalize
fi
if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
lock_chip
fi
echo "Starting the new kernel"
exec kexec -e

23
initrd/bin/lock_chip Executable file
View File

@ -0,0 +1,23 @@
#!/bin/sh
# For this to work:
# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
#include ash shell functions (TRACE requires it)
. /etc/ash_functions
TRACE "Under /bin/lock_chip"
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
APM_CNT=0xb2
FIN_CODE=0xcb
fi
if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
echo "Finalizing chipset"
io386 -o b -b x $APM_CNT $FIN_CODE
else
echo "NOT Finalizing chipset"
echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
fi

View File

@ -57,6 +57,7 @@ recovery() {
# ensure /tmp/config exists for recovery scripts that depend on it
touch /tmp/config
. /tmp/config
if [ "$CONFIG_TPM" = "y" ]; then
tpmr extend -ix 4 -ic recovery

31
modules/io386 Normal file
View File

@ -0,0 +1,31 @@
modules-$(CONFIG_IO386) += io386
io386_depends := $(musl_dep)
io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1
io386_dir := io386-$(io386_version)
io386_tar := io386-$(io386_version).tar.gz
io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz
io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06
io386_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \
CFLAGS="-Os" \
SHARED=yes \
PREFIX="/" \
&& \
$(MAKE) \
-C $(build)/$(io386_dir) \
$(CROSS_TOOLS) \
SHARED=yes \
PREFIX="/" \
DESTDIR="$(INSTALL)" \
install \
io386_output := \
io386
io386_libraries :=
io386_configure :=