Remove CONFIG_NO_GFX_INIT from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Add CONFIG_BOOTSPLASH_IMAGE from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Add CONFIG_LINEAR_FRAMEBUFFER from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Set BOOTSPLASH parameters to match bootsplash and jpeg requirements
+CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT=768
+CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH=1024
+CONFIG_BOOTSPLASH=y
Others paramaters defined per board default setting with coreboot.save_oldconfig_in_place helper
both linux/coreboot:
- save_in_defconfig_format_in_place : takes whatever coreboot config file for a make BOARD=xyz statement and saves it in defconfig
- save_in_oldefconfig_format_in_place : takes whatever coreboot config file for a make BOARD=xyz statement and saves it in oldefconfig
linux:
- linux.prompt_for_new_config_options_for_kernel_version_bump:
- The most useful helper as of now when doing kernel version bump.
- Requires to save current kernel config in oldconfig (make BOARD=xyz linux.save_in_oldefconfig_format_in_place) first, then bump kernel version in board config and then use that helper to review new options and save in tree.
- add additional kernel boot params for i915 where needed:
- adds : drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0 ( to permit kexec into vesa fb of kexec'ed kernel for i915 driven gpus without framebuffer compression, leaking smem fbdev address for kexec to pickup )
advanced qemu-coreboot-*-tpm*-* boards enables virtio qemu/kvm through command line option.
qemu-coreboot-* (whiptail or fbwhiptail) basic boards are using bochs gpu emulation, provided through qemu
linux-qemu.config, if shared as of now, needs to provide both virtio (no need of FB_SIMPLE because DRM) and BOCHS+SIMPLE_FB
It was impossible to use directly 4.14 defconfig and apply it to 5.10.
Saving 4.14 in oldconfig, then editing in 5.10 was necessary.
- E1000E module (as kernel module support...) was lost in conversion and needed to be added back.
Also tuned things up:
- legacy-flash has no RETPOLINE, no security policy at all. Has expected usb controllers modules, exFAT and bare minimal support for flashrom.
- IMPORTANT: CONFIG_X86_IOPL_IOPERM kernel option is required by flashrom
- legacy adds sata, retpoline, additional modules (ethernet), security policy related material on top of legacy-flash config
- maximized adds MMC card support, mousedev+synaptic (to report presence through oem-system-info-xx30), thin provisioning+snapshot support
- tuned with linux.prompt_for_new_config_options_for_kernel_version_bump
Current storage format is oldconfig from now on for proper analysis. If needed, once can save back in defconfig prior of bumping to newer version.
On some newer platforms of intel (confirmed on nehalem, sandy/ivy
bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd)
registers an SMI to lockdown some registers on the chipset, as well
as access to the SPI flash, optionally. The SMI will always be triggered
by coreboot during S3 resume, but can be triggered by either coreboot
or the payload during normal boot path.
Enabling lockdown access to SPI flash will effectly write-protect it,
but there is no runtime option for coreboot to control it, so letting
coreboot to trigger such SMI will leave the owner of the machine lost
any possibility to program the SPI flash with its own OS, and becomes
a nightmare if the machine is uneasy to disassemble, so a scheme could
be implement, in which the SMI to lockdown chipset and SPI flash is left
for a payload to trigger, and temporarily disabling such triggering in
order to program the SPI flash needs authentication.
I have implemented a passcode-protected runtime-disableable lockdown
with grub, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). In order to implement a similar scheme for
Heads, I wrote [io386](https://github.com/hardenedlinux/io386).
With this commit, io386 will be called before entering boot routine
to trigger the SMI to finalize the chipset and write protect the SPI
flash at the same time. Entering recovery shell will leave the flash
writable.
(The authentication routine implemented in previous revisions has been
split as an independent commit.)
Originally proposed under PR#326
* Properly initialize sensor IDs of 2nd CPU to fix fan control.
* Use 2s delay for I2C communications with TPM in OPAL (configured in
device tree).
* Stop building unused parts of skiboot using host GCC.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
It only extends PCR10 and logs it separately.
Added entries are to compensate disabling IMA which selects those config
options.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Updated to reproducible version of fbwhiptail.
Added flags to remove debug info.
Updated url to current one instead of going through redirect.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
