This commit adds explanatory notes and updates existing t530 and w530 boards to generally align them with the dGPU points and provide signposting for those with and those without dGPU boards. It also adds an additional README in the blobs directory to explain the vbios extraction and building process.
This commit adds support for the t530 and w530 boards to enable dGPUs. dGPU's are required for DisplayPort external displays in the t530 dgpu model, and for both the VGA dn DisplayPort external displays in the W530 (which has two dGPUs, the K1000M and K2000M, hence two boards). The commit does the following:
1. Adds automated extraction scripts for vbios modelled on the me script in the blobs directory (one per board is necessary as it is based on board-specific bios updates).
2. Adds specific boards for the various dGPU models and corresponding coreboot configs.
3. Updates circleci config.yaml to run scripts and test boards.
Tested and working on T530 dgpu and W530 K1000M. dGPU scripts tested on Debian 10 and Ubuntu 21.04
Unify the CONFIG_BOOT_KERNEL_ADD/REOVE parameters for all
Librem boards. Ensure IOMMU disabled for the GPU, and that
duplicated IOMMU params are not passed to the kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update all Purism Librem boards except the L1UM server
to coreboot 4.15:
- update coreboot version from 4.8.1/4.13 to 4.15
- use purism_blobs module (if not already)
- update board coreboot defconfig files (Librem 13/15)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
-CircleCI addition.
-Removal of t530-flash, w530-flash boards, flash scripts and associated coreboot configs (no more legacy boards additions)
This is a merger of #1071, #1072 and #1073 so that test builds are available over CircleCI until osresearch/master CircleCI gets unlocked.
- xx30 legacy boards (x230, x230-flash, t430, t430-flash) now rely also on coreboot 4.13
- DOWNSIDE: x230 and t430 legacy boards now rely on WHIPTAIL (NOT FBWhiptail) to have enough space to fit under 7mb)
- xx20 boards moved to 4.13 (no need of xx20-flash boards here since single SPI boards with 7.5mb useable since blobs scripts are required)
- DOWNSIDE: all xx20 boards now have dropbear deactivated, while still having ethernet driver in.
- qemu-coreboot and qemu-coreboot-fbwhiptail switched to coreboot 4.13 WITHOUT TPM SUPPORT (with cryptsetup 2.x support)
- DOWNSIDE:
- coreboot-qemu board CBFS_SIZE=0x700000 -> 0x750000
- coreboot-qemu-fbwhiptail CBFS_SIZE=0x750000 -> 0x780000
- CircleCi build recipe removes 4.8.1 boards altogether
- KGPE-D16 workstation is used as new base build to save workspace layer (we removed one workspace layer)
- Removing one workspace layer will save approx 2 hours of build time on fresh builds
- Removing one coreboot version will save us approx 2 hours of build time on fresh builds
- KGPE-D16 will stay to coreboot 4.11 until forward notice.
- All other board configs SHOULD be built on latest coreboot versions
- all: coreboot NO_POST for all boards
- all: coreboot NO_GFX_INIT (linux payload does the graphic init)
- all: coreboot TPM_MEASURED_BOOT (no more patches under Heads for measured boot)
- all: coreboot DRIVERS_PS2_KEYBOARD (fixes no keyboard on soft reboot and potentially xx30t xx20t fix for random raw keyboard (to be tested)
- all: coreboot removal of DEFAULT_CONSOLE_LOGLEVEL_5 under some boards
- all: coreboot removal of "loglevel=3" under some linux command line options booting Heads kernel
- all: coreboot removal of DEBUG_SMM_RELOCATION (unneeded)
- all: coreboot INCLUDE_CONFIG_FILE and COLLECT_TIMESTAMPS for all boards
- all: coreboot CONSOLE_SERIAL present on all boards
- all: coreboot add VBT
- all: board configs switch to cryptsetup2
xx20 hotp-maximized boards:
- removal of dropbear (not enough space to have htop + dropbear)
txx0 boards coreboot:
- USE_OPTION_TABLE and STATIC_OPTION_TABLE added (todo: check T430 boards optimization and find issue/PR and ammend this commit)
We use 'iommu=igfx_off' for booting the Heads kernel, so use the same for
booting the OS to ensure consistency when kexecing
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Added note to KGPE-D16 configs about the current microcode bug, why microcode is not included and encouraging AMD Opteron 6300 series users to make sure their operating system loads microcode.
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER https://github.com/osresearch/heads/pull/703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations.
* Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!)
* xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME
extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin.
download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place.
Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space.
* CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit).
cp config/linux.. ./build/linux*/.config
cd build/linux*
make savedefconfig
cp defconfig ../../config/linux..
Resulting in only linux-kgpe-d16_workstation.config being updated.
For KGPE-D16 workstation boards:
Remove `console=tty0` from `CONFIG_BOOT_KERNEL_ADD` as was blocking Qubes graphical installer (CLI installer was launched).
Comment out `export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"` to provide a more desktop like experience.
Removed 0001-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch as already exists as 0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
Added 0020-kgpe-d16_measured-boot-support.patch for coreboot 4.11
Fix TPM errors when microcode is measured by initialising TPM earlier and loading the microcode later.
Thanks to Michał Żygowski <miczyg1> for condition suggestion: `if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM) && boot_cpu())`
Locate bootblock location and size with CBFS API. Credit to: Michał Żygowski <miczyg1>
Bring patches/coreboot-4.11 on par with master
Removed patches/coreboot-4.11/0020-kgpe-d16-vboot.patch
Removed Vboot options from KGPE-D16 coreboot configs
Enabled TPM in kgpe-d16 board configs
Enabled measured boot in kgpe-d16 coreboot configs.
Added support for video cards that require nouveau, radeon and amdgpu drivers in linux-kgpe-d16_workstation.config
`nouveau.config=NvForcePost=1` to be added to kexec'd kernels for better Nvidia card support.
Changing CONFIG_USB_BOOT_DEV to sdc1, adding back CONFIG_BOOT_STATIC_IP to 192.168.2.3, adding dual console to OpenBMC and tty0 in attempt to have QubesOS graphic installer which complains with no networking when attempting to start VNC
Adding dual console to OpenBmc and tty0
putting kgpe-d16-coreboot.conf in defconfig format
NO_HZ wasn't included in kernel config. Adding it.
Wasn't able to have both console firing up QubesOS gui installer, complaining about hvc1 console errors. Splitting up Workstation and server config. This one works for Worstation
Removing serial configuration and static IP stuff since we have a workstation here.
Seperate Workstation and Server board configurations until dual console truely works through QubesOS gui installation. kgpe-d16 board config removed until then.
Placing files in good directories
Corrrect flashrom options for kgpe-d16 server and workstation boards
kgpe-d16 linux: NO_HZ_IDLE instead of NO_HZ
kgpe-d16: seperate board for workstation to be AST and gui-init based, while kgpe-d16-> kgpe-d16_server
kgpe-d16_server: boots, shows ASpeed text on VGA, controllable through BMC via SSH.
kgpe-d16_workstation on ASpeed console. WIP. (Includes CIs configs to build server and workstation)
kgpe-d16_workstation in defconfig format
kgpe-d16 boards: pass from GPG to GPG2 board definitions
kgpe-d16_workstation : Adding Cairo and FbWhpitail in board config for gui-init to work in FB mode
kgpe-d16: removing plymouth.ignore-serial-consoles to fix server terminal output
kgpe-d16: bring par with staging branch https://gitlab.com/tlaurion/heads/commits/kgpe-d16_staging
kgpe-d16 : expressively export CONFIG_TPM=n
kgpe-d16_wokstation gui-init variables were missing
kgpe-d16 boards: add CONFIG_LINUX_USB_COMPANION_CONTROLLER so that usb is recognized
linux-kgpe-d16*: add support for Pike
kgpe-d16_workstation-usb_keyboard board support addition
kgpe-d16_server-whiptail: Add board and dependencies to have gui-init in whiptail (console mode, not FbWhiptail based
GitlabCI: kgpe-d16 fixes and upstream merge of change
kgpe-d16* board: add statement to fixate coreboot version to 4.8.1 for the moment
kgpe-d16: add missing config/linux-kgpe-d16_server-whiptail.config file
KGPE-D16: community work migration to coreboot 4.11 to fix issue #740
KGPE-D16 boards: Adding VBOOT+measured boot, musl-cross patch and 4.11 patch brought up per https://github.com/osresearch/heads/pull/709
kgpe-d16* boards: add VBOOT Kconfig patch per @miczyg1 recommendation under https://github.com/osresearch/heads/pull/795#issuecomment-671214637
KGPE-D16* coreboot configs: Add S3NV as a Runtime data whitelist (so that it is not measured at term) per @miczyg1 recommendation under https://github.com/osresearch/heads/pull/795#issuecomment-671214637
kgpe-d16 coreboot 4.11: add https://review.coreboot.org/c/coreboot/+/36908 patch
kgpe-d16 boards: add Linux kernel version where missing.
CircleCI: Add debug output on fail for kgpe-d16 board builds to bring par with upstream after rebasing on master
coreboot module: typo correction (tabs vs spaces)
CircleCI: trying to address "g++: fatal error: Killed signal terminated program cc1plus." happening under coreboot 4.11 and coreboot 4.12 builds
CircleCI: remove past addition to test recommendation from CircleCI: "resource_class: large"
CircleCi: Ok.... lets output dmesg content prior of other logs.... I'm out of ideas. Next step, ask CircleCI for support
At this stage:
- job's "make --load" is supposed to guarantee that the number of thread doesn't exhaust pass of a load of 2 (medium, free class, CircleCI has 32 cores so possibility of a load of 32)
- "--max_old_space_size=4096" in CircleCI environement is supposed to limit memory consumption to 4096Mb of memory, the max of a medium class free tier CircleCI node
CircleCI: remove verbose build (no more V=1), in case of failed build, find all logs modified in last minute and output each of them on console.
coreboot module: implement load average respect inside of problematic CI build for coreboot 4.11+ being killed in the action (32 cores with 4Gb ram get gcc OOM)
coreboot module: replace nproc by number of Gb actually available as number of CPUs, since each thread is expected to have 1Gb of ram.
CircleCI & coreboot config: fix merge conflict rebasing on master
coreboot 4.11 kgpe-d16 vboot patches addendum, credits goes to @Tonux599
Fix merge conflicts and make sure all boards are inside of CircleCI builds. PoC build for #867
Add CONFIG_AUTO_BOOT_TIMEOUT=5 to Librem board configs, to
enable automatic booting of default boot target after successful
HOTP verifcation via a Librem Key
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Set and export currently-used defaults in gui-init, but still
allow for inidividual boards to override via config if desired.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This will allow it to be used elsewhere within the UI.
Rename CONFIG_BOOT_GUI_MENU_NAME to better indicate use/function.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Force use of hardware sequencing for internal flashing to avoid
needing to specify the chip to be flashed.
Addresses #870
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: add support for building with kernel 5.4.69
Add support to module, port patches from 4.19.139.
Needed for newer platforms not supported by 4.19 kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add rysnc dependency for building kernel 5.x
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Migrate all Librem boards to kernel 5.x, common config
Update linux-librem_common.config from 4.x to 5.x, and add
CONFIG items needed to support the librem_l1um (AST DRM drivers,
serial port output).
Tested on Librem 13v4, Librem Mini, and Librem Server L1UM.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* config/coreboot-*: drop CONFIG_LOCALVERSION
Will be injected as part of the build using $(HEADS_GIT_VERSION)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: inject $(HEADS_GIT_VERSION) as CONFIG_LOCALVERSION
Needed for fwupd to handle board updates
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: override SMBIOS ProductName with $(BOARD)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Use $(BOARD)-$(HEADS_GIT_VERSION) as basis for output filename
makes builds uniquely identifiable based on board and version.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* x230-hotp-verification: revert to coreboot "CONFIG_CBFS_SIZE=0x700000" by disabling board "CONFIG_DROPBEAR=y" and "CONFIG_LINUX_E1000E" to save space per @alex-nitrokey test under #770 to fix#608
* x230-htop-verification board: add clarifications on x230 board differences. Fixes#737#770#608
* X230 board & coreboot config: Fix x230 board, removing dropbear and e1000e driver.
* t430: board and coreboot config par with x230 to circumvent CBFS linked suspend/resume issues.
* add x230-nkstorecli board;
* add modules: nkstorecli, libnk, libhidapi-libusb
* version bump nkstorecli; related minor in libnk
* upd. libnk module version bump to 3.6; remove 3.5 patch
* modules/coreboot: add option to use coreboot 4.11
Port patches from coreboot 4.8.1 to 4.11:
* 0000-measure-boot -> 0001
* 0010-cross-compiler-support
All other patches for coreboot 4.8.1 have either already been
integrated, or are for platforms which do not need to be migrated
to coreboot 4.11 (they will move to 4.12 or newer).
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add Broadwell-DE platform patch
Add a patch for FSP Broadwell-DE to make use of Heads' measured boot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add patch to read serial # from CBFS
Will be used by multiple Librem boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: add board support for Librem Server L1UM
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Librem Server L1UM: add new board
Add board config, coreboot config, kernel config files.
Add conditional purism-blobs dependency to coreboot-4.11 module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* flash.sh: add special handling for librem_l1um board
Add support for persisting PCIe config via PCHSTRP9 in flash descriptor.
This is needed to support multiple variants of the L1UM server which
use the same firmware but differ in PCIe lane configuration via the
PCH straps configuration in the flash descriptor.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add 'Use PRIxPTR to print uintptr_t' patch
Cherry-picked from upstream coreboot (post-4.11), fixes compilation issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add target to build board librem_l1um
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
There's only one Librem Mini board, it doesn't use a TPM,
no reason to unnecesarily lengthen the board name.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: readd librem_mini while making sure that if a board build fails, all logfile modified in the last minute are outputted on the CircleCI console prior to really failing and exiting
* librem_mini-NoTPM: addition of board config, distinctive coreboot config (required per Heads build system) to construct a ROM without TPM requirement.
* librem_mini: deletion of board and coreboot relative config, keeping librem_mini-NoTPM and coreboot config only. Removed librem_mini board build under CircleCI, keeping only librem_mini-NoTPM
* patches/coreboot-4.12: Add patch for Cannonlake ME status
Add patch print ME status regardless of enablement state
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules: add purism-blobs module
Rather than require users to manually run a script to download the required
blobs to build Purism Librem boards, automate it so the correct version
is automatically downloaded/extracted. Restrict to coreboot 4.12 for now
since 4.8.1 still needs FSP blobs, which are not in module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* configs/linux-librem13v2: unset CONFIG_RETPOLINE
Fixes compilation issue with newer kernels, ignored by older ones
which don't need it
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add new board: Librem Mini
Add Librem Mini board patch for coreboot 4.12, board config and
coreboot config. Continue reusing existing librem13v2 Linux config,
same as all other Librem boards currently. Use new purism-blobs module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* board/librem*: rename for consistency
Use 'librem_<board>' notation for consistency across all models.
Rename linux config file since used by multiple Librem models.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add librem_mini board to test
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add support for multiple kernel versions
Follow same pattern as used for coreboot. Add existing kernel version
as default for all existing boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add option to use 4.19 LTS kernel
Add option to use kernel 4.19.139 (current LTS version).
Duplicate existing patches from 4.14.62 as they all apply cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add CONFIG_TPM_NO_LUKS_DISK_UNLOCK to allow Librem boards to opt
out of using TPM to store LUKS key, and use it to guard the user
option to add the disk encryption key to the TPM.
Select this option for all Librem boards; all other boards which
select CONFIG_TPM=y will have no change in functionality.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
since it's no longer needed.
- Migrate kgpe-d16 patch.
The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:
- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
mount-usb switched to dynamic USB device detection a while back,
so eliminate instances of CONFIG_BOOT_USB_DEV, and derive the
mounted USB device from /etc/mtab in the one place where it's
actually needed (usb-scan). Clean up areas around calls to
mount-usb for clarity/readability.
Addresses issue #673
Test: Build Librem 13v4, boot ISO file on USB
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add support for the Lenovo ThinkPad T420 and X220.
* Fix the autodetection of ifdtool and me_cleaner.
* Enable FBWhiptail mode for X220 and T420
* Decreased CBFS size to fix 50 seconds boot delay problems
The error/warning background gradient colors were defined
for the librem 13 boards, but not for the librem 15 ones.
Add the missing exports.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
With addition of IOMMU/RMRR patches, passthru is no longer needed
for proper IOMMU functionality
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This changes Heads' bootscript for the x230 to gui-init and adds config
options needed for it. The config is very similar to the librem13v2 config.
My comparison of startup-time from a power-button press shows 2.5 seconds
more with these changes applied.
That said, the experience is smooth, the GUI is beautiful and easier to use
than the shell and text menu, especially during setup. That's what we
buy with startup time here.
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.
Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.
This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
The bios regions of the 12M coreboot image is 7M: 4M and 3 of the 8M split
image. The rest of the 8M image _generated_ with fake data and not usable
on real systems! It's dangerous to create them and suggest flashing them
externally.
That's exactly why the x230-flash build target is there: To
have a self-contained 4M image and enable easy unlocking of the 8M image
using the _original_ data.
the heads-wiki project is updated accordingly.
Closes#307Closes#302
