From 646ddee74874c584ad09bcd699593716006f751c Mon Sep 17 00:00:00 2001 From: Tom Hiller Date: Fri, 27 Nov 2020 22:31:53 -0500 Subject: [PATCH 1/4] blobs: add blobs/xx20 --- blobs/xx20/download_parse_me.sh | 35 ++ blobs/xx20/gbe.bin | Bin 0 -> 8192 bytes blobs/xx20/hashes.txt | 3 + blobs/xx20/ifd.bin | Bin 0 -> 4096 bytes blobs/xx20/layout.txt | 4 + blobs/xx20/me7_update_parser.py | 616 ++++++++++++++++++++++++++++++++ blobs/xx20/readme.md | 59 +++ 7 files changed, 717 insertions(+) create mode 100755 blobs/xx20/download_parse_me.sh create mode 100644 blobs/xx20/gbe.bin create mode 100644 blobs/xx20/hashes.txt create mode 100644 blobs/xx20/ifd.bin create mode 100644 blobs/xx20/layout.txt create mode 100644 blobs/xx20/me7_update_parser.py create mode 100644 blobs/xx20/readme.md diff --git a/blobs/xx20/download_parse_me.sh b/blobs/xx20/download_parse_me.sh new file mode 100755 index 000000000..ff6bee9f1 --- /dev/null +++ b/blobs/xx20/download_parse_me.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +FINAL_ME_BIN_SHA256SUM="1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 $BLOBDIR/me.bin" +ME_EXE_SHA256SUM="48f18d49f3c7c79fa549a980f14688bc27c18645f64d9b6827a15ef5c547d210 83rf46ww.exe" +ME7_5M_UPD_PRODUCTION_SHA256SUM="760b0776b99ba94f56121d67c1f1226c77f48bd3b0799e1357a51842c79d3d36 app/ME7_5M_UPD_Production.bin" + + +echo "### Creating temp dir" +extractdir=$(mktemp -d) +cd "$extractdir" + +echo "### Downloading https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe..." +wget https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe || ( echo "ERROR: wget not found" && exit 1 ) +echo "### Verifying expected hash of 83rf46ww.exe" +echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 ) + + +echo "### Extracting 83rf46ww.exe..." +innoextract -I app/ME7_5M_UPD_Production.bin 83rf46ww.exe || ( echo "Failed calling innoextract. Tool installed on host?" && exit 1) +echo "### Verifying expected hash of app/ME7_5M_UPD_Production.bin" +echo "$ME7_5M_UPD_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 ) + + +echo "###Generating neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... " +python3 "$BLOBDIR/me7_update_parser.py" -O "$BLOBDIR/me.bin" app/ME7_5M_UPD_Production.bin || ( echo "Failed to generate ME binary..." && exit 1 ) + +echo "### Verifying expected hash of me.bin" +echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 ) + + +echo "###Cleaning up..." +cd - +rm -r "$extractdir" diff --git a/blobs/xx20/gbe.bin b/blobs/xx20/gbe.bin new file mode 100644 index 0000000000000000000000000000000000000000..0c9dfa1df053c351547cf46596df7cab4c9e8500 GIT binary patch literal 8192 zcmeI#F$%&k6vpw-6lsSJrII@oU3!E!-0)5t^vFN47m21kbJ3=A`o#p{?M zJSHGDSo}k(J3u}lRnMsU(GVC7fzc2c4S~@R7!85Z5Eu=C(GVC7fuRushZMvaSQS_m z-aA0({i@y!yb8Pu@*WHfq6(r43WX5yLvdnIbr4#i5Xv`z$PW$Q;& +# Copyright (C) 2016-2018 Nicola Corna +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +# Based on the amazing me_cleaner, https://github.com/corna/me_cleaner, parses +# the required signed partition from an ME update file to generate a valid +# flashable ME binary. +# +# This was written for Heads ROM, https://github.com/osresearch/heads +# to allow continuous integration reproducible builds for Lenovo xx20 models +# (X220, T420, T520, etc). +# +# A full model list can be found: +# https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.txt + + +from struct import pack, unpack +from typing import List +import argparse +import sys +import hashlib +import binascii +import os.path + +############################################################################# + +FTPR_END = 0x76000 +MINIFIED_FTPR_OFFSET = 0x400 # offset start of Factory Partition (FTPR) +ORIG_FTPR_OFFSET = 0xCC000 +PARTITION_HEADER_OFFSET = 0x30 # size of partition header + +DEFAULT_OUTPUT_FILE_NAME = "flashregion_2_intel_me.bin" + +############################################################################# + + +class EntryFlags: + """EntryFlag bitmap values.""" + + ExclBlockUse = 8192 + WOPDisable = 4096 + Logical = 2048 + Execute = 1024 + Write = 512 + Read = 256 + DirectAccess = 128 + Type = 64 + + +def generateHeader() -> bytes: + """Generate Header.""" + ROM_BYPASS_INSTR_0 = binascii.unhexlify("2020800F") + ROM_BYPASS_INSTR_1 = binascii.unhexlify("40000010") + ROM_BYPASS_INSTR_2 = pack(" bytes: + """Partition table entry.""" + ENTRY_NAME = binascii.unhexlify("46545052") + ENTRY_OWNER = binascii.unhexlify("FFFFFFFF") # "None" + ENTRY_OFFSET = binascii.unhexlify("00040000") + ENTRY_LENGTH = binascii.unhexlify("00600700") + ENTRY_START_TOKENS = pack(" bytes: + """Copy data of a given size from FTPR starting from offset.""" + offset_end = offset + size + return self.ftpr[offset:offset_end] + + def unpack_next_int(self, offset: int) -> int: + """Sugar syntax for unpacking a little-endian UINT at offset.""" + return self.unpack_val(self.slice(offset, 4)) + + def unpack_val(self, data: bytes) -> int: + """Sugar syntax for unpacking a little-endian unsigned integer.""" + return unpack(" str: + """Decode bytes into ASCII.""" + return data.rstrip(b"\x00").decode("ascii") + + def clear_ftpr_data(self, start: int, end: int) -> None: + """Replace values in range with 0xFF.""" + empty_data = bytes() + + for i in range(0, end - start): + empty_data += b"\xff" + self.write_ftpr_data(start, empty_data) + + def write_ftpr_data(self, start: int, data: bytes) -> None: + """Replace data in FTPR starting at a given offset.""" + end = len(data) + start + + new_partition = self.ftpr[:start] + new_partition += data + + if end != FTPR_END: + new_partition += self.ftpr[end:] + + self.ftpr = new_partition + + ###################################################################### + # FTPR cleanig/checking functions + ###################################################################### + def get_chunks_offsets(self, llut: bytes): + """Calculate Chunk offsets from LLUT.""" + chunk_count = self.unpack_val(llut[0x04:0x08]) + huffman_stream_end = sum(unpack(" int: + """Relocate partition.""" + new_offset = MINIFIED_FTPR_OFFSET + name = self.bytes_to_ascii(self.slice(PARTITION_HEADER_OFFSET, 4)) + + old_offset, partition_size = unpack( + "> 4) & 7 == 0x01: + llut_start = self.unpack_val(mod_header[0x38:0x3C]) + llut_start += old_offset + break + + if self.mod_headers and llut_start != 0: + # Bytes 0x9:0xb of the LLUT (bytes 0x1:0x3 of the AddrBase) are + # added to the SpiBase (bytes 0xc:0x10 of the LLUT) to compute the + # final start of the LLUT. Since AddrBase is not modifiable, we can + # act only on SpiBase and here we compute the minimum allowed + # new_offset. + llut_start_corr = unpack(" int: + """Remove modules.""" + unremovable_huff_chunks = [] + chunks_offsets = [] + base = 0 + chunk_size = 0 + end_addr = 0 + + for mod_header in self.mod_headers: + name = self.bytes_to_ascii(mod_header[0x04:0x14]) + offset = self.unpack_val(mod_header[0x38:0x3C]) + size = self.unpack_val(mod_header[0x40:0x44]) + flags = self.unpack_val(mod_header[0x50:0x54]) + comp_type = (flags >> 4) & 7 + comp_type_name = self.COMPRESSION_TYPE_NAME[comp_type] + + print(" {:<16} ({:<7}, ".format(name, comp_type_name), end="") + + # If compresion type uncompressed or LZMA + if comp_type == 0x00 or comp_type == 0x02: + offset_end = offset + size + range_msg = "0x{:06x} - 0x{:06x} ): " + print(range_msg.format(offset, offset_end), end="") + + if name in self.UNREMOVABLE_MODULES: + end_addr = max(end_addr, offset + size) + print("NOT removed, essential") + else: + offset_end = min(offset + size, FTPR_END) + self.clear_ftpr_data(offset, offset_end) + print("removed") + + # Else if compression type huffman + elif comp_type == 0x01: + if not chunks_offsets: + # Check if Local Look Up Table (LLUT) is present + if self.slice(offset, 4) == b"LLUT": + llut = self.slice(offset, 0x40) + + chunk_count = self.unpack_val(llut[0x4:0x8]) + base = self.unpack_val(llut[0x8:0xC]) + 0x10000000 + chunk_size = self.unpack_val(llut[0x30:0x34]) + + llut = self.slice(offset, (chunk_count * 4) + 0x40) + + # calculate offsets of chunks from LLUT + chunks_offsets = self.get_chunks_offsets(llut) + else: + no_llut_msg = "Huffman modules found," + no_llut_msg += "but LLUT is not present." + sys.exit(no_llut_msg) + + module_base = self.unpack_val(mod_header[0x34:0x38]) + module_size = self.unpack_val(mod_header[0x3C:0x40]) + first_chunk_num = (module_base - base) // chunk_size + last_chunk_num = first_chunk_num + module_size // chunk_size + huff_size = 0 + + chunk_length = last_chunk_num + 1 + for chunk in chunks_offsets[first_chunk_num:chunk_length]: + huff_size += chunk[1] - chunk[0] + + size_in_kiB = "~" + str(int(round(huff_size / 1024))) + " KiB" + print( + "fragmented data, {:<9}): ".format(size_in_kiB), + end="", + ) + + # Check if module is in the unremovable list + if name in self.UNREMOVABLE_MODULES: + print("NOT removed, essential") + + # add to list of unremovable chunks + for x in chunks_offsets[first_chunk_num:chunk_length]: + if x[0] != 0: + unremovable_huff_chunks.append(x) + else: + print("removed") + + # Else unknown compression type + else: + unkwn_comp_msg = " 0x{:06x} - 0x{:06x}): " + unkwn_comp_msg += "unknown compression, skipping" + print(unkwn_comp_msg.format(offset, offset + size), end="") + + if chunks_offsets: + removable_huff_chunks = [] + + for chunk in chunks_offsets: + # if chunk is not in a unremovable chunk, it must be removable + if all( + not ( + unremovable_chk[0] <= chunk[0] < unremovable_chk[1] + or unremovable_chk[0] < chunk[1] <= unremovable_chk[1] + ) + for unremovable_chk in unremovable_huff_chunks + ): + removable_huff_chunks.append(chunk) + + for removable_chunk in removable_huff_chunks: + if removable_chunk[1] > removable_chunk[0]: + chunk_start = removable_chunk[0] - ORIG_FTPR_OFFSET + chunk_end = removable_chunk[1] - ORIG_FTPR_OFFSET + self.clear_ftpr_data(chunk_start, chunk_end) + + end_addr = max( + end_addr, max(unremovable_huff_chunks, key=lambda x: x[1])[1] + ) + end_addr -= ORIG_FTPR_OFFSET + + return end_addr + + def find_mod_header_size(self) -> None: + """Find module header size.""" + self.mod_header_size = 0 + data = self.slice(0x290, 0x84) + + # check header size + if data[0x0:0x4] == b"$MME": + if data[0x60:0x64] == b"$MME" or self.num_modules == 1: + self.mod_header_size = 0x60 + elif data[0x80:0x84] == b"$MME": + self.mod_header_size = 0x80 + + def find_mod_headers(self) -> None: + """Find module headers.""" + data = self.slice(0x290, self.mod_header_size * self.num_modules) + + for i in range(0, self.num_modules): + header_start = i * self.mod_header_size + header_end = (i + 1) * self.mod_header_size + self.mod_headers.append(data[header_start:header_end]) + + def resize_partition(self, end_addr: int) -> None: + """Resize partition.""" + spared_blocks = 4 + if end_addr > 0: + end_addr = (end_addr // 0x1000 + 1) * 0x1000 + end_addr += spared_blocks * 0x1000 + + # partition header not added yet + # remove trailing data the same size as the header. + end_addr -= MINIFIED_FTPR_OFFSET + + me_size_msg = "The ME minimum size should be {0} " + me_size_msg += "bytes ({0:#x} bytes)" + print(me_size_msg.format(end_addr)) + print("Truncating file at {:#x}...".format(end_addr)) + self.ftpr = self.ftpr[:end_addr] + + def check_and_clean_ftpr(self) -> None: + """Check and clean FTPR (factory partition).""" + self.num_modules = self.unpack_next_int(0x20) + self.find_mod_header_size() + + if self.mod_header_size != 0: + self.find_mod_headers() + + # ensure all of the headers begin with b'$MME' + if all(hdr.startswith(b"$MME") for hdr in self.mod_headers): + end_addr = self.remove_modules() + new_offset = self.relocate_partition() + end_addr += new_offset + + self.resize_partition(end_addr) + + # flip bit + # XXX: I have no idea why this works and passes RSA signiture + self.write_ftpr_data(0x39, b"\x00") + else: + sys.exit( + "Found less modules than expected in the FTPR " + "partition; skipping modules removal and exiting." + ) + else: + sys.exit( + "Can't find the module header size; skipping modules" + "removal and exiting." + ) + + +########################################################################## + + +def check_partition_signature(f, offset) -> bool: + """check_partition_signature copied/shamelessly stolen from me_cleaner.""" + f.seek(offset) + header = f.read(0x80) + modulus = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + public_exponent = unpack(" None: + """Generate ME blob.""" + print("Starting ME 7.x Update parser.") + + orig_f = open(input_file, "rb") + cleaned_ftpr = clean_ftpr(orig_f.read(FTPR_END)) + orig_f.close() + + fo = open(output_file, "wb") + fo.write(generateHeader()) + fo.write(generateFtpPartition()) + fo.write(cleaned_ftpr.ftpr) + fo.close() + + +def verify_output(output_file: str) -> None: + """Verify Generated ME file.""" + file_verifiy = open(output_file, "rb") + + if check_partition_signature(file_verifiy, MINIFIED_FTPR_OFFSET): + print(output_file + " is VALID") + file_verifiy.close() + else: + print(output_file + " is INVALID!!") + file_verifiy.close() + sys.exit("The FTPR partition signature is not valid.") + + +if __name__ == "__main__": + parser = argparse.ArgumentParser( + description="Tool to remove as much code " + "as possible from Intel ME/TXE 7.x firmware " + "update and create paratition for a flashable ME parition." + ) + + +parser.add_argument("file", help="ME/TXE image or full dump") +parser.add_argument( + "-O", + "--output", + metavar="output_file", + help="save " + "save file name other than the default '" + DEFAULT_OUTPUT_FILE_NAME + "'", +) + +args = parser.parse_args() + +output_file_name = DEFAULT_OUTPUT_FILE_NAME if not args.output else args.output + +# Check if output file exists, ask to overwrite or exit +if os.path.isfile(output_file_name): + input_msg = output_file_name + input_msg += " exists. Do you want to overwrite? [y/N]: " + if not str(input(input_msg)).lower().startswith("y"): + sys.exit("Not overwriting file. Exiting.") + +generate_me_blob(args.file, output_file_name) +verify_output(output_file_name) diff --git a/blobs/xx20/readme.md b/blobs/xx20/readme.md new file mode 100644 index 000000000..001ed5c52 --- /dev/null +++ b/blobs/xx20/readme.md @@ -0,0 +1,59 @@ +To build for X220 we need to have the following files in this folder: +* `me.bin` - ME binary that has been stripped and truncated with me7_update_parser +* `gbe.bin` - Network card blob from the original firmware +* `ifd.bin` - Flash layout file has been provided as text + +The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x220/downloads/driver-list/component?name=Chipset + +This provides latest ME version 7.1.91.3272, for which only the BUP region will be kept as non-removable: +Here is what Lenovo provides as a Summary of Changes: +<7.1.91.3272> (83RF46WW) +- (Fix) Fixed CVE-2017-5689: Escalation of privilege vulnerability in Intel(R) + Active Management Technology (AMT), Intel(R) Standard Manageability + (ISM), and Intel(R) Small Business Technology. + + +1.0:Automatically extract and neuter me update then add partition table to me.bin +download_parse_me.sh : Downloads latest ME update from lenovo verify checksum, extract ME, neuters ME, add partition table relocate and trim it and place it into me.bin + +sha256sum: +1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 blobs/xx20/me.bin + + +1.1: Manually generating blobs +-------------------- +Manually generate me.bin: +You can arrive to the same result of the following me.bin by doing the following manually: +wget https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe && innoextract 83rf46ww.exe && python3 blobs/xx20/me7_update_parser.py -O blobs/xx20/me.bin app/ME7_5M_UPD_Production.bin + +sha256sums: +48f18d49f3c7c79fa549a980f14688bc27c18645f64d9b6827a15ef5c547d210 83rf46ww.exe +760b0776b99ba94f56121d67c1f1226c77f48bd3b0799e1357a51842c79d3d36 app/ME7_5M_UPD_Production.bin +1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 blobs/xx20/me.bin + +ifd.bin is from an X220 and already ME partition resided to the new minimized size. The layout.txt has these updated sized and can be used with ifdtool to modify partition if needed. + +sha256sum: +c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin + +ls -al blobs/xx20/*.bin +-rw-r--r-- 1 tom users 8192 Nov 23 18:40 gbe.bin +-rw-r--r-- 1 tom users 4096 Nov 23 18:58 ifd.bin +-rw-r--r-- 1 tom users 86016 Nov 26 17:04 me.bin + +Manually regenerate gbe.bin: +blobs/x220/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510 +And then by following those instructions: +# Use this target to generate GbE for X220/x230 +gen-gbe-82579LM: + cd build/coreboot-4.8.1/util/bincfg/ + make + ./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin + # duplicate binary as per spec + cat gbe1.bin gbe1.bin > ../../../../blobs/xx20/gbe.bin + rm -f gbe1.bin + cd - + +sha256sum: +9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 blobs/xx20/gbe.bin +------------------------ From d7ccd87d490495f7a3017a40a55f7f1cfbe23071 Mon Sep 17 00:00:00 2001 From: Tom Hiller Date: Wed, 2 Dec 2020 19:33:03 -0500 Subject: [PATCH 2/4] boards: add x220-maximized --- boards/x220-maximized/x220-maximized.config | 67 +++++++++++++++++++++ config/coreboot-x220-maximized.config | 24 ++++++++ 2 files changed, 91 insertions(+) create mode 100644 boards/x220-maximized/x220-maximized.config create mode 100644 config/coreboot-x220-maximized.config diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config new file mode 100644 index 000000000..85f4d91b8 --- /dev/null +++ b/boards/x220-maximized/x220-maximized.config @@ -0,0 +1,67 @@ +# Configuration for a X220 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expended consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes NKSTORECLI to support Nitrokey Storage administrative tool +# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-x220-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=y + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="ThinkPad X220-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq" + +# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx20/download_parse_me.sh +# To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region. diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config new file mode 100644 index 000000000..0a7b71020 --- /dev/null +++ b/config/coreboot-x220-maximized.config @@ -0,0 +1,24 @@ +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x750000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" +CONFIG_BOARD_LENOVO_X220=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" +#CONFIG_DEBUG_TPM=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/x220-maximized/bzImage" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +CONFIG_LINUX_INITRD="../../build/x220-maximized/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y From 5b898e369c322892a798cc9d180f5a609d8ea5c9 Mon Sep 17 00:00:00 2001 From: Tom Hiller Date: Wed, 2 Dec 2020 19:33:18 -0500 Subject: [PATCH 3/4] boards: add t420-maximized --- boards/t420-maximized/t420-maximized.config | 67 +++++++++++++++++++++ config/coreboot-t420-maximized.config | 24 ++++++++ 2 files changed, 91 insertions(+) create mode 100644 boards/t420-maximized/t420-maximized.config create mode 100644 config/coreboot-t420-maximized.config diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config new file mode 100644 index 000000000..fc8378186 --- /dev/null +++ b/boards/t420-maximized/t420-maximized.config @@ -0,0 +1,67 @@ +# Configuration for a T420 running Qubes and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expended consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx20/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - Includes NKSTORECLI to support Nitrokey Storage administrative tool +# - Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code from +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t420-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=y + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="ThinkPad T420-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq" + +# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin +# - blobs/xx20/download_parse_me.sh +# To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region. diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config new file mode 100644 index 000000000..b7f5bd312 --- /dev/null +++ b/config/coreboot-t420-maximized.config @@ -0,0 +1,24 @@ +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x750000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/xx20/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/xx20/me.bin" +CONFIG_BOARD_LENOVO_T420=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/xx20/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t420-maximized/bzImage" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +CONFIG_LINUX_INITRD="../../build/t420-maximized/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y From 75e11cbb8d67bcfface1c2061767efc30cfca866 Mon Sep 17 00:00:00 2001 From: Tom Hiller Date: Wed, 2 Dec 2020 19:37:34 -0500 Subject: [PATCH 4/4] circleci: add xx20 maximized builds --- .circleci/config.yml | 64 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 56 insertions(+), 8 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 14a0168a4..2e50225bb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,7 +8,7 @@ jobs: name: Install dependencies command: | apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract - checkout - run: @@ -76,7 +76,7 @@ jobs: tar zcvf build/kgpe-d16_workstation/logs.tar.gz build/log/* - store-artifacts: path: build/kgpe-d16_workstation - + - run: name: kgpe-d16_workstation-usb_keyboard command: | @@ -136,7 +136,7 @@ jobs: rm -rf build/librem_l1um/* build/log/* && make CPUS=4 V=1 BOARD=librem_l1um || touch /tmp/failed_build no_output_timeout: 3h - run: - name: Output build failing logs + name: Output build failing logs command: | if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi \ - run: @@ -190,6 +190,54 @@ jobs: - store-artifacts: path: build/librem_mini_v2 + - run: + name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx20/download_parse_me.sh + - run: + name: x220-maximized + command: | + rm -rf build/x220-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x220-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi \ + - run: + name: Output x220-maximized hashes + command: | + cat build/x220-maximized/hashes.txt \ + - run: + name: Archiving build logs for x220-maximized + command: | + tar zcvf build/x220-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x220-maximized + + - run: + name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) + command: | + ./blobs/xx20/download_parse_me.sh + - run: + name: t420-maximized + command: | + rm -rf build/t420-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t420-maximized || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output t420-maximized hashes + command: | + cat build/t420-maximized/hashes.txt \ + - run: + name: Archiving build logs for t420-maximized + command: | + tar zcvf build/t420-maximized/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/t420-maximized + - run: name: x230-flash command: | @@ -311,7 +359,7 @@ jobs: path: build/x230-nkstorecli - run: - name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) command: | ./blobs/xx30/download_clean_me.sh - run: @@ -335,7 +383,7 @@ jobs: path: build/x230-maximized - run: - name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) command: | ./blobs/xx30/download_clean_me.sh - run: @@ -359,7 +407,7 @@ jobs: path: build/t430-hotp-maximized - run: - name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) command: | ./blobs/xx30/download_clean_me.sh - run: @@ -383,7 +431,7 @@ jobs: path: build/x230-maximized - run: - name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) command: | ./blobs/xx30/download_clean_me.sh - run: @@ -408,7 +456,7 @@ jobs: - run: - name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) + name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree) command: | ./blobs/xx30/download_clean_me.sh - run: