diff --git a/blobs/t430s/download_clean_me.sh b/blobs/t430s/download_clean_me.sh new file mode 100755 index 000000000..fec0f1458 --- /dev/null +++ b/blobs/t430s/download_clean_me.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +function printusage { + echo "Usage: $0 -m (optional)" +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":m:" opt; do + case $opt in + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + esac +done + +FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin" +ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe" +ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin" + + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +echo "### Creating temp dir" +extractdir=$(mktemp -d) +cd "$extractdir" + +echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..." +wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || { echo "ERROR: wget not found" && exit 1; } +echo "### Verifying expected hash of g1rg24ww.exe" +echo "$ME_EXE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; } + +echo "### Extracting g1rg24ww.exe..." +innoextract ./g1rg24ww.exe || { echo "Failed calling innoextract. Tool installed on host?" && exit 1;} +echo "### Verifying expected hash of app/ME8_5M_Production.bin" +echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; } + +echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... " +$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin +echo "### Verifying expected hash of me.bin" +echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; } + + +echo "###Cleaning up..." +cd - +rm -r "$extractdir" diff --git a/blobs/t430s/extract.sh b/blobs/t430s/extract.sh new file mode 100755 index 000000000..f63c4d31e --- /dev/null +++ b/blobs/t430s/extract.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +function printusage { + echo "Usage: $0 -f -m (optional) -i (optional)" + exit 0 +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":f:m:i:" opt; do + case $opt in + f) + FILE="$OPTARG" + ;; + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + i) + if [ -x "$OPTARG" ]; then + IFDTOOL="$OPTARG" + fi + ;; + esac +done + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +if [ -z "$IFDTOOL" ]; then + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` + if [ -z "$IFDTOOL" ]; then + echo "ifdtool required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +echo "FILE: $FILE" +echo "ME: $MECLEAN" +echo "IFD: $IFDTOOL" + +bioscopy=$(mktemp) +extractdir=$(mktemp -d) + +echo "###Copying $FILE under $bioscopy" +cp "$FILE" $bioscopy + +cd "$extractdir" +echo "###Unlocking $bioscopy IFD..." +$IFDTOOL -u $bioscopy +echo "###Extracting regions from ROM..." +$IFDTOOL -x $bioscopy +echo "###Copying GBE region under $BLOBDIR/gbe.bin..." +cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" +echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... " +$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy" + +echo "###Cleaning up..." +rm "$bioscopy" +rm -r "$extractdir" diff --git a/blobs/t430s/gbe.bin b/blobs/t430s/gbe.bin new file mode 100644 index 000000000..0c9dfa1df Binary files /dev/null and b/blobs/t430s/gbe.bin differ diff --git a/blobs/t430s/ifd.bin b/blobs/t430s/ifd.bin new file mode 100644 index 000000000..e08f7fea8 Binary files /dev/null and b/blobs/t430s/ifd.bin differ diff --git a/boards/t430s-maximized/t430s-maximized.config b/boards/t430s-maximized/t430s-maximized.config new file mode 100644 index 000000000..cd9960689 --- /dev/null +++ b/boards/t430s-maximized/t430s-maximized.config @@ -0,0 +1,71 @@ +# Configuration for a T430s running Qubes 4.1 and other Linux Based OSes (through kexec) +# +# Includes +# - Deactivated+neutered ME and expanded consequent IFD BIOS regions +# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# +# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.13 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t430s-maximized.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +#Additional hardware support +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#Remote attestation support +#TPM based requirements +export CONFIG_TPM=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +#CONFIG_HOTPKEY=y + +#Nitrokey Storage admin tool +CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools: +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="Thinkpad T430s-maximized" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -c MX25L12835F/MX25L12845E/MX25L12865E -p internal" + +# xx30-*-maximized boards require of you initially call one of the +# following to have gbe.bin ifd.bin and me.bin +# - blobs/xx30/download_clean_me.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce +# reduced IFD ME region and expanded BIOS IFD region. +# - blobs/xx30/extract.sh +# To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs. + diff --git a/config/coreboot-t430s-maximized.config b/config/coreboot-t430s-maximized.config new file mode 100644 index 000000000..185dc9dfc --- /dev/null +++ b/config/coreboot-t430s-maximized.config @@ -0,0 +1,21 @@ +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set +CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_CBFS_SIZE=0xB80000 +CONFIG_IFD_BIN_PATH="../../blobs/t430s/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/t430s/me.bin" +CONFIG_GBE_BIN_PATH="../../blobs/t430s/gbe.bin" +CONFIG_HAVE_IFD_BIN=y +CONFIG_BOARD_LENOVO_T430S=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" +CONFIG_UART_PCI_ADDR=0 +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t430s-maximized/bzImage" +CONFIG_LINUX_INITRD="../../build/t430s-maximized/initrd.cpio.xz"