linuxboot · tlaurion · Apr 11, 2023 · Mar 30, 2023 · Mar 31, 2023 · Mar 31, 2023
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -519,6 +519,20 @@ workflows:
           requires:
             - librem_14
 
+      - build:
+          name: p8z77-m_pro-tpm1-maximized
+          target: p8z77-m_pro-tpm1-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
+      - build:
+          name: p8z77-m_pro-tpm1-hotp-maximized
+          target: p8z77-m_pro-tpm1-hotp-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
 #      - build:
 #          name: kgpe-d16_workstation-usb_keyboard
 #          target: kgpe-d16_workstation-usb_keyboard

diff --git a/blobs/p8z77-m_pro/download_BIOS_clean.sh b/blobs/p8z77-m_pro/download_BIOS_clean.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+# P7 ASUS
+
+function printusage {
+  echo "Usage: $0 -m <me_cleaner> -c <COREBOOT_DIR>"
+}
+
+BLOB_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:c:" opt; do
+  case $opt in
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+    c)
+      if [ -x "$OPTARG" ]; then
+        COREBOOT_DIR="$OPTARG"
+      fi
+      ;;
+  esac
+
+done
+
+
+if [[ -z "${COREBOOT_DIR}" ]]; then
+	COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+	if [[ -z "${COREBOOT_DIR}" ]]; then
+		echo "ERROR: No COREBOOT_DIR variable defined, and no coreboot path found automagically."
+		exit 1
+	fi
+fi
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $COREBOOT_DIR/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+CAP_ZIP_SHA256SUM="baf7f513227542c507e46735334663f63a0df5be9f6632d7b0f0cca5d3b9f980  P8Z77-M-PRO-ASUS-2203.zip"
+CAP_FILE_SHA256SUM="d9bf292778655d4e20f5db2154cd6a2229e42b60ce670a68d759f1dac757aaf0  P8Z77-M-PRO-ASUS-2203.CAP"
+FINAL_IFD_SHA256SUM="702570d59c11b9b70ab9d54b26ff0906a07edf15eebe63f40bcecb04b955969f  ifd.bin"
+FINAL_ME_SHA256SUM="8dda1e8360fbb2da05bfcd187f6e7b8a272a67d66bc0074bbfd1410eb35e3e17  me.bin"
+ZIPURL="https://dlcdnets.asus.com/pub/ASUS/mb/LGA1155/P8Z77-M_PRO/P8Z77-M-PRO-ASUS-2203.zip"
+
+ZIPFILENAME=`echo $ZIPURL | sed 's/.*\///'`
+ROMFILENAME=`echo $ZIPFILENAME | sed 's/\.zip$/\.ROM/'`
+
+extractdir=$(mktemp -d)
+echo "### Creating temp dir $extractdir "
+cd "$extractdir"
+
+echo "### Downloading $ZIPURL"
+wget $ZIPURL || { echo "ERROR: wget failed $ZIPURL" && exit 1; }
+echo "### Verifying expected hash of $ZIPFILENAME"
+echo "$CAP_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
+
+echo "### Extracting Archives"
+unzip $ZIPFILENAME || { echo "Failed unzipping $ZIPFILENAME - Tool installed on host?" && exit 1;}
+
+echo "### Verifying expected hash of $ROMFILENAME"
+echo "$CAP_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
+
+echo "### extracing BIOS from Capsule"
+dd bs=1024 skip=2 if=P8Z77-M-PRO-ASUS-2203.CAP of=P8Z77-M-PRO-ASUS-2203.ROM || { echo "Failed to de-cap the ROM..." && exit 1; }
+
+echo "### Applying me_cleaner to neuter and truncate."
+$MECLEAN -S -r -t -d -O  /tmp/unneeded.bin -D "ifd.bin" -M "me.bin" P8Z77-M-PRO-ASUS-2203.ROM
+
+if [[ "${CONFIG_ZERO_IFD_VSCC}" =~ ^(Y|y)$ ]]; then
+	FINAL_IFD_SHA256SUM="092caeee117de27c0eb30587defcb6449a33c7c325b6f3c47b5a7a79670b5c3f  ifd.bin"
+	echo "### Modifying VSCC length and identifiers"
+	printf '\x00' | dd of=ifd.bin bs=1 seek=3837 count=1 conv=notrunc
+	printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of=ifd.bin bs=1 seek=3568 count=32 conv=notrunc
+	echo "### Verifying expected hashes"
+else
+	echo "###  Skipping VSCC modification by config"
+fi
+echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated IFD bin..." && exit 1; }
+mv ifd.bin $BLOB_DIR/ifd.bin
+echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated ME binary..." && exit 1; }
+mv me.bin $BLOB_DIR/me.bin
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"
diff --git a/boards/p8z77-m_pro-tpm1-hotp-maximized/p8z77-m_pro-tpm1-hotp-maximized.config b/boards/p8z77-m_pro-tpm1-hotp-maximized/p8z77-m_pro-tpm1-hotp-maximized.config
@@ -0,0 +1,6 @@
+# Inherit the rest from the base Asus P8Z77-M Pro config.
+include $(pwd)/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config
+
+CONFIG_HOTPKEY=y
+
+export CONFIG_BOARD_NAME="P8Z77-M PRO-HOTP"
diff --git a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config
@@ -0,0 +1,87 @@
+# Configuration for Asus P8Z77-M Pro
+#This board is a better choice over the P8H61 for a cost effective Heads + QubesOS desktop with ME neuter+disable compatibility. 
+#The P8H61 ecosystem was complex with multiple variants 
+#(some not even having a TPM header, and others having RamInit issues with some memory sticks), 
+##while less feature rich than the P8Z77 family. The P8H61s that were compatible still required 
+#some ME #sections (FCRS,EFFS) to be whitelisted in order to post, which introduced unknowns. 
+#The P8H61s #also needed a larger flash chip to work with heads than the manufacturer supplied 
+#4M, which add#ed complexity for the average user.
+#
+#The P8Z77-M Pro is able to offer more SATA connectors (2x 6Gb, 4x 3Gb, 2x eSATA) as well as 
+#more full size expansion ports. The board has a PS/2 keyboard port as recommended for QubesOS. 
+##The board comes with 8M flash chip as standard.
+#
+#The i7-3770 is the best CPU available for the board, with VT-x & VT-d both present
+
+#ME & ROM
+#The board supports Intel LGA1155, which allow for ME removal (both neuter+disable work), ME 
+#region resize/shrinking (aka 'maximized' board), as well as VSCC table modification..
+#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary 
+#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC 
+#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download 
+#script also resizes the rom layout and minimizes ME while maximizing space.
+#The P8Z77-M Pro comes as standard with an 8Mb Flash chip, which means that no modification is 
+#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by 
+#default, leaving just 335396 bytes available.
+#The P8Z77-M Pro has both TPM1 and TPM2 modules available, though at time of writing only the 
+#TPM1 module would be usable with heads until the TPM2 work is completed. All testing was done 
+#with a TPM1 module
+#
+#Test platform
+#BOARD: Asus P8Z77-M Pro
+#RAM: 32Gb - 4x TimeTec DDRL3 75TT16NUL2R8-8G
+#CPU: Intel i7 3770
+#TPM: Modules tested: Asus branded TPM 1.02H & Foxconn TPM Krypton Rev 1.0
+#
+# note: nohz=off is an optional CONFIG_LINUX_COMMAND_LINE parameter to supress repeated NOHZ: local_softirq_pending console output
+#
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-p8z77-m_pro-tpm1.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
+# for a console-based menu.
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="P8Z77-M PRO"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+#Set this option to zero out the VSCC table https://github.com/osresearch/heads/pull/1358#discussion_r1153251399 
+export CONFIG_ZERO_IFD_VSCC=y
+
+# Make the Coreboot build depend on the following 3rd party blobs:
+$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
+    $(pwd)/blobs/p8z77-m_pro/me.bin $(pwd)/blobs/p8z77-m_pro/ifd.bin
+
+$(pwd)/blobs/p8z77-m_pro/me.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/p8z77-m_pro/download_BIOS_clean.sh
+
+$(pwd)/blobs/p8z77-m_pro/ifd.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/p8z77-m_pro/download_BIOS_clean.sh
diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config
@@ -0,0 +1,17 @@
+CONFIG_USE_BLOBS=y
+CONFIG_VENDOR_ASUS=y
+CONFIG_CBFS_SIZE=0x7E7000
+CONFIG_BOARD_ASUS_P8Z77_M_PRO=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin"
+CONFIG_NO_GFX_INIT=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_TPM1=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"