diff --git a/.circleci/config.yml b/.circleci/config.yml index 09c87ae50..d490b970a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -533,6 +533,20 @@ workflows: requires: - librem_14 + - build: + name: p8z77-v-tpm1-maximized + target: p8z77-v-tpm1-maximized + subcommand: "" + requires: + - librem_14 + + - build: + name: p8z77-v-tpm1-hotp-maximized + target: p8z77-v-tpm1-hotp-maximized + subcommand: "" + requires: + - librem_14 + # - build: # name: kgpe-d16_workstation-usb_keyboard # target: kgpe-d16_workstation-usb_keyboard diff --git a/blobs/p8z77-v/download_BIOS_clean.sh b/blobs/p8z77-v/download_BIOS_clean.sh new file mode 100755 index 000000000..6406e7672 --- /dev/null +++ b/blobs/p8z77-v/download_BIOS_clean.sh @@ -0,0 +1,73 @@ +#!/bin/bash +# P7 ASUS + +function printusage { + echo "Usage: $0 -m (optional)" +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":m:i:" opt; do + case $opt in + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + esac + +done + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +CAP_ZIP_SHA256SUM="06c034597edeeaaeace86d8b5d4780d1ac9e510b4736f7259cea83bface8fc51 P8Z77-V-ASUS-2104.zip" +CAP_FILE_SHA256SUM="bd60e7b7d5227147a47509979a748316dd30b314266a92bd8105984f6d540ba4 P8Z77-V-ASUS-2104.CAP" +#FINAL_IFD_SHA256SUM="f076be608c189da9532484b8152bc34029d1b1a8e28f630799fd474c47cb3f88 $BLOBDIR/ifd.bin" +FINAL_IFD_SHA256SUM="62a080f5e94c9366ae2f341a03a82c6e1b3fd18c223f250290312c08efd1db06 $BLOBDIR/ifd.bin" +FINAL_ME_SHA256SUM="8dda1e8360fbb2da05bfcd187f6e7b8a272a67d66bc0074bbfd1410eb35e3e17 $BLOBDIR/me.bin" +ZIPURL="https://dlcdnets.asus.com/pub/ASUS/mb/LGA1155/P8Z77-V/P8Z77-V-ASUS-2104.zip" + +ZIPFILENAME=`echo $ZIPURL | sed 's/.*\///'` +ROMFILENAME=`echo $ZIPFILENAME | sed 's/\.zip$/\.ROM/'` + +extractdir=$(mktemp -d) +echo "### Creating temp dir $extractdir " +cd "$extractdir" + +echo "### Downloading $ZIPURL" +wget $ZIPURL || { echo "ERROR: wget failed $ZIPURL" && exit 1; } +echo "### Verifying expected hash of $ZIPFILENAME" +echo "$CAP_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; } + +echo "### Extracting Archives" +unzip $ZIPFILENAME || { echo "Failed unzipping $ZIPFILENAME - Tool installed on host?" && exit 1;} + +echo "### Verifying expected hash of $ROMFILENAME" +echo "$CAP_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; } + +echo "### extracing BIOS from Capsule" +dd bs=1024 skip=2 if=P8Z77-V-ASUS-2104.CAP of=P8Z77-V-ASUS-2104.ROM || { echo "Failed to de-cap the ROM..." && exit 1; } + +echo "### Applying me_cleaner to neuter and truncate. EFFS,FCRS whitelisted" +$MECLEAN -S -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" P8Z77-V-ASUS-2104.ROM + +#echo "### Modifying VSCC length and identifiers" + +#printf '\x00' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3837 count=1 conv=notrunc +#printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3568 count=32 conv=notrunc + +echo "### Verifying expected hashes" +echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated IFD bin..." && exit 1; } +echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated ME binary..." && exit 1; } + +echo "###Cleaning up..." +cd - +rm -r "$extractdir" diff --git a/boards/p8z77-v-tpm1-hotp-maximized/p8z77-v-tpm1-hotp-maximized.config b/boards/p8z77-v-tpm1-hotp-maximized/p8z77-v-tpm1-hotp-maximized.config new file mode 100644 index 000000000..0fe5e95c0 --- /dev/null +++ b/boards/p8z77-v-tpm1-hotp-maximized/p8z77-v-tpm1-hotp-maximized.config @@ -0,0 +1,6 @@ +# Inherit the rest from the base Asus P8Z77-V config. +include $(pwd)/boards/p8z77-v-tpm1-maximized/p8z77-v-tpm1-maximized.config + +CONFIG_HOTPKEY=y + +export CONFIG_BOARD_NAME="P8Z77-V-HOTP" diff --git a/boards/p8z77-v-tpm1-maximized/p8z77-v-tpm1-maximized.config b/boards/p8z77-v-tpm1-maximized/p8z77-v-tpm1-maximized.config new file mode 100644 index 000000000..0e5ad71bf --- /dev/null +++ b/boards/p8z77-v-tpm1-maximized/p8z77-v-tpm1-maximized.config @@ -0,0 +1,81 @@ +# Configuration for Asus P8Z77-V +#This board is a better choice over the P8H61 for a cost effective Heads + QubesOS desktop with ME neuter+disable compatibility. +#The P8H61 ecosystem was complex with multiple variants +#(some not even having a TPM header, and others having RamInit issues with some memory sticks), +##while less feature rich than the P8Z77 family. The P8H61s that were compatible still required +#some ME #sections (FCRS,EFFS) to be whitelisted in order to post, which introduced unknowns. +#The P8H61s #also needed a larger flash chip to work with heads than the manufacturer supplied +#4M, which add#ed complexity for the average user. +# +#The P8Z77-V is able to offer more SATA connectors (2x 6Gb, 4x 3Gb, 2x eSATA) as well as +#more full size expansion ports. The board has a PS/2 keyboard port as recommended for QubesOS. +##The board comes with 8M flash chip as standard. +# +#The i7-3770 is the best CPU available for the board, with VT-x & VT-d both present + +#ME & ROM +#The board supports Intel LGA1155, which allow for ME removal (both neuter+disable work), ME +#region resize/shrinking (aka 'maximized' board), as well as VSCC table modification.. +#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary +#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC +#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download +#script also resizes the rom layout and minimizes ME while maximizing space. +#The P8Z77-V comes as standard with an 8Mb Flash chip, which means that no modification is +#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by +#default, leaving just 335396 bytes available. +#The P8Z77-V has both TPM1 and TPM2 modules available, though at time of writing only the +#TPM1 module would be usable with heads until the TPM2 work is completed. All testing was done +#with a TPM1 module +# +#Test platform +#BOARD: Asus P8Z77-V +#RAM: +#CPU: Intel E3-1275v2 +#TPM: Modules tested: - +# +# note: nohz=off is an optional CONFIG_LINUX_COMMAND_LINE parameter to supress repeated NOHZ: local_softirq_pending console output +# +CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config +CONFIG_COREBOOT_CONFIG=config/coreboot-p8z77-v-tpm1.config + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.17 +export CONFIG_LINUX_VERSION=4.14.62 + +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y + +# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead +# for a console-based menu. +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +CONFIG_LINUX_USB=y + +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOARD_NAME="P8Z77-V" +export CONFIG_FLASHROM_OPTIONS="-p internal" + +# Make the Coreboot build depend on the following 3rd party blobs: +$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ + $(pwd)/blobs/p8z77-v/me.bin $(pwd)/blobs/p8z77-v/ifd.bin + +$(pwd)/blobs/p8z77-v/me.bin: + COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ + $(pwd)/blobs/p8z77-v/download_BIOS_clean.sh diff --git a/config/coreboot-p8z77-v-tpm1.config b/config/coreboot-p8z77-v-tpm1.config new file mode 100644 index 000000000..42fe91f91 --- /dev/null +++ b/config/coreboot-p8z77-v-tpm1.config @@ -0,0 +1,17 @@ +CONFIG_VENDOR_ASUS=y +CONFIG_CBFS_SIZE=0x7E7000 +CONFIG_BOARD_ASUS_P8Z77_V=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-v/ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-v/me.bin" +CONFIG_NO_GFX_INIT=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_TPM1=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" +CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off nohz=off" +CONFIG_ONBOARD_VGA_IS_PRIMARY=y \ No newline at end of file diff --git a/config/linux-x230-maximized.config b/config/linux-x230-maximized.config index c886b9695..a6c6702a3 100644 --- a/config/linux-x230-maximized.config +++ b/config/linux-x230-maximized.config @@ -330,3 +330,4 @@ CONFIG_CRC8=m CONFIG_XZ_DEC_TEST=m CONFIG_CORDIC=m CONFIG_IRQ_POLL=y +CONFIG_BLK_DEV_NVME=y