add Nitropad NV41/NS50 TPM2 boards (2nd)

.circleci/config.yml

@@ -215,23 +215,35 @@ workflows:
 # version. The last board in the sequence is the dependency
 # for the parallel boards built at the end, and also save_cache.
 
-      # Coreboot 4.19
+      # coreboot 4.19
       - build_and_persist:
           name: x230-hotp-maximized
           target: x230-hotp-maximized
           subcommand: ""
           requires:
             - prep_env
 
-      # Coreboot 4.17
+      # coreboot-git librems
       - build_and_persist:
           name: librem_14
           target: librem_14
           subcommand: ""
           requires:
             - x230-hotp-maximized
 
-      # Coreboot for Talos (PPC)
+      # coreboot-git Nitropads depending on x230-hotp-maximized cache
+      # since kernel is 6.x and coreboot is git is unshared
+      # We use nitropad's coreboot's fork crossgcc
+      # No need to wait further for other board's cache.
+      # We reuse built modules from x230-hotp-maximized cache only
+      - build_and_persist:
+          name: nitropad-nv41
+          target: nitropad-nv41
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      # coreboot-git Talos II (PPC)
       - build_and_persist:
           name: talos-2
           arch: ppc64
@@ -243,10 +255,9 @@ workflows:
       #Cache one workspace per architecture. Make sure workspace caches are chainloaded and the last in chain for an arch is saved.
       - save_cache:
           requires:
-            - librem_14
             - talos-2
+            - nitropad-nv41
 
-#
 #
 # Those onboarding new boards should add their entries below.
 #
@@ -498,7 +509,7 @@ workflows:
           requires:
             - x230-hotp-maximized
 
-#Coreboot 4.17 boards
+#coreboot-git librem boards
       - build:
           name: librem_13v2
           target: librem_13v2
@@ -541,6 +552,14 @@ workflows:
           requires:
             - librem_14
 
+#coreboot-git dasharo clevo_release + staging IASL patch
+      - build:
+          name: nitropad-ns50
+          target: nitropad-ns50
+          subcommand: ""
+          requires:
+            - nitropad-nv41
+
 #      - build:
 #          name: UNTESTED_kgpe-d16_workstation-usb_keyboard
 #          target: UNTESTED_kgpe-d16_workstation-usb_keyboard

Makefile

@@ -304,11 +304,17 @@ define define_module =
 		echo -n '$($1_repo)|$($1_commit_hash)' > "$$@"; \
 	elif [ "$$$$(cat "$$@")" != '$($1_repo)|$($1_commit_hash)' ]; then \
 		echo "Switching $1 to $($1_repo) at $($1_commit_hash)" && \
-		git -C "$(build)/$($1_base_dir)" fetch $($1_repo) $($1_commit_hash) && \
+		git -C "$(build)/$($1_base_dir)" reset --hard HEAD^ && \
+		echo "git fetch $($1_repo) $($1_commit_hash) --recurse-submodules=no" && \
+		git -C "$(build)/$($1_base_dir)" fetch $($1_repo) $($1_commit_hash) --recurse-submodules=no && \
+		echo "git reset --hard $($1_commit_hash)" && \
 		git -C "$(build)/$($1_base_dir)" reset --hard $($1_commit_hash) && \
+		echo "git clean" && \
 		git -C "$(build)/$($1_base_dir)" clean -df && \
 		git -C "$(build)/$($1_base_dir)" clean -dffx payloads util/cbmem && \
+		echo "git submodule sync" && \
 		git -C "$(build)/$($1_base_dir)" submodule sync && \
+		echo "git submodule update" && \
 		git -C "$(build)/$($1_base_dir)" submodule update --init --checkout && \
 		echo -n '$($1_repo)|$($1_commit_hash)' > "$$@"; \
 	fi
@@ -527,6 +533,7 @@ bin_modules-$(CONFIG_KBD) += kbd
 bin_modules-$(CONFIG_ZSTD) += zstd
 bin_modules-$(CONFIG_E2FSPROGS) += e2fsprogs
 bin_modules-$(CONFIG_EXFATPROGS) += exfatprogs
+bin_modules-$(CONFIG_IOTOOLS) += iotools
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \

boards/nitropad-ns50/nitropad-ns50.config

@@ -0,0 +1,55 @@
+# Nitrokey Nitropad NS51 board configuration
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=nitrokey
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-ns50.config
+CONFIG_LINUX_CONFIG=config/linux-nitropad-x.config
+
+CONFIG_NITROKEY_BLOBS=y
+
+CONFIG_KEXEC=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+CONFIG_FLASHTOOLS=y
+CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_GPG2=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+
+CONFIG_IOTOOLS=y
+
+CONFIG_DROPBEAR=y
+
+CONFIG_MSRTOOLS=y
+CONFIG_HOTPKEY=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+CONFIG_LINUX_E1000=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+
+# TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+
+export CONFIG_BOOT_DEV="/dev/nvme0n1"
+export CONFIG_BOARD_NAME="Nitropad NS50"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+

boards/nitropad-nv41/nitropad-nv41.config

@@ -0,0 +1,55 @@
+# Nitrokey Nitropad NV41 board configuration
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=nitrokey
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-nv41.config
+CONFIG_LINUX_CONFIG=config/linux-nitropad-x.config
+
+CONFIG_NITROKEY_BLOBS=y
+
+CONFIG_KEXEC=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+CONFIG_FLASHTOOLS=y
+CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_GPG2=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+
+CONFIG_IOTOOLS=y
+
+CONFIG_DROPBEAR=y
+
+CONFIG_MSRTOOLS=y
+CONFIG_HOTPKEY=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+CONFIG_LINUX_E1000=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+
+# TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+
+export CONFIG_BOOT_DEV="/dev/nvme0n1"
+export CONFIG_BOARD_NAME="Nitropad NV41"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+

create-npf.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -exuo pipefail
+HEADS_GIT_VERSION=$(git describe --tags)
+BOARD=$1
+cd ./build/x86/${BOARD}/
+sha256sum heads-${BOARD}-${HEADS_GIT_VERSION}.rom > sha256sum.txt
+sed -ie 's@  @  /tmp/verified_rom/@g' sha256sum.txt
+zip heads-${BOARD}-${HEADS_GIT_VERSION}.npf heads-${BOARD}-${HEADS_GIT_VERSION}.rom sha256sum.txt

initrd/bin/flash-gui.sh

@@ -33,14 +33,35 @@ while true; do
           --yesno "You will need to insert a USB drive containing your BIOS image (*.rom or *.tgz).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
         mount_usb
         if grep -q /media /proc/mounts ; then
-          find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' \) | sort > /tmp/filelist.txt
+          find /media ! -path '*/\.*' -type f \( -name '*.rom' -o -name '*.tgz' -o -type f -name '*.npf' \) | sort > /tmp/filelist.txt
           file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
           if [ "$FILE" == "" ]; then
             return
           else
             ROM=$FILE
           fi
 
+          # is a .npf provided?
+          if [ -z "${ROM##*.npf}" ]; then
+            # unzip to /tmp/verified_rom
+            mkdir /tmp/verified_rom
+            unzip $ROM -d /tmp/verified_rom
+            # check file integrity
+            if (cd /tmp/verified_rom/ && sha256sum -cs /tmp/verified_rom/sha256sum.txt) ; then
+              ROM="$(head -n1 /tmp/verified_rom/sha256sum.txt | cut -d ' ' -f 3)"
+            else
+              whiptail --title 'ROM Integrity Check Failed! ' \
+                --msgbox "$ROM integrity check failed. Did not flash.\n\nPlease check your file (e.g. re-download).\n" 16 60
+              exit
+            fi
+          else
+            # exit if we shall not proceed
+            if ! (whiptail $CONFIG_ERROR_BG_COLOR --title 'Flash ROM without integrity check?' \
+                --yesno "You have provided a *.rom file. The integrity of the file can not be\nchecked for this file.\nIf you do not know how to check the file integrity yourself,\nyou should use a *.npf file instead.\n\nIf the file is damaged, you will not be able to boot anymore.\nDo you want to proceed flashing without file integrity check?" 16 60) then
+              exit
+            fi
+          fi
+
           if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
               --yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 0 80) then
             if [ "$menu_choice" == "c" ]; then

initrd/bin/nitropad-shutdown.sh

@@ -0,0 +1,36 @@
+#!/bin/ash
+
+# Method to access IT5570 IO Depth 2 registers
+it5570_i2ec() {
+  # TODO: Use /dev/port instead of iotools
+
+  # Address high byte
+  iotools io_write8 0x2e 0x2e
+  iotools io_write8 0x2f 0x11
+  iotools io_write8 0x2e 0x2f
+  iotools io_write8 0x2f $(($2>>8 & 0xff))
+
+  # Address low byte
+  iotools io_write8 0x2e 0x2e
+  iotools io_write8 0x2f 0x10
+  iotools io_write8 0x2e 0x2f
+  iotools io_write8 0x2f $(($2 & 0xff))
+
+  # Data
+  iotools io_write8 0x2e 0x2e
+  iotools io_write8 0x2f 0x12
+  iotools io_write8 0x2e 0x2f
+
+  case $1 in
+    "r")
+      iotools io_read8 0x2f
+      ;;
+    "w")
+      iotools io_write8 0x2f "$3"
+      ;;
+  esac
+}
+
+# shut down using EC external watchdog reset
+it5570_i2ec w 0x1f01 0x20
+it5570_i2ec w 0x1f07 0x01

initrd/bin/poweroff

@@ -8,6 +8,11 @@ if [ "$CONFIG_TPM" = "y" ]; then
 	tpmr shutdown
 fi
 
+# Run special EC-based poweroff for Nitropad-Nxx
+if [ "${CONFIG_BOARD%_*}" = nitropad-nv41 || "${CONFIG_BOARD%_*}" = nitropad-ns51 ]; then
+	/bin/nitropad-shutdown.sh
+fi
+
 # Sync all mounted filesystems
 echo s > /proc/sysrq-trigger
 

initrd/bin/reboot

@@ -8,6 +8,11 @@ if [ "$CONFIG_TPM" = "y" ]; then
 	tpmr shutdown
 fi
 
+# Run special EC-based poweroff for Nitropad-Nxx
+if [ "${CONFIG_BOARD%_*}" = nitropad-nv41 || "${CONFIG_BOARD%_*}" = nitropad-ns51 ]; then
+	/bin/nitropad-shutdown.sh
+fi
+
 # Sync all mounted filesystems
 echo s > /proc/sysrq-trigger
 

modules/coreboot

@@ -85,6 +85,14 @@ coreboot-purism_repo := https://source.puri.sm/firmware/coreboot.git
 coreboot-purism_commit_hash := a899f08d2789db1dd9b02cff34179c4d38e6d0e3
 $(eval $(call coreboot_module,purism,))
 
+#Nitrokey nv41/ns50 are based on Dasharo coreboot port,
+# with patches staging under coreboot-clevo_release
+coreboot-nitrokey_repo := https://github.com/dasharo/coreboot
+coreboot-nitrokey_commit_hash := ae10b20f5c6abc9c23f709b65c46be6525da8c13
+coreboot-nitrokey_patch_version := clevo_release
+#We use clevo_release's crossgcc for now, unshared but between nitropad nv41/ns50
+$(eval $(call coreboot_module,nitrokey,))
+
 # Check that the board configured the coreboot version correctly
 ifeq "$(CONFIG_COREBOOT_VERSION)" ""
 	$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION")
@@ -99,6 +107,7 @@ coreboot_dir := $($(coreboot_module)_dir)
 coreboot_base_dir := $($(coreboot_module)_base_dir)
 
 $(coreboot_module)_depends += $(if $(CONFIG_PURISM_BLOBS), purism-blobs)
+$(coreboot_module)_depends += $(if $(CONFIG_NITROKEY_BLOBS), nitrokey-blobs)
 
 # coreboot builds are specialized on a per-target basis.
 # The builds are done in a per-target subdirectory

modules/iotools

@@ -0,0 +1,22 @@
+modules-$(CONFIG_IOTOOLS) += iotools
+
+iotools_depends := pciutils $(musl_dep)
+
+iotools_version := 18949fdc4dedb1da3f51ee83a582b112fb9f2c71
+iotools_dir := iotools-$(iotools_version)
+iotools_tar := $(iotools_dir).tar.gz
+iotools_url := https://github.com/adurbin/iotools/archive/$(iotools_version).tar.gz
+iotools_hash := 8df266f55cd8e79328faa0e274edc082de3f6c240617a28ace93abdace324ec2
+
+iotools_cfg := \
+
+iotools_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+
+iotools_output := \
+	iotools
+
+iotools_libraries := \
+
+iotools_configure := 

modules/nitrokey-blobs

@@ -0,0 +1,12 @@
+modules-$(CONFIG_NITROKEY_BLOBS) += nitrokey-blobs
+
+nitrokey-blobs_base_dir := nitrokey-blobs
+nitrokey-blobs_version := c9e2a556508518d54cd57f8c7a440cb370f69de1
+nitrokey-blobs_tar := nitrokey-blobs-${nitrokey-blobs_version}.tar.gz
+nitrokey-blobs_tar_opt := --strip 1
+nitrokey-blobs_url := https://github.com/Nitrokey/firmware-blobs/archive/${nitrokey-blobs_version}.tar.gz
+nitrokey-blobs_hash := 1458798fa774e43ab2e6cf5cff875f4b3628c5dc1926bf9ec65051964b1a4854
+
+## there is nothing to be built
+nitrokey-blobs_output := .built
+nitrokey-blobs_configure := echo -e 'all:\n\ttouch .built' > Makefile

patches/coreboot-nitrokey-clevo_release/0001-change_acpica-unix2_location_to_a_mirror.patch

@@ -0,0 +1,23 @@
+From 6328eebb101fd0ded7168e1377da6a1a82a8e2da Mon Sep 17 00:00:00 2001
+From: Markus Meissner <coder@safemailbox.de>
+Date: Wed, 19 Jul 2023 20:36:57 +0200
+Subject: [PATCH] change acpica-unix2 location to a mirror
+
+---
+ util/crossgcc/buildgcc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/crossgcc/buildgcc b/util/crossgcc/buildgcc
+index 03c24da1be9..8880c89ea66 100755
+--- a/util/crossgcc/buildgcc
++++ b/util/crossgcc/buildgcc
+@@ -52,7 +52,7 @@ MPFR_ARCHIVE="https://ftpmirror.gnu.org/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
+ MPC_ARCHIVE="https://ftpmirror.gnu.org/mpc/mpc-${MPC_VERSION}.tar.gz"
+ GCC_ARCHIVE="https://ftpmirror.gnu.org/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.xz"
+ BINUTILS_ARCHIVE="https://ftpmirror.gnu.org/binutils/binutils-${BINUTILS_VERSION}.tar.xz"
+-IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz"
++IASL_ARCHIVE="https://gsdview.appspot.com/chromeos-localmirror/distfiles/acpica-unix2-${IASL_VERSION}.tar.gz"
+ # CLANG toolchain archive locations
+ LLVM_ARCHIVE="https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/llvm-${CLANG_VERSION}.src.tar.xz"
+ CLANG_ARCHIVE="https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/clang-${CLANG_VERSION}.src.tar.xz"
+