Dell Optiplex 7019/9010 SFF (and DT form factor) + TXT inclusion based on coreboot master 24.02.01 for now

[tlaurion]

This pull request includes various updates and additions to support the Dell Optiplex 7010/9010 systems, including new workflows, configuration files, and scripts for handling firmware blobs. The most important changes include updating the Docker image version, adding new jobs and workflows in the CircleCI configuration, and introducing new configuration files and scripts for the Optiplex 7010/9010 systems.

CircleCI Configuration Updates:

• Updated Docker image version to tlaurion/heads-dev-env:v0.2.3 in multiple jobs (prep_env, build_and_persist, build, save_cache). [1] [2] [3] [4]
• Added a new job to download Optiplex 7010/9010 blobs.
• Introduced new workflows for building various configurations of the Optiplex 7010/9010.

New Configuration Files:

• Added configuration files for different Optiplex 7010/9010 builds (optiplex-7010_9010-hotp-maximized.config, optiplex-7010_9010-maximized.config, optiplex-7010_9010_TXT-hotp-maximized.config, optiplex-7010_9010_TXT-maximized.config). [1] [2] [3] [4]

New Scripts and Documentation:

• Added a script to download and verify required blobs for Optiplex 7010/9010 (optiplex_7010_9010.sh).
• Added README and layout files for Optiplex 9010 blobs. (README.md, layout.txt). [1] [2]

Other Changes:

• Updated .gitignore to include new blob files.
• Updated flake.nix to include new dependencies and ensure root entries in /etc/passwd and /etc/group. [1] [2]
• Added makefile targets for downloading Optiplex 7010/9010 blobs. (optiplex_blobs.mk).

---

This is PoC state. Please comment.

• Download extracts and use automatically:
  • IFD maximized size from xx30 blobs extraction script
  • ME neutered with minimal size per xx30 blobs extraction script
  • TXT variant only: ACM (IVB_BIOSAC_PRODUCTION.bin) + SINIT (SNB_IVB_SINIT_20190708_PW.bin)
    • TXT versioning taken from https://github.com/Dasharo/coreboot/blob/7226ebce6e8479b9aef6d4e4ea2420fffa5f75a6/configs/config.dell_optiplex_9010_sff_txt#L10C1-L10C31
  • EC firmware (sch5545_ecfw.bin)
  • Needs to be flashed through recovery method as all maximized boards

Let's see if that works. Optiplex board owners out here?

---

At completion, will fix #1739, possibly moving to dasharo fork (doesn't build with novacusstom nv41 fork today) to be evaluated (v0.2.0 older then 0.1.0? Confused by versioning of fork: was told to use coreboot master since no change and should work)

---

Next steps

• Create blobs extraction scripts automating https://docs.dasharo.com/variants/dell_optiplex/initial-deployment/#firmware-preparation: done
• Iterate to enabling TXT with another download/extraction blobs (ACM/sINIT): done
• Testing for what is expected to work by Dasharo team @macpijan @pietrushnic
  • test https://docs.dasharo.com/variants/dell_optiplex/recovery/
    • Unfortunately I do not own a SOIC-16 clip So I cannot recover from a brick : EDIT I have DT variant: 2xsoic8
  • Iterate until working as expected
  • Put PR back to ready for review
  • Have review+approval from at least one of @macpijan @pietrushnic @miczyg1
  • Merge
  • Update latest docker image -> v0.2.3

[tlaurion]

Duh. f2e0553 doesn't contain new flake.nix requirements for blobs extraction. Pushing new docker image in new commit e0c4fcb using it, per README.md maintainership instructions.

[tlaurion]

Tested: https://output.circle-artifacts.com/output/job/07b661b2-b859-4f40-8fd0-8d3586da733f/artifacts/0/build/x86/optiplex-7010_9010_TXT-maximized/heads-optiplex-7010_9010_TXT-maximized-v0.2.0-2334-ge2ad897.rom

Note:

• boots (efifb+bootsplash after hard reboot) but symbols missing.
• kernel works but mostly everything depending on initrd (and libc) is corrupt.
  Seems like I missed cleaning up ifd to make its region match expected ones or something, relaunching build without cache to compare roms produced.

Some notes: my 9010 had service jumper slot easily availabe without needing to disassemble anything other then opening the chassis. DTS then was able to take a backup and flash through internal flashing of flashrom through DTS booted from USB.

Putting in draft until

• comparing roms produces by CI on clean build (ongoing) and https://output.circle-artifacts.com/output/job/07b661b2-b859-4f40-8fd0-8d3586da733f/artifacts/0/build/x86/optiplex-7010_9010_TXT-maximized/heads-optiplex-7010_9010_TXT-maximized-v0.2.0-2334-ge2ad897.rom
• verifying IFD regions match actual regions occupied by IFD, BIOS, ME and GBE (bluntly trusted coreboot stitching but should have verified).

[tlaurion]

Damn. IFD extracted from board's ME region doesn't match ME region from backup :/ More work needed

Log https://app.circleci.com/pipelines/github/tlaurion/heads/2880/workflows/ff9dee9b-9e99-4514-afa6-db3a82e60b08/jobs/54332?invite=true#step-106-1831079_85 :
Region Intel ME is 94208(0x17000) bytes. File is 98304(0x18000) bytes. Not injecting.

Smaller ME in 9010?!

[tlaurion]

Notes: my 9010 board is way different then 7010 board pictures under Dasharo docs
EDIT: this is DT variant, not SFF. Same silicon, but PCI IDs will be different.

• Service jumper easily accessible (red)
• Soic8 SPI flash chips also easily accessible (green)

Pictures:

[tlaurion]

Installing QubesOS on the Optiplex, externally flashed local build rom, booted from detached signed ISO: ok.

[tlaurion]

• HOTP variants seal HOTP secret on usb security dongle and enforces automatic boot of default entry
• TPM DUK unseals secret and boots into QubesOS

[tlaurion]

@miczyg1 please test internal firmware upgrade and approve this PR upon successful testing

[miczyg1]

Okay, will try to do this ASAP.

[miczyg1]

@miczyg1 please test internal firmware upgrade and approve this PR upon successful testing

Heads firmware update using the ZIP from Circle CI (commit d3d4247) worked like a charm.

[tlaurion]

Well, archive.org has hiccups after being hacked...

[miczyg1]

@tlaurion I am unable to resolve conversations on my own here. Please feel free to resolve the comments

[tlaurion]

@tlaurion I am unable to resolve conversations on my own here. Please feel free to resolve the comments

Seems like https://github.com/linuxboot/heads/compare/c5bbbe38fa8f6d4e5e92f7199dda7191245815a7..2424067203617b23f10ed48b65b8dea037e7b58b should be preferred. Commented in previous discussions. Please thumb up there and I will resolve associated comment threads.