(WiP) X200-maximized board addition

[tlaurion]

-Without TPM nor HOTP support. Basically useable to boot Tails from USB SDCARD adapter, with SDCARD set in read only mode. Based on past work https://github.com/tlaurion/heads/tree/x200_readd

Keep in mind limitations og GM45 based laptops: QubesOS/qubes-issues#1594 (comment) which lead to Heads project (Read down from this referred post.)

Adds:

• gbe.bin in tree (generated with bincfg)
• unlocked ifd.bin in tree (generated by bincfg and unlucked with ifdtool)
• extract.sh script (which extracts gbe.bin from backup with ifdtool and replaced gbe.bin in tree)

Fixes #878 upon merge. (and partly #925)

Todo:

• Keep an eye on Use a USB security key as a TPM work-alike in the absence of a physical TPM #836 for followup on Use a USB security key as a TPM work-alike in the absence of a physical TPM #836 (comment) so that additional x200-hotp-maximized can be added once that PR is merged.

Based on :

• https://www.coreboot.org/Board:lenovo/x200
• https://libreboot.org/docs/hardware/gm45_remove_me.html#demefactory
• (where blobtool -> bincfg and other tools were upstreamed under coreboot)

[tlaurion]

@fhvyhjriur Can you test this?

[fhvyhjriur]

I would have to buy a x200 and then test this. Does it already work on your x200 or didnt you have the time/ability/... to test this on your device?

[irelativism]

I have a T400 and X200 for testing. Also DYNE.org TBM project should also be considered. Especially now that mxm amd gpus have been added makes for this machines still very usable today until RISC-V is ready.

[tlaurion]

What is the device you own? This was the fulfill your issue. Thought you had x200.

On December 31, 2020 1:32:58 PM UTC, fhvyhjriur ***@***.***> wrote: I would have to buy a x200 and then test this. Does it already work on your x200 or didnt you have the time/ability/... to test this on your device? -- You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: #934 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[tlaurion]

@fhvyhjriur @irelativism added you under #692

[tlaurion]

@irelativism :
x200-maximized: build, direct link to rom automatically build for commit associated with this PR per automatic Ci builds (where commit is in ROM's filename).

[fhvyhjriur]

What is the device you own? This was the fulfill your issue. Thought you had x200.

For example the T400 i have with a 8mb SPI chip i can test quickly. I also have a T500 and R500 here. The R400 does not have to be extra tested because its equal T400. Also The W500 have not to be extra tested because its a T500.
Otherwise i would buy the x200 and in case it have a 4mb chip, i would order some 16mb chips. Until i receive those i would remove the 8mb spi chip from the T400 and insert it into the x200.

[tlaurion]

Needs #954 related changes

[tlaurion]

@fhvyhjriur t400 is #953

[tlaurion]

Interestingly enough, since x200 doesn't have TPM, that Heads code is now dynamically deactivating TPM codepaths when no TPM is detected, and that https://github.com/Dasharo/flashrom/ now supports WP bits on external flash, we might arrive to a point where if there is community interest, some documentation and additioanl testing after rebasing on master might make gm45 based boards interesting targets, only based on the fact that having boot binaries and detached signature with hte help of a USB Security dongle would increase usability of those platforms for amnesiac boards

Heads on a diskless x200 would permit to boot from USB to tails without issue.
HOTP support without TPM would also be interesting to reinvestigate, since USB-HID is now decoupled (no rubber ducky attacks possible on TPM less hardware anymore).

This is a brain dump since I did some cleanup of old and now irrelevant PR closure.