diff --git a/.circleci/config.yml b/.circleci/config.yml index 760094f5e..5e286a1a4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -280,6 +280,30 @@ jobs: - store-artifacts: path: build/t420-hotp-maximized + - run: + name: Download and neuter Parrot ME (keep extracted IFD in tree) + command: | + ./blobs/parrot/download_clean_me.sh + - run: + name: Parrot + command: | + rm -rf build/Parrot/* build/log/* && make CPUS=4 V=1 BOARD=Parrot || touch /tmp/failed_build + no_output_timeout: 3h + - run: + name: Output build failing logs + command: | + if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi + - run: + name: Output Parrot hashes + command: | + cat build/Parrot/hashes.txt \ + - run: + name: Archiving build logs for Parrot + command: | + tar zcvf build/Parrot/logs.tar.gz ./build/log/* + - store-artifacts: + path: build/Parrot + - run: name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) command: | diff --git a/blobs/parrot/download_clean_me.sh b/blobs/parrot/download_clean_me.sh new file mode 100755 index 000000000..4d41767c5 --- /dev/null +++ b/blobs/parrot/download_clean_me.sh 
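Review bot: The `Output Parrot hashes` step ends with a dangling `\` after `cat build/Parrot/hashes.txt`, so the block scalar hands bash a line continuation with nothing after it; it happens to be tolerated, but the line should read `cat build/Parrot/hashes.txt` with the backslash dropped. In the `Output build failing logs` step, `while read log` lacks `-r` and `cat $log` is unquoted, so a log path with whitespace or backslashes would be mangled; `while IFS= read -r log; do ...; cat "$log"; done` is the safe form. That step text appears to be copied verbatim from the neighbouring board jobs (the context shows the t420 and xx20 steps), so if it is fixed here the other jobs presumably want the same change.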
@@ -0,0 +1,48 @@
+function printusage {
+ echo "Usage: $0 -m (optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:" opt; do
+ case $opt in
+ m)
+ if [ -x "$OPTARG" ]; then
+ MECLEAN="$OPTARG"
+ fi
+ ;;
+ esac
+done
+
+FINAL_ME_BIN_SHA256SUM="e985feb4a2879a99fb792f2d425c17a68ee07ba8bc0fd39a7f9eb65d8c6d5f11 $BLOBDIR/me.bin"
+ME_SHA256SUM="1790fabc16afc36ab1bcfd52e10b805855d5e2a4eb96ea78781ffb60a0941928 me.bin"
+
+
+if [ -z "$MECLEAN" ]; then
+ MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+ if [ -z "$MECLEAN" ]; then
+ echo "me_cleaner.py required but not found or specified with -m. Aborting."
+ exit 1;
+ fi
+fi
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Downloading: https://github.com/coreboot/blobs/raw/master/mainboard/google/parrot/me.bin..."
+wget https://github.com/coreboot/blobs/raw/353f2469be53919b6b359148469485a9040e5a8b/mainboard/google/parrot/me.bin || ( echo "ERROR: wget not found" && exit 1 )
+echo "### Verifying expected hash of me.bin"
+echo "$ME_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 )
+
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
+$MECLEAN -r -t -O "$BLOBDIR/me.bin" me.bin
+echo "### Verifying expected hash of me.bin"
+echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 )
+
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"
diff --git a/blobs/parrot/ifd_shrinked.bin b/blobs/parrot/ifd_shrinked.bin
new file mode 100644
index 000000000..ab3b21b11
Binary files /dev/null and b/blobs/parrot/ifd_shrinked.bin differ
diff --git a/boards/Parrot/Parrot.config b/boards/Parrot/Parrot.config
new file mode 100644
index 000000000..e90ceb34b
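Review bot: The three `|| ( echo "..." && exit 1 )` guards on the wget line and the two `sha256sum --check` lines only exit the `( )` subshell, and the script has no `set -e`, so a failed download or a hash mismatch on the downloaded or neutered blob is printed but the script carries on, still writes `$BLOBDIR/me.bin`, and exits with the status of the final `rm -r`; the CI step that calls it would then pass with an unverified ME image in tree. Each guard should be `|| { echo "..." >&2; exit 1; }` (or add `set -e` near the top), and since the file starts at `function printusage` with no shebang while relying on `${BASH_SOURCE[0]}`, a `#!/bin/bash` first line is needed for the mode-100755 file to run under bash regardless of the caller. `$bioscopy` in the "Applying me_cleaner" message is never assigned and looks left over from another script; the wget failure text "wget not found" is also misleading for a network or 404 failure. `cd -` prints the previous directory to stdout; `cd - >/dev/null` keeps the log clean.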
--- /dev/null
+++ b/boards/Parrot/Parrot.config
@@ -0,0 +1,51 @@
+# Configuration for a Parrot running Other OSes, No QubesOS support since no vt-d support!
+#
+#
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=5.4.69
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-parrot.config
+CONFIG_LINUX_CONFIG=config/linux-parrot_common.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+#SSH client/server
+CONFIG_DROPBEAR=n
+#Ethernet driver (Heads only)
+CONFIG_LINUX_E1000E=n
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda2"
+export CONFIG_BOARD_NAME="Parrot"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has one SPI flash chip an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image and bios
+#
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing
diff --git a/config/coreboot-parrot.config b/config/coreboot-parrot.config
new file mode 100644
index 000000000..15cf9181b
--- /dev/null
+++ b/config/coreboot-parrot.config
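Review bot: The header comment states the board has no VT-d support, yet `CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"` is exported for the booted OS kernel while the coreboot-side Linux command line in config/coreboot-parrot.config uses `intel_iommu=igfx_off`; one of the comment or the parameter looks carried over from another board and the two should be reconciled. If the parameter is deliberate despite the comment, a one-line `# intel_iommu=on is harmless here: no VT-d on this platform` next to it would stop the next reader from asking the same question. The closing comment "one SPI flash chip an 8 MB" reads as a typo for "one 8 MB SPI flash chip".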
@@ -0,0 +1,18 @@
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_VENDOR_GOOGLE=y
+CONFIG_BOARD_GOOGLE_PARROT=y
+CONFIG_CBFS_SIZE=0x780000
+CONFIG_BOARD_GOOGLE_PARROT=y
+CONFIG_IFD_BIN_PATH="../../blobs/parrot/ifd_shrinked.bin"
+CONFIG_ME_BIN_PATH="../../blobs/parrot/me.bin"
+CONFIG_NATIVE_RAMINIT_IGNORE_MAX_MEM_FUSES=y
+CONFIG_NO_POST=y
+CONFIG_TPM_RDRESP_NEED_DELAY=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/Parrot/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/Parrot/initrd.cpio.xz"
diff --git a/config/linux-parrot_common.config b/config/linux-parrot_common.config
new file mode 100644
index 000000000..6da53525e
--- /dev/null
+++ b/config/linux-parrot_common.config
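Review bot: `CONFIG_BOARD_GOOGLE_PARROT=y` appears twice in this 18-line file (third and fifth lines); Kconfig accepts the duplicate silently, but it should be removed so the file reads as an intentional list rather than a merge artifact. `CONFIG_ME_BIN_PATH="../../blobs/parrot/me.bin"` points at a file this commit does not add but generates at build time via blobs/parrot/download_clean_me.sh; a comment such as `# me.bin is produced by blobs/parrot/download_clean_me.sh and hash-verified there` would make the dependency visible to anyone building outside CI.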
@@ -0,0 +1,302 @@ +CONFIG_LOCALVERSION="-heads" +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_KERNEL_XZ=y +# CONFIG_SWAP is not set +# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_PREEMPT_VOLUNTARY=y +CONFIG_LOG_BUF_SHIFT=18 +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="../../../blobs/dev.cpio" +# CONFIG_RD_GZIP is not set +# CONFIG_RD_BZIP2 is not set +# CONFIG_RD_LZMA is not set +# CONFIG_RD_LZO is not set +# CONFIG_RD_LZ4 is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +# CONFIG_SGETMASK_SYSCALL is not set +# CONFIG_SYSFS_SYSCALL is not set +# CONFIG_FHANDLE is not set +# CONFIG_BASE_FULL is not set +# CONFIG_SIGNALFD is not set +# CONFIG_TIMERFD is not set +# CONFIG_EVENTFD is not set +# CONFIG_AIO is not set +# CONFIG_ADVISE_SYSCALLS is not set +CONFIG_EMBEDDED=y +# CONFIG_VM_EVENT_COUNTERS is not set +# CONFIG_SLUB_DEBUG is not set +# CONFIG_COMPAT_BRK is not set +CONFIG_SMP=y +# CONFIG_X86_EXTENDED_PLATFORM is not set +CONFIG_PROCESSOR_SELECT=y +# CONFIG_CPU_SUP_CENTAUR is not set +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +# CONFIG_X86_MCE_AMD is not set +# CONFIG_PERF_EVENTS_INTEL_RAPL is not set +# CONFIG_MICROCODE is not set +CONFIG_X86_PMEM_LEGACY=y +# CONFIG_MTRR is not set +# CONFIG_X86_SMAP is not set +# CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS is not set +# CONFIG_SECCOMP is not set +CONFIG_KEXEC=y +CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_SIG=y +# CONFIG_RELOCATABLE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_MODIFY_LDT_SYSCALL is not set +# CONFIG_SUSPEND is not set +# CONFIG_FIRMWARE_MEMMAP is not set +# CONFIG_DMIID is not set +# CONFIG_VIRTUALIZATION is not set +CONFIG_JUMP_LABEL=y +CONFIG_MODULES=y +# CONFIG_COREDUMP is not set +# CONFIG_SPARSEMEM_VMEMMAP is not set +# CONFIG_COMPACTION is not set +# CONFIG_BOUNCE is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_UNIX=y +CONFIG_INET=y +CONFIG_SYN_COOKIES=y +# CONFIG_INET_DIAG is not set +# CONFIG_IPV6 is not set +# CONFIG_WIRELESS is 
not set +CONFIG_PCI=y +CONFIG_PCI_MSI=y +CONFIG_PCI_IOV=y +CONFIG_PCI_PRI=y +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +# CONFIG_STANDALONE is not set +# CONFIG_ALLOW_DEV_COREDUMP is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_RAM=y +CONFIG_BLK_DEV_RAM_SIZE=65536 +CONFIG_BLK_DEV_NVME=y +CONFIG_EEPROM_93CX6=m +CONFIG_INTEL_MEI_ME=m +CONFIG_INTEL_MEI_TXE=m +# CONFIG_SCSI_PROC_FS is not set +CONFIG_BLK_DEV_SD=y +CONFIG_BLK_DEV_SR=y +CONFIG_CHR_DEV_SG=y +CONFIG_SCSI_SCAN_ASYNC=y +CONFIG_ISCSI_TCP=y +CONFIG_ATA=y +CONFIG_SATA_AHCI=y +# CONFIG_ATA_SFF is not set +CONFIG_MD=y +CONFIG_BLK_DEV_DM=y +CONFIG_DM_CRYPT=y +CONFIG_DM_VERITY=y +CONFIG_DM_VERITY_FEC=y +CONFIG_NETDEVICES=y +# CONFIG_NET_VENDOR_3COM is not set +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +# CONFIG_NET_VENDOR_ALTEON is not set +# CONFIG_NET_VENDOR_AMAZON is not set +# CONFIG_NET_VENDOR_AMD is not set +# CONFIG_NET_VENDOR_AQUANTIA is not set +# CONFIG_NET_VENDOR_ARC is not set +# CONFIG_NET_VENDOR_ATHEROS is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_TIGON3=y +# CONFIG_NET_VENDOR_BROCADE is not set +# CONFIG_NET_VENDOR_CAVIUM is not set +# CONFIG_NET_VENDOR_CHELSIO is not set +# CONFIG_NET_VENDOR_CISCO is not set +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_DLINK is not set +# CONFIG_NET_VENDOR_EMULEX is not set +# CONFIG_NET_VENDOR_EZCHIP is not set +# CONFIG_NET_VENDOR_HP is not set +# CONFIG_NET_VENDOR_I825XX is not set +CONFIG_E1000=m +CONFIG_E1000E=m +# CONFIG_NET_VENDOR_MARVELL is not set +# CONFIG_NET_VENDOR_MELLANOX is not set +# CONFIG_NET_VENDOR_MICREL is not set +# CONFIG_NET_VENDOR_MYRI is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +# CONFIG_NET_VENDOR_NETRONOME is not set +# CONFIG_NET_VENDOR_NVIDIA is not set +# CONFIG_NET_VENDOR_OKI is not set +# CONFIG_NET_VENDOR_QLOGIC is not set +# CONFIG_NET_VENDOR_QUALCOMM is not set +# CONFIG_NET_VENDOR_RDC is not set +# CONFIG_NET_VENDOR_REALTEK is not set +# 
CONFIG_NET_VENDOR_RENESAS is not set +# CONFIG_NET_VENDOR_ROCKER is not set +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +# CONFIG_NET_VENDOR_SMSC is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_NET_VENDOR_WIZNET is not set +# CONFIG_USB_NET_DRIVERS is not set +# CONFIG_WLAN is not set +# CONFIG_INPUT_MOUSE is not set +# CONFIG_SERIO_SERPORT is not set +# CONFIG_UNIX98_PTYS is not set +# CONFIG_LEGACY_PTYS is not set +CONFIG_SERIAL_8250=y +# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set +# CONFIG_SERIAL_8250_PNP is not set +# CONFIG_SERIAL_8250_PCI is not set +# CONFIG_SERIAL_8250_LPSS is not set +# CONFIG_SERIAL_8250_MID is not set +CONFIG_TTY_PRINTK=y +CONFIG_HW_RANDOM=y +CONFIG_HW_RANDOM_TIMERIOMEM=m +CONFIG_HW_RANDOM_INTEL=m +CONFIG_HW_RANDOM_AMD=m +CONFIG_HW_RANDOM_VIA=m +CONFIG_TCG_TPM=y +CONFIG_TCG_TIS=y +CONFIG_TCG_TIS_I2C_NUVOTON=y +# CONFIG_I2C_COMPAT is not set +CONFIG_I2C_MUX=m +CONFIG_I2C_MUX_PCA9541=m +CONFIG_I2C_MUX_REG=m +# CONFIG_I2C_HELPER_AUTO is not set +CONFIG_I2C_SLAVE=y +# CONFIG_HWMON is not set +# CONFIG_X86_PKG_TEMP_THERMAL is not set +CONFIG_MFD_SYSCON=y +CONFIG_DRM=y +CONFIG_DRM_I915=y +CONFIG_DRM_AST=y +CONFIG_FB_VESA=y +# CONFIG_BACKLIGHT_GENERIC is not set +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_USB=y +CONFIG_USB_XHCI_HCD=m +CONFIG_USB_XHCI_PLATFORM=m +CONFIG_USB_EHCI_HCD=m +CONFIG_USB_EHCI_HCD_PLATFORM=m +CONFIG_USB_STORAGE=m +CONFIG_RTC_CLASS=y +# CONFIG_X86_PLATFORM_DEVICES is not set +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_GENERIC_PHY=y +# CONFIG_BLK_DEV_PMEM is not set +# CONFIG_ND_BLK is not set +# CONFIG_BTT is not set +CONFIG_EXT4_FS=y +# CONFIG_DNOTIFY is not set +# CONFIG_INOTIFY_USER is not set 
+CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +CONFIG_MSDOS_FS=y +CONFIG_VFAT_FS=y +# CONFIG_PROC_SYSCTL is not set +# CONFIG_PROC_PAGE_MONITOR is not set +# CONFIG_MISC_FILESYSTEMS is not set +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_UTF8=y +CONFIG_HARDENED_USERCOPY=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_CCM=m +CONFIG_CRYPTO_GCM=m +CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=m +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_KEYWRAP=m +CONFIG_CRYPTO_CMAC=m +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=m +CONFIG_CRYPTO_VMAC=m +CONFIG_CRYPTO_CRC32C_INTEL=y +CONFIG_CRYPTO_CRC32=m +CONFIG_CRYPTO_CRC32_PCLMUL=m +CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m +CONFIG_CRYPTO_POLY1305_X86_64=m +CONFIG_CRYPTO_MD4=m +CONFIG_CRYPTO_MICHAEL_MIC=m +CONFIG_CRYPTO_RMD128=m +CONFIG_CRYPTO_RMD160=m +CONFIG_CRYPTO_RMD256=m +CONFIG_CRYPTO_RMD320=m +CONFIG_CRYPTO_SHA1_SSSE3=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_TGR192=m +CONFIG_CRYPTO_WP512=m +CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=m +CONFIG_CRYPTO_ARC4=m +CONFIG_CRYPTO_BLOWFISH=m +CONFIG_CRYPTO_BLOWFISH_X86_64=m +CONFIG_CRYPTO_CAMELLIA=m +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m +CONFIG_CRYPTO_CAST5_AVX_X86_64=m +CONFIG_CRYPTO_CAST6_AVX_X86_64=m +CONFIG_CRYPTO_DES3_EDE_X86_64=m +CONFIG_CRYPTO_FCRYPT=m +CONFIG_CRYPTO_KHAZAD=m +CONFIG_CRYPTO_SALSA20=m +CONFIG_CRYPTO_CHACHA20_X86_64=m +CONFIG_CRYPTO_SEED=m +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m +CONFIG_CRYPTO_TEA=m +CONFIG_CRYPTO_TWOFISH=m +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m +CONFIG_CRYPTO_DEFLATE=m +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=m +CONFIG_CRYPTO_LZ4=m +CONFIG_CRYPTO_LZ4HC=m +CONFIG_CRYPTO_ANSI_CPRNG=m +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +CONFIG_CRYPTO_USER_API_RNG=y +CONFIG_CRYPTO_USER_API_AEAD=y +# CONFIG_CRYPTO_HW is not set 
+CONFIG_CORDIC=m +CONFIG_CRC_CCITT=m +CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=m +CONFIG_CRC7=m +CONFIG_LIBCRC32C=m +CONFIG_CRC8=m +CONFIG_XZ_DEC_TEST=m +CONFIG_IRQ_POLL=y +CONFIG_PRINTK_TIME=y +CONFIG_BOOT_PRINTK_DELAY=y +CONFIG_DYNAMIC_DEBUG=y +# CONFIG_ENABLE_MUST_CHECK is not set +CONFIG_FRAME_WARN=1024 +CONFIG_DEBUG_FS=y +CONFIG_MAGIC_SYSRQ=y +CONFIG_HARDLOCKUP_DETECTOR=y +CONFIG_WQ_WATCHDOG=y +# CONFIG_SCHED_DEBUG is not set +CONFIG_STACKTRACE=y +# CONFIG_DEBUG_BUGVERBOSE is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_FTRACE is not set +# CONFIG_STRICT_DEVMEM is not set +# CONFIG_X86_VERBOSE_BOOTUP is not set +# CONFIG_DOUBLEFAULT is not set +CONFIG_IO_DELAY_0XED=y +# CONFIG_X86_DEBUG_FPU is not set diff --git a/patches/coreboot-4.13/0002-enable-tpm-parrot.patch b/patches/coreboot-4.13/0002-enable-tpm-parrot.patch new file mode 100644 index 000000000..d0f71a8d7 --- /dev/null +++ b/patches/coreboot-4.13/0002-enable-tpm-parrot.patch @@ -0,0 +1,14 @@ +diff --git a/src/mainboard/google/parrot/devicetree.cb b/src/mainboard/google/parrot/devicetree.cb +index 61e51d0df3..1ac5d6ca60 100644 +--- a/src/mainboard/google/parrot/devicetree.cb ++++ b/src/mainboard/google/parrot/devicetree.cb +@@ -85,6 +85,9 @@ chip northbridge/intel/sandybridge + device pnp ff.1 on # dummy address + end + end ++ chip drivers/pc80/tpm ++ device pnp 0c31.0 on end ++ end + end # LPC bridge + device pci 1f.2 on end # SATA Controller 1 + device pci 1f.3 on end # SMBus
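Review bot: `CONFIG_INTEL_IOMMU=y` and `CONFIG_INTEL_IOMMU_SVM=y` are enabled here while boards/Parrot/Parrot.config in the same commit says the platform has no VT-d support, and the file also builds in drivers that look unrelated to this laptop (`CONFIG_TIGON3=y`, `CONFIG_DRM_AST=y`, `CONFIG_ISCSI_TCP=y`), which suggests it was copied from another board's common config rather than derived for Parrot. A one-line header comment naming the config it was cloned from would help future pruning, and the contradiction with the board comment should be resolved one way or the other. Several options here are hardening-relevant (`# CONFIG_X86_SMAP is not set`, `# CONFIG_SECCOMP is not set`, `CONFIG_MAGIC_SYSRQ=y`, `CONFIG_DEBUG_FS=y`); if they are inherited rather than chosen, it is worth confirming they match what the other Heads board configs in this tree settle on.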