-
-
Notifications
You must be signed in to change notification settings - Fork 187
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rebase, chmod +x download_BIOS_clean.sh, config options to enable pla…
…tform locking as defined under https://github.com/osresearch/heads/blob/473c235fbaf56698aa9beefd2684fbf7d4499809/initrd/bin/lock_chip header, Changed description comment lines in the Heads board config file.
- Loading branch information
Showing
6 changed files
with
3,985 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
#!/bin/bash | ||
# Z220 CMT HP | ||
|
||
function printusage { | ||
echo "Usage: $0 -m <me_cleaner>(optional)" | ||
} | ||
|
||
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
||
if [ "$#" -eq 0 ]; then printusage; fi | ||
|
||
while getopts ":m:i:" opt; do | ||
case $opt in | ||
m) | ||
if [ -x "$OPTARG" ]; then | ||
MECLEAN="$OPTARG" | ||
fi | ||
;; | ||
esac | ||
|
||
done | ||
|
||
if [ -z "$MECLEAN" ]; then | ||
MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` | ||
if [ -z "$MECLEAN" ]; then | ||
echo "me_cleaner.py required but not found or specified with -m. Aborting." | ||
exit 1; | ||
fi | ||
fi | ||
|
||
BIN_FILE="DOS Flash/K51_0187.BIN" | ||
BIN_TGZ_SHA256SUM="0102d569239fdc14ca86a7afc4b16d2b12703401890b83e188f34d23844870dc sp97120.tgz" | ||
BIN_FILE_SHA256SUM="cc5a9c2d4827e9b1501c2dc0a464f580d4a2d65e4ff83dbab548e51839339d06 $BIN_FILE" | ||
FINAL_IFD_SHA256SUM="ba7371fcf1c03a999adae66f4a5fccd65ae3429c1aedc0c7b7e11c548363d30e $BLOBDIR/ifd.bin" | ||
FINAL_ME_SHA256SUM="2ee4bbf3e49e0c1f0215d7955d2a7793c7e108014f3aa4592bfa9785c0033d0d $BLOBDIR/me.bin" | ||
TGZURL="https://ftp.hp.com/pub/softpaq/sp97001-97500/sp97120.tgz" | ||
|
||
TGZFILENAME=`echo $TGZURL | sed 's/.*\///'` | ||
ROMFILENAME=`echo $TGZFILENAME | sed 's/\.zip$/\.ROM/'` | ||
|
||
extractdir=$(mktemp -d) | ||
echo "### Creating temp dir $extractdir " | ||
cd "$extractdir" | ||
|
||
echo "### Downloading $TGZURL" | ||
wget $TGZURL || { echo "ERROR: wget failed $TGZURL" && exit 1; } | ||
echo "### Verifying expected hash of $TGZFILENAME" | ||
echo "$BIN_TGZ_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; } | ||
|
||
echo "### Extracting Archives" | ||
tar -xf $TGZFILENAME DOS\ Flash || { echo "Failed unzipping $TGZFILENAME - Tool installed on host?" && exit 1;} | ||
|
||
echo "### Verifying expected hash of $ROMFILENAME" | ||
echo "$BIN_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; } | ||
|
||
echo "### Applying me_cleaner to neuter and truncate. EFFS,FCRS whitelisted" | ||
$MECLEAN -S -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$BIN_FILE" | ||
|
||
printf '\x00' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3837 count=1 conv=notrunc | ||
printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3712 count=40 conv=notrunc | ||
|
||
echo "### Verifying expected hashes" | ||
echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated IFD bin..." && exit 1; } | ||
echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated ME binary..." && exit 1; } | ||
|
||
echo "###Cleaning up..." | ||
cd - | ||
rm -r "$extractdir" |
6 changes: 6 additions & 0 deletions
6
boards/z220-cmt-hotp-maximized/z220-cmt-hotp-maximized.config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# Inherit the rest from the base Z220 CMT config. | ||
include $(pwd)/boards/z220-cmt-maximized/z220-cmt-maximized.config | ||
|
||
CONFIG_HOTPKEY=y | ||
|
||
export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower (HOTP)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
# Configuration for HP Z220 CMT | ||
# | ||
#The board supports Intel LGA1155, which allows for ME removal (both neuter+disable as claimed by me_cleaner) | ||
#, ME region resize/shrinking (aka 'maximized' board), as well as VSCC table modification. | ||
#It is similar to the ASUS P8Z77 motherboards in those respects, but comes with the bonus of ECC RAM compatibility. | ||
# | ||
#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary | ||
#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC | ||
#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download | ||
#script also resizes the rom layout and minimizes ME while maximizing space. | ||
#The Computer comes as standard with an 16MB Flash chip, which means that no modification is | ||
#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by | ||
#default. It is soldered onto the board, as is the TPM1 chip. | ||
# | ||
#Test platform | ||
#BOARD: HP Z220 CMT | ||
#RAM: 16GB - 2x ATP DDR3 ECC | ||
#CPU: Intel E3-1275v2 | ||
#Even though this has been tested with a discrete graphics card installed, like on other Sandy/Ivy Bridge boards Heads is configured to use the iGPU, i.e. to get a display output while running Heads please | ||
#avoid the 1230, 1270v2, etc in favour of 1245v2, 2600k etc. | ||
# | ||
#note: nohz=off is an optional CONFIG_LINUX_COMMAND_LINE parameter to supress repeated NOHZ: local_softirq_pending console output | ||
# | ||
CONFIG_LINUX_CONFIG=config/linux-c216.config | ||
CONFIG_COREBOOT_CONFIG=config/coreboot-z220-cmt.config | ||
|
||
export CONFIG_COREBOOT=y | ||
export CONFIG_COREBOOT_VERSION=4.19 | ||
export CONFIG_LINUX_VERSION=5.10.5 | ||
|
||
CONFIG_CRYPTSETUP2=y | ||
CONFIG_FLASHROM=y | ||
CONFIG_FLASHTOOLS=y | ||
CONFIG_GPG2=y | ||
CONFIG_KEXEC=y | ||
CONFIG_UTIL_LINUX=y | ||
CONFIG_LVM2=y | ||
CONFIG_MBEDTLS=y | ||
CONFIG_PCIUTILS=y | ||
CONFIG_POPT=y | ||
CONFIG_QRENCODE=y | ||
CONFIG_TPMTOTP=y | ||
|
||
#platform locking finalization (PR0) | ||
CONFIG_IO386=y | ||
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y | ||
|
||
# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead | ||
# for a console-based menu. | ||
CONFIG_CAIRO=y | ||
CONFIG_FBWHIPTAIL=y | ||
|
||
CONFIG_LINUX_USB=y | ||
|
||
export CONFIG_TPM=y | ||
export CONFIG_BOOTSCRIPT=/bin/gui-init | ||
export CONFIG_BOOT_REQ_HASH=n | ||
export CONFIG_BOOT_REQ_ROLLBACK=n | ||
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off" | ||
export CONFIG_BOOT_KERNEL_REMOVE="quiet" | ||
export CONFIG_BOOT_DEV="/dev/sda1" | ||
export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower" | ||
export CONFIG_FLASHROM_OPTIONS="-p internal" | ||
|
||
# Make the Coreboot build depend on the following 3rd party blobs: | ||
$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ | ||
$(pwd)/blobs/z220/me.bin $(pwd)/blobs/z220/ifd.bin | ||
|
||
$(pwd)/blobs/z220/me.bin: | ||
COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ | ||
$(pwd)/blobs/z220/download_BIOS_clean.sh | ||
|
||
$(pwd)/blobs/z220/ifd.bin: | ||
COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ | ||
$(pwd)/blobs/z220/download_BIOS_clean.sh |
Oops, something went wrong.