Skip to content

Commit

Permalink
Rebase, chmod +x download_BIOS_clean.sh, config options to enable pla…
Browse files Browse the repository at this point in the history
…tform locking as defined under https://github.com/osresearch/heads/blob/473c235fbaf56698aa9beefd2684fbf7d4499809/initrd/bin/lock_chip header, Changed description comment lines in the Heads board config file.
  • Loading branch information
d-wid committed Jul 22, 2023
1 parent 473c235 commit 66ef5c3
Show file tree
Hide file tree
Showing 6 changed files with 3,985 additions and 0 deletions.
14 changes: 14 additions & 0 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -469,6 +469,20 @@ workflows:
requires:
- x230-hotp-maximized

- build:
name: z220-cmt-maximized
target: z220-cmt-maximized
subcommand: ""
requires:
- x230-hotp-maximized

- build:
name: z220-cmt-hotp-maximized
target: z220-cmt-hotp-maximized
subcommand: ""
requires:
- x230-hotp-maximized

- build:
name: UNTESTED_p8z77-m_pro-tpm1-maximized
target: UNTESTED_p8z77-m_pro-tpm1-maximized
Expand Down
68 changes: 68 additions & 0 deletions blobs/z220/download_BIOS_clean.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#!/bin/bash
# Z220 CMT HP

function printusage {
echo "Usage: $0 -m <me_cleaner>(optional)"
}

BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

if [ "$#" -eq 0 ]; then printusage; fi

while getopts ":m:i:" opt; do
case $opt in
m)
if [ -x "$OPTARG" ]; then
MECLEAN="$OPTARG"
fi
;;
esac

done

if [ -z "$MECLEAN" ]; then
MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
if [ -z "$MECLEAN" ]; then
echo "me_cleaner.py required but not found or specified with -m. Aborting."
exit 1;
fi
fi

BIN_FILE="DOS Flash/K51_0187.BIN"
BIN_TGZ_SHA256SUM="0102d569239fdc14ca86a7afc4b16d2b12703401890b83e188f34d23844870dc sp97120.tgz"
BIN_FILE_SHA256SUM="cc5a9c2d4827e9b1501c2dc0a464f580d4a2d65e4ff83dbab548e51839339d06 $BIN_FILE"
FINAL_IFD_SHA256SUM="ba7371fcf1c03a999adae66f4a5fccd65ae3429c1aedc0c7b7e11c548363d30e $BLOBDIR/ifd.bin"
FINAL_ME_SHA256SUM="2ee4bbf3e49e0c1f0215d7955d2a7793c7e108014f3aa4592bfa9785c0033d0d $BLOBDIR/me.bin"
TGZURL="https://ftp.hp.com/pub/softpaq/sp97001-97500/sp97120.tgz"

TGZFILENAME=`echo $TGZURL | sed 's/.*\///'`
ROMFILENAME=`echo $TGZFILENAME | sed 's/\.zip$/\.ROM/'`

extractdir=$(mktemp -d)
echo "### Creating temp dir $extractdir "
cd "$extractdir"

echo "### Downloading $TGZURL"
wget $TGZURL || { echo "ERROR: wget failed $TGZURL" && exit 1; }
echo "### Verifying expected hash of $TGZFILENAME"
echo "$BIN_TGZ_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }

echo "### Extracting Archives"
tar -xf $TGZFILENAME DOS\ Flash || { echo "Failed unzipping $TGZFILENAME - Tool installed on host?" && exit 1;}

echo "### Verifying expected hash of $ROMFILENAME"
echo "$BIN_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }

echo "### Applying me_cleaner to neuter and truncate. EFFS,FCRS whitelisted"
$MECLEAN -S -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$BIN_FILE"

printf '\x00' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3837 count=1 conv=notrunc
printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3712 count=40 conv=notrunc

echo "### Verifying expected hashes"
echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated IFD bin..." && exit 1; }
echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated ME binary..." && exit 1; }

echo "###Cleaning up..."
cd -
rm -r "$extractdir"
6 changes: 6 additions & 0 deletions boards/z220-cmt-hotp-maximized/z220-cmt-hotp-maximized.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# Inherit the rest from the base Z220 CMT config.
include $(pwd)/boards/z220-cmt-maximized/z220-cmt-maximized.config

CONFIG_HOTPKEY=y

export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower (HOTP)"
75 changes: 75 additions & 0 deletions boards/z220-cmt-maximized/z220-cmt-maximized.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Configuration for HP Z220 CMT
#
#The board supports Intel LGA1155, which allows for ME removal (both neuter+disable as claimed by me_cleaner)
#, ME region resize/shrinking (aka 'maximized' board), as well as VSCC table modification.
#It is similar to the ASUS P8Z77 motherboards in those respects, but comes with the bonus of ECC RAM compatibility.
#
#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary
#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC
#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download
#script also resizes the rom layout and minimizes ME while maximizing space.
#The Computer comes as standard with an 16MB Flash chip, which means that no modification is
#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by
#default. It is soldered onto the board, as is the TPM1 chip.
#
#Test platform
#BOARD: HP Z220 CMT
#RAM: 16GB - 2x ATP DDR3 ECC
#CPU: Intel E3-1275v2
#Even though this has been tested with a discrete graphics card installed, like on other Sandy/Ivy Bridge boards Heads is configured to use the iGPU, i.e. to get a display output while running Heads please
#avoid the 1230, 1270v2, etc in favour of 1245v2, 2600k etc.
#
#note: nohz=off is an optional CONFIG_LINUX_COMMAND_LINE parameter to supress repeated NOHZ: local_softirq_pending console output
#
CONFIG_LINUX_CONFIG=config/linux-c216.config
CONFIG_COREBOOT_CONFIG=config/coreboot-z220-cmt.config

export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.19
export CONFIG_LINUX_VERSION=5.10.5

CONFIG_CRYPTSETUP2=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y

# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
# for a console-based menu.
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y

CONFIG_LINUX_USB=y

export CONFIG_TPM=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower"
export CONFIG_FLASHROM_OPTIONS="-p internal"

# Make the Coreboot build depend on the following 3rd party blobs:
$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
$(pwd)/blobs/z220/me.bin $(pwd)/blobs/z220/ifd.bin

$(pwd)/blobs/z220/me.bin:
COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
$(pwd)/blobs/z220/download_BIOS_clean.sh

$(pwd)/blobs/z220/ifd.bin:
COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
$(pwd)/blobs/z220/download_BIOS_clean.sh
Loading

0 comments on commit 66ef5c3

Please sign in to comment.