diff --git a/Makefile b/Makefile index 33bb89013..85cda083c 100644 --- a/Makefile +++ b/Makefile @@ -499,6 +499,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools bin_modules-$(CONFIG_BASH) += bash bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils +bin_modules-$(CONFIG_IO386) += io386 $(foreach m, $(bin_modules-y), \ $(call map,initrd_bin_add,$(call bins,$m)) \ diff --git a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config index 57cb23d32..515027166 100644 --- a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config +++ b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config @@ -55,6 +55,10 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 1281c4444..e9b782737 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index bfbd81711..9f3760b03 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -28,6 +28,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index 5f172eb7b..70f8ef8c2 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -27,6 +27,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 10d5a2358..4983a6c05 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index b74edef93..247dc8ef6 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -20,6 +20,11 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t520-hotp-maximized/t520-hotp-maximized.config b/boards/t520-hotp-maximized/t520-hotp-maximized.config index 7de13744c..7d3ea1b3a 100644 --- a/boards/t520-hotp-maximized/t520-hotp-maximized.config +++ b/boards/t520-hotp-maximized/t520-hotp-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t520-maximized/t520-maximized.config b/boards/t520-maximized/t520-maximized.config index 4589ec212..35f55ff70 100644 --- a/boards/t520-maximized/t520-maximized.config +++ b/boards/t520-maximized/t520-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config index 364e49b7c..e0412ef35 100644 --- a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config +++ b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config index ef7877b5c..4d1c756ef 100644 --- a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config +++ b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 9f9c00e05..8a4209fb5 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 0bc59d862..3fa20c29b 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config index f3dab011b..396639ccd 100644 --- a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config +++ b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config index 6a7bd1f1f..822c91f7d 100644 --- a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config +++ b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config index b5e45aa6d..968cce2bb 100644 --- a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config +++ b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config index edb50cb3d..9a374c4db 100644 --- a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config +++ b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index a01a98d88..5e38664b3 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index a25832975..fdd1c0c29 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 69531e65e..ba46fb41d 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 611dc3a8a..d4df3a843 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index cb5daa6bb..377e91f12 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index a8dca8506..df4e8a454 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index 47a4133a2..5cd7cfc23 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -30,6 +30,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index eda0d3a48..1db26bccf 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7d385a3f9..e8f78e796 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config index 2fb5b5b71..2b3b7be30 100644 --- a/config/coreboot-p8z77-m_pro-tpm1.config +++ b/config/coreboot-p8z77-m_pro-tpm1.config @@ -1,17 +1,28 @@ -CONFIG_USE_BLOBS=y CONFIG_VENDOR_ASUS=y CONFIG_CBFS_SIZE=0x7E7000 CONFIG_BOARD_ASUS_P8Z77_M_PRO=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y CONFIG_NO_GFX_INIT=y -CONFIG_TPM_MEASURED_BOOT=y -CONFIG_TPM1=y +CONFIG_PCIEXP_HOTPLUG_IO=0x2000 +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM1=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y +CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config index 455aa803e..ebc93fcad 100644 --- a/config/coreboot-t420-maximized.config +++ b/config/coreboot-t420-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T420=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config index 190ac0fbc..ae701a378 100644 --- a/config/coreboot-t430-maximized.config +++ b/config/coreboot-t430-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T430=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index c70c0e6a6..a14496bae 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config @@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T440P=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0" CONFIG_TPM_MEASURED_BOOT=y CONFIG_HAVE_MRC=y CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y -CONFIG_NO_GFX_INIT=y +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config index 0665a3958..6830c1026 100644 --- a/config/coreboot-t520-maximized.config +++ b/config/coreboot-t520-maximized.config @@ -1,23 +1,21 @@ # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set -CONFIG_USE_BLOBS=y -CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF -CONFIG_ONBOARD_VGA_IS_PRIMARY=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T520=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_DRIVERS_PS2_KEYBOARD=y -CONFIG_NO_POST=y -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin" +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-t530-dgpu-hotp-maximized.config b/config/coreboot-t530-dgpu-hotp-maximized.config index b1f84b7aa..7b1ca6841 100644 --- a/config/coreboot-t530-dgpu-hotp-maximized.config +++ b/config/coreboot-t530-dgpu-hotp-maximized.config @@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config index fd236eea6..d19336467 100644 --- a/config/coreboot-t530-dgpu-maximized.config +++ b/config/coreboot-t530-dgpu-maximized.config @@ -1,28 +1,27 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" CONFIG_VGA_BIOS_DGPU_ID="10de,0def" CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" -CONFIG_VGA_BIOS=y CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config index 415699247..3d245dcf9 100644 --- a/config/coreboot-t530-maximized.config +++ b/config/coreboot-t530-maximized.config @@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config index 64a2f3ecd..245a5c565 100644 --- a/config/coreboot-w530-dgpu-K1000m-maximized.config +++ b/config/coreboot-w530-dgpu-K1000m-maximized.config @@ -1,30 +1,28 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc" CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom" -CONFIG_VGA_BIOS=y CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config index ab1ea461f..dc2f561cd 100644 --- a/config/coreboot-w530-dgpu-K2000m-maximized.config +++ b/config/coreboot-w530-dgpu-K2000m-maximized.config @@ -1,30 +1,28 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb" CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom" -CONFIG_VGA_BIOS=y CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config index daf91635b..3adb53d31 100644 --- a/config/coreboot-w530-maximized.config +++ b/config/coreboot-w530-maximized.config @@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_W530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config index 934ff13f7..3b2a6223a 100644 --- a/config/coreboot-x220-maximized.config +++ b/config/coreboot-x220-maximized.config @@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X220=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_NO_GFX_INIT=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config index 231c24a4d..837d8a6ad 100644 --- a/config/coreboot-x230-maximized-fhd_edp.config +++ b/config/coreboot-x230-maximized-fhd_edp.config @@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X230_EDP=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config index dedeed36a..f5780fe77 100644 --- a/config/coreboot-x230-maximized.config +++ b/config/coreboot-x230-maximized.config @@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_X230=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_NO_GFX_INIT=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 071248ba1..4f6ea91c7 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -10,6 +10,20 @@ TRACE "Under /bin/config-gui.sh" param=$1 while true; do + dynamic_config_options=( + 'b' ' Change the /boot device' + 's' ' Save the current configuration to the running BIOS' \ + 'r' ' Clear GPG key(s) and reset all user settings' \ + ) + if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ];then + dynamic_config_options+=( + 't' ' Deactivate Platform Locking to permit OS write access to firmware' + ) + fi + dynamic_config_options+=( + 'x' ' Return to Main Menu' + ) + if [ ! -z "$param" ]; then # use first char from parameter menu_choice=${param::1} @@ -18,16 +32,19 @@ while true; do unset menu_choice whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \ - 'b' ' Change the /boot device' \ - 's' ' Save the current configuration to the running BIOS' \ - 'r' ' Clear GPG key(s) and reset all user settings' \ - 'x' ' Return to Main Menu' \ + "${dynamic_config_options[@]}" \ 2>/tmp/whiptail || recovery "GUI menu failed" menu_choice=$(cat /tmp/whiptail) fi case "$menu_choice" in + "t" ) + unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE + replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n" + combine_configs + . /tmp/config + ;; "x" ) exit 0 ;; diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index d25b04829..de59db6ef 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -150,5 +150,9 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr kexec_finalize fi +if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then + lock_chip +fi + echo "Starting the new kernel" exec kexec -e diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip new file mode 100755 index 000000000..8bf316b71 --- /dev/null +++ b/initrd/bin/lock_chip @@ -0,0 +1,23 @@ +#!/bin/sh +# For this to work: +# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work) +# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN +# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here. +# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly + +#include ash shell functions (TRACE requires it) +. /etc/ash_functions + +TRACE "Under /bin/lock_chip" +if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then + APM_CNT=0xb2 + FIN_CODE=0xcb +fi + +if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then + echo "Finalizing chipset" + io386 -o b -b x $APM_CNT $FIN_CODE +else + echo "NOT Finalizing chipset" + echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip." +fi diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index ffe88ec3a..a26823fdc 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -57,6 +57,7 @@ recovery() { # ensure /tmp/config exists for recovery scripts that depend on it touch /tmp/config + . /tmp/config if [ "$CONFIG_TPM" = "y" ]; then tpmr extend -ix 4 -ic recovery diff --git a/modules/io386 b/modules/io386 new file mode 100644 index 000000000..5ee33e630 --- /dev/null +++ b/modules/io386 @@ -0,0 +1,31 @@ +modules-$(CONFIG_IO386) += io386 + +io386_depends := $(musl_dep) + +io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1 +io386_dir := io386-$(io386_version) +io386_tar := io386-$(io386_version).tar.gz +io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz +io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06 + +io386_target := \ + $(MAKE_JOBS) \ + $(CROSS_TOOLS) \ + CFLAGS="-Os" \ + SHARED=yes \ + PREFIX="/" \ + && \ + $(MAKE) \ + -C $(build)/$(io386_dir) \ + $(CROSS_TOOLS) \ + SHARED=yes \ + PREFIX="/" \ + DESTDIR="$(INSTALL)" \ + install \ + +io386_output := \ + io386 + +io386_libraries := + +io386_configure :=