linuxboot · tlaurion · Dec 2, 2020 · Apr 12, 2020 · Apr 16, 2020 · Apr 16, 2020
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,7 +8,7 @@ jobs:
           name: Install dependencies
           command: |
             apt update
-            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync
+            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract
       - checkout
 
       - run:
@@ -121,7 +121,6 @@ jobs:
 
       - run:
           name: x230-flash
-          #We delete build/make-4.2.1/ directory until issue #799 is fixed.
           command: |
             rm -rf build/x230-flash/* build/log/* && make CPUS=4 V=1 BOARD=x230-flash || touch /tmp/failed_build
           no_output_timeout: 3h
@@ -240,6 +239,127 @@ jobs:
       - store-artifacts:
           path: build/x230-nkstorecli
 
+      - run:
+          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)  
+          command: |
+            ./blobs/xx30/download_clean_me.sh
+      - run:
+          name: x230-maximized
+          command: |
+            rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output x230-maximized hashes
+          command: |
+            cat build/x230-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for x230-maximized
+          command: |
+            tar zcvf build/x230-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/x230-maximized
+
+      - run:
+          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)  
+          command: |
+            ./blobs/xx30/download_clean_me.sh
+      - run:
+          name: t430-hotp-maximized
+          command: |
+            rm -rf build/t430-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-hotp-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output t430-hotp-maximized hashes
+          command: |
+            cat build/t430-hotp-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for t430-hotp-maximized
+          command: |
+            tar zcvf build/t430-hotp-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/t430-hotp-maximized
+
+      - run:
+          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)  
+          command: |
+            ./blobs/xx30/download_clean_me.sh
+      - run:
+          name: x230-maximized
+          command: |
+            rm -rf build/x230-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output x230-maximized hashes
+          command: |
+            cat build/x230-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for x230-maximized
+          command: |
+            tar zcvf build/x230-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/x230-maximized
+
+      - run:
+          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)  
+          command: |
+            ./blobs/xx30/download_clean_me.sh
+      - run:
+          name: x230-hotp-maximized
+          command: |
+            rm -rf build/x230-hotp-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x230-hotp-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output x230-hotp-maximized hashes
+          command: |
+            cat build/x230-hotp-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for x230-hotp-maximized
+          command: |
+            tar zcvf build/x230-hotp-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/x230-hotp-maximized
+
+
+      - run:
+          name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)  
+          command: |
+            ./blobs/xx30/download_clean_me.sh
+      - run:
+          name: t430-maximized
+          command: |
+            rm -rf build/t430-maximized/* build/log/* && make CPUS=4 V=1 BOARD=t430-maximized || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Output t430-maximized hashes
+          command: |
+            cat build/t430-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for t430-maximized
+          command: |
+            tar zcvf build/t430-maximized/logs.tar.gz ./build/log/*
+      - store-artifacts:
+          path: build/t430-maximized
+
       - run:
           name: qemu-coreboot
           command: |

diff --git a/.gitlab-ci.yml.deprecated b/.gitlab-ci.yml.deprecated
@@ -19,6 +19,7 @@ build:
     - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
     - git fetch origin 
     - git reset --hard origin/$CI_COMMIT_REF_NAME
+
     - echo "Removing old x230-flash artifacts..."
     - rm -rf ./build/x230-flash/*
     - rm -rf ./build/log/*
@@ -28,6 +29,7 @@ build:
     - cat ./build/x230-flash/hashes.txt
     - echo "Archiving x230-flash logs..."
     - tar zcvf ./build/x230-flash/logs.tar.gz ./build/log/*
+
     - echo "Removing old t430-flash artifacts..."
     - rm -rf ./build/t430-flash/*
     - rm -rf ./build/log/*
@@ -37,6 +39,17 @@ build:
     - cat ./build/t430-flash/hashes.txt
     - echo "Archiving t430-flash logs..."
     - tar zcvf ./build/t430-flash/logs.tar.gz ./build/log/*
+
+    - echo "Removing old x230-external-flash artifacts..."
+    - rm -rf ./build/x230-external-flash/*
+    - rm -rf ./build/log/*
+    - echo "Building BOARD=x230-external-flash board..."
+    - make BOARD=x230-external-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1)
+    - echo "x230-external-flash hashes:"
+    - cat ./build/x230-external-flash/hashes.txt
+    - echo "Archiving x230-external-flash logs..."
+
+    - tar zcvf ./build/x230-external-flash/logs.tar.gz ./build/log/*
     - echo "Removing old x230-hotp-verification artifacts..."
     - rm -rf ./build/x230-hotp-verification/*
     - rm -rf ./build/log/*
@@ -46,6 +59,7 @@ build:
     - cat ./build/x230-hotp-verification/hashes.txt
     - echo "Archiving x230-hotp-verification logs..."
     - tar zcvf ./build/x230-hotp-verification/logs.tar.gz ./build/log/*
+
     - echo "Removing old x230 artifacts..."
     - rm -rf ./build/x230/*
     - rm -rf ./build/log/*
@@ -75,6 +89,7 @@ build:
     - cat ./build/qemu-coreboot/hashes.txt
     - echo "Archiving qemu-coreboot logs..."
     - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
+
     - echo "Calculate used space for cache"
     - du -shc packages crossgcc build
   artifacts:
@@ -83,5 +98,6 @@ build:
       - ./build/x230-flash
       - ./build/t430-flash
       - ./build/x230-hotp-verification
+      - ./build/x230-external-flash
       - ./build/x230
       - ./build/t430
diff --git a/blobs/xx30/README b/blobs/xx30/README
@@ -0,0 +1,70 @@
+The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t430/downloads/DS032435
+
+This provides latest ME version 8.1.72.3002, for which only BUP and ROMP regions will be kept as non-removable:
+Here is what Lenovo provides as a Summary of Changes:
+Version 8.1.72.3002 (G1RG24WW)
+
+  (Fix) Fixed the following security vulnerabilites: CVE-2017-5711, CVE-2017-5712, CVE-2017-13077, CVE-2017-13078, CVE-2017-13080.
+
+1.0.0:Automatically extract and neuter me.bin
+download_clean_me.sh : Downloads latest ME from lenovo verify checksum, extract ME, neuters ME, relocate and trim it and place it into me.bin
+
+sha256sum:
+c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4  blobs/xx30/me.bin
+
+1.0.1: Extract blobs from rom original and updated to 2.76 BIOS version:
+extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim it, modify BIOS and ME region of IFD and place output files into this dir.
+
+sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent.
+
+
+
+
+1.1: Manually generating blobs
+--------------------
+Manually generate me.bin:
+You can arrive to the same result of the following me.bin by doing the following manually:
+wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe && innoextract g1rg24ww.exe && python ~/me_cleaner/me_cleaner.py -r -t -O ~/heads/blobs/xx30/me.bin app/ME8_5M_Production.bin
+
+sha256sums:
+f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153  g1rg24ww.exe
+821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa  app/ME8_5M_Production.bin
+c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4  blobs/xx30/me.bin
+
+ifd.bin was extracted from sacrificed X230 (dead motherboard) fron an external flashrom backup (no way found to be able to extract it from Lenovo firmware upgrades as of now):
+python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/xx30/ifd.bin -M /tmp/temporary_me.bin dead_serving_a_purpose_x230_bottom_spi_backup.rom
+
+sha256sum:
+c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b  ifd.bin
+
+ls -al blobs/xx30/*.bin
+-rw-r--r-- 1 user user  8192 Oct 25 14:07 gbe.bin
+-rw-r--r-- 1 user user  4096 Oct 28 16:19 ifd.bin
+-rw-r--r-- 1 user user 98304 Oct 28 16:15 me.bin
+
+
+Manually regenerate gbe.bin:
+blobs/x230/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510 
+And then by following those instructions:
+# Use this target to generate GbE for X220/x230
+gen-gbe-82579LM:
+	cd build/coreboot-*/util/bincfg/
+	make	
+	./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin
+	# duplicate binary as per spec
+	cat gbe1.bin gbe1.bin > ../../../../blobs/xx30/gbe.bin
+	rm -f gbe1.bin
+	cd -
+
+sha256sum:
+9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5  blobs/xx30/gbe.bin
+------------------------
+
+Notes: as specified in first link, this ME can be deployed to:
+    Helix (Type 3xxx)
+    T430, T430i, T430s, T430si, T431s
+    T530, T530i
+    W530
+    X1 Carbon (Type 34xx), X1 Helix (Type 3xxx), X1 Helix (Type 3xxx) 3G
+    X230, X230i, X230 Tablet, X230i Tablet, X230s
+
diff --git a/blobs/xx30/download_clean_me.sh b/blobs/xx30/download_clean_me.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+function printusage {
+  echo "Usage: $0 -m <me_cleaner>(optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:" opt; do
+  case $opt in
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+  esac
+done
+
+FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4  $BLOBDIR/me.bin"
+ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153  g1rg24ww.exe"
+ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa  app/ME8_5M_Production.bin"
+
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..."
+wget  https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || ( echo "ERROR: wget not found" && exit 1 ) 
+echo "### Verifying expected hash of g1rg24ww.exe"
+echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 )
+
+echo "### Extracting g1rg24ww.exe..."
+innoextract ./g1rg24ww.exe || exit 1 "Failed calling innoextract. Tool installed on host?"
+echo "### Verifying expected hash of app/ME8_5M_Production.bin"
+echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 )
+
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
+$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin
+echo "### Verifying expected hash of me.bin"
+echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 )
+
+
+echo "###Cleaning up..."
+cd - 
+rm -r "$extractdir"
diff --git a/blobs/xx30/extract.sh b/blobs/xx30/extract.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+function printusage {
+  echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"
+  exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+  case $opt in
+    f)
+      FILE="$OPTARG"
+      ;;
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+    i)
+      if [ -x "$OPTARG" ]; then
+        IFDTOOL="$OPTARG"
+      fi
+      ;;
+  esac
+done
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+if [ -z "$IFDTOOL" ]; then
+  IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+  if [ -z "$IFDTOOL" ]; then
+    echo "ifdtool required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+echo "FILE: $FILE"
+echo "ME: $MECLEAN"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+echo "###Copying $FILE under $bioscopy"
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+echo "###Unlocking $bioscopy IFD..."
+$IFDTOOL -u $bioscopy
+echo "###Extracting regions from ROM..."
+$IFDTOOL -x $bioscopy
+echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... "
+$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy"
+
+echo "###Cleaning up..."
+rm "$bioscopy"
+rm -r "$extractdir"
diff --git a/blobs/xx30/gbe.bin b/blobs/xx30/gbe.bin