system76 · crawfxrd · Dec 21, 2021 · Dec 21, 2021 · Dec 21, 2021 · Dec 21, 2021
diff --git a/.gitmodules b/.gitmodules
@@ -82,10 +82,6 @@
 	path = FSP
 	url = https://github.com/IntelFsp/FSP.git
 	branch = master
-[submodule "libs/smmstore"]
-	path = libs/smmstore
-	url = https://github.com/system76/smmstore.git
-	branch = master
 [submodule "apps/firmware-smmstore"]
 	path = apps/firmware-smmstore
 	url = https://github.com/system76/firmware-smmstore.git

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,12 +4,22 @@ Changes are identified by the date of the released firmware including them. If
 you are running System76 Open Firmware, opening the boot menu will show this
 date followed by an underscore and a short git revision.
 
+## 2021-12-21
+
+- Added support to enable/disable Intel ME via the CMOS option `me_state`
+- Enabled coreboot measured boot
+- Updated Rust toolchain to nightly-2021-06-15
+- Updated coreboot to 4.15
+- Updated EDK2 to edk2-stabke202108
+- Updated TGL-U microcode blobs to revision 0x9a
+- Updated TGL-H microcode blobs to revision 0x3c
+- Updated all other boards to use microcode blobs from Intel's public repo
+- Updated TGL FSP to A.0.51.31 from Intel's public repo
+- Removed behavior of erasing NVRAM on CMOS reset
+
 ## 2021-09-30
 
 - gaze16: Do not require unplugging the AC adapter after flashing
-
-## 2021-09-29
-
 - gaze16: Fix using USB 2.0 devices in Type-C port
 
 ## 2021-09-23

diff --git a/README.md b/README.md
@@ -10,15 +10,14 @@ manager:
 
 - addw2
 - bonw14
-- darp5
 - darp6
 - darp7
-- galp3-c
 - galp4
 - galp5
 - gaze15
 - gaze16-3050
 - gaze16-3060
+- gaze16-3060-b
 - lemp9
 - lemp10
 - oryp6
@@ -31,18 +30,18 @@ seen in the `models/` directory.
 If the device becomes bricked it will require restoring the current firmware
 using an external programmer. See [flashing](./docs/flashing.md) for details.
 
-## Changelog
+### Schematics
 
-For a list of important changes please see the [changelog](./CHANGELOG.md).
+System76 customers may request board schematics for their system by sending an
+email to firmware@system76.com with the subject line  "Schematics for _model_",
+where _model_ is one of the supported models listed above. Please include the
+serial number of your system for verification.
 
-## Schematics
+You may not share these without explicit permission from System76.
 
-System76 customers may request board schematics by sending an email to
-firmware@system76.com with the subject line  "Schematics for _model_", where
-_model_ is the name of a directory in the `models/` directory, such as darp6.
-Please include the serial number of your system for verification.
+## Changelog
 
-You may not share these without explicit permission from System76.
+For a list of important changes please see the [changelog](./CHANGELOG.md).
 
 ## Dependencies
 
@@ -65,18 +64,3 @@ source ~/.cargo/env
 ```
 ./scripts/qemu.sh
 ```
-
-## Contents
-
-- [apps](./apps) - Applications
-- [coreboot](https://github.com/system76/coreboot.git) - coreboot README
-- [docs](./docs) - System76 Open Firmware Documentation
-- [ec](https://github.com/system76/ec.git) - System76 EC
-- [edk2](https://github.com/system76/edk2.git) - EDK II Project
-- [edk2-non-osi](https://github.com/tianocore/edk2-non-osi.git)
-- [edk2-platforms](https://github.com/system76/edk2-platforms.git) - This branch holds all platforms actively maintained against the
-- [FSP](https://github.com/IntelFsp/FSP.git) - Intel® Firmware Support Package (Intel® FSP) Binaries
-- [libs](./libs) - Libraries
-- [models](./models) - Models
-- [scripts](./scripts)
-- [tools](./tools) - Tools
diff --git a/README.md.in b/README.md.in
diff --git a/apps/firmware-setup b/apps/firmware-setup
diff --git a/apps/firmware-smmstore b/apps/firmware-smmstore
diff --git a/apps/firmware-update b/apps/firmware-update
diff --git a/apps/gop-policy b/apps/gop-policy
diff --git a/coreboot b/coreboot
diff --git a/docs/intel-me.md b/docs/intel-me.md
@@ -1,26 +1,43 @@
 # Intel Management Engine
 
-Intel-based machines by System76 come with the [Intel Management Engine][wiki]
-disabled. It is a proprietary, mostly undocumented, system that provides many
-extraneous features that are generally not usable or useful to our users, with
-multiple known vulnerabilities that compromise the entire system.
+[Intel Management Engine][wiki] is a proprietary, mostly undocumented, firmware
+system that provides many extraneous features that are generally not usable or
+useful to our users, with multiple known vulnerabilities that compromise the
+entire system.
 
 The Intel ME is _required_ (since Nehalem, 2008), so cannot be removed. The
-[me\_cleaner] project is able to remove non-essential components, but currently
-does not support the ME version used on many of our systems. Instead, we [send
-a HECI command][heci_disable] to tell the Intel ME to disable runtime
-components during early boot.
+[me\_cleaner] project is able to remove non-essential components, but does not
+support the ME version used on many of our systems. Instead, we [send a HECI
+command][CB52800] to tell the Intel ME to disable runtime components during
+early boot.
+
+Most Intel-based machines from System76 come with the IME disabled.
+
+## Configuring
+
+The IME can be enabled or disabled via the coreboot CMOS option `me_state`.
+The value can be set using coreboot's nvramtool.
+
+```
+make -C coreboot/util/nvramtool
+sudo ./coreboot/util/nvramtool/nvramtool -w me_state={Enable,Disable}
+```
+
+A restart is required for the change to take effect. On the boot after changing
+the value, the system will perform a global reset (power off again) to complete
+the change and ensure the IME is operating in a valid state.
 
 ## Tiger Lake-U
 
-Models using TGL-U processors currently leave the IME enabled. TGL-U removes
+Models using TGL-U processors default to having the IME enabled. TGL-U removes
 support for S3 and requires S0ix. This requires all CPU, PCH, and PCIe devices
 to have ACPI defined low power states. With S0ix, the CPU has numerous states
 for low power, with the lowest being C10. In order to reach this C10 state, the
 IME must report that it is in a low power state. Disabling the ME with the HAP
 bit keeps the CPU in the C8 state. This nearly triples the power usage in S0ix
 suspend, from around 1 watt to around 3 watts.
 
+
 [wiki]: https://en.wikipedia.org/wiki/Intel_Management_Engine
 [me\_cleaner]: https://github.com/corna/me_cleaner
-[heci_disable]: https://github.com/system76/coreboot/blob/011439cb9196d6a71d394ead8c98dfd8ead325d4/src/soc/intel/cannonlake/me.c#L186
+[CB52800]: https://review.coreboot.org/c/coreboot/+/52800
diff --git a/docs/uefi.md b/docs/uefi.md
@@ -0,0 +1,27 @@
+# UEFI
+
+System76 uses [EDK2](https://github.com/tianocore/edk2) to implement UEFI.
+
+[coreboot](https://coreboot.org/) is used for Platform Initialization (PI).
+
+## Booting
+
+System76 Open Firmware only supports UEFI booting. Legacy BIOS-MBR booting is
+not supported. `\EFI\BOOT\BOOTX64.EFI` must exist on the EFI System Partition
+to be considered valid.
+
+Network functionality is disabled. Native PXE booting is not supported.
+
+### Secure Boot
+
+Secure Boot support is currently disabled.
+
+The implementation from 9elements is in development. If building a custom
+image, the edk2 config `SECURE_BOOT_ENABLE` can be set to enable support.
+
+There is currently no firmware UI to view or configure Secure Boot.
+
+## Shell
+
+The internal UEFI shell is disabled. A separate binary on a bootable drive
+must be used to access the shell environment.
diff --git a/edk2 b/edk2
diff --git a/libs/ecflash b/libs/ecflash
diff --git a/libs/intel-spi b/libs/intel-spi
diff --git a/libs/smmstore b/libs/smmstore
diff --git a/libs/uefi b/libs/uefi
diff --git a/libs/uefi_alloc b/libs/uefi_alloc
diff --git a/libs/uefi_std b/libs/uefi_std
diff --git a/models/addw1/coreboot.config b/models/addw1/coreboot.config
@@ -14,7 +14,8 @@ CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x20000000
 CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
-CONFIG_SUBSYSTEM_DEVICE_ID=0x65d1
-CONFIG_SUBSYSTEM_VENDOR_ID=0x1558
+CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/addw1/edk2.config b/models/addw1/edk2.config
@@ -0,0 +1,7 @@
+DISABLE_SERIAL_TERMINAL=TRUE
+PLATFORM_BOOT_TIMEOUT=2
+#SECURE_BOOT_ENABLE=TRUE
+SERIAL_DRIVER_ENABLE=FALSE
+SHELL_TYPE=NONE
+TPM_ENABLE=TRUE
+#SYSTEM76_EC_LOGGING=TRUE
diff --git a/models/addw2/coreboot.config b/models/addw2/coreboot.config
@@ -2,8 +2,7 @@ CONFIG_VENDOR_SYSTEM76=y
 CONFIG_BOARD_SYSTEM76_ADDW2=y
 CONFIG_CCACHE=y
 CONFIG_CONSOLE_SERIAL=n
-CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y
-CONFIG_CPU_UCODE_BINARIES="$(FIRMWARE_OPEN_MODEL_DIR)/microcode.rom"
+CONFIG_CPU_MICROCODE_CBFS_DEFAULT_BINS=y
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_HAVE_ME_BIN=y
 CONFIG_IFD_BIN_PATH="$(FIRMWARE_OPEN_MODEL_DIR)/fd.rom"
@@ -15,7 +14,8 @@ CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x20000000
 CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
-CONFIG_SUBSYSTEM_DEVICE_ID=0x65e1
-CONFIG_SUBSYSTEM_VENDOR_ID=0x1558
+CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/addw2/edk2.config b/models/addw2/edk2.config
@@ -0,0 +1,7 @@
+DISABLE_SERIAL_TERMINAL=TRUE
+PLATFORM_BOOT_TIMEOUT=2
+#SECURE_BOOT_ENABLE=TRUE
+SERIAL_DRIVER_ENABLE=FALSE
+SHELL_TYPE=NONE
+TPM_ENABLE=TRUE
+#SYSTEM76_EC_LOGGING=TRUE
diff --git a/models/addw2/microcode.rom b/models/addw2/microcode.rom
diff --git a/models/bonw14/coreboot.config b/models/bonw14/coreboot.config
@@ -2,8 +2,7 @@ CONFIG_VENDOR_SYSTEM76=y
 CONFIG_BOARD_SYSTEM76_BONW14=y
 CONFIG_CCACHE=y
 CONFIG_CONSOLE_SERIAL=n
-CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y
-CONFIG_CPU_UCODE_BINARIES="$(FIRMWARE_OPEN_MODEL_DIR)/microcode.rom"
+CONFIG_CPU_MICROCODE_CBFS_DEFAULT_BINS=y
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_HAVE_ME_BIN=y
 CONFIG_IFD_BIN_PATH="$(FIRMWARE_OPEN_MODEL_DIR)/fd.rom"
@@ -15,7 +14,8 @@ CONFIG_PCIEXP_HOTPLUG_MEM=0x2000000
 CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x20000000
 CONFIG_POST_IO=n
 CONFIG_SMMSTORE=y
-CONFIG_SUBSYSTEM_DEVICE_ID=0x7714
-CONFIG_SUBSYSTEM_VENDOR_ID=0x1558
+CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/bonw14/edk2.config b/models/bonw14/edk2.config
@@ -0,0 +1,7 @@
+DISABLE_SERIAL_TERMINAL=TRUE
+PLATFORM_BOOT_TIMEOUT=2
+#SECURE_BOOT_ENABLE=TRUE
+SERIAL_DRIVER_ENABLE=FALSE
+SHELL_TYPE=NONE
+TPM_ENABLE=TRUE
+#SYSTEM76_EC_LOGGING=TRUE
diff --git a/models/bonw14/microcode.rom b/models/bonw14/microcode.rom
diff --git a/models/darp5/coreboot.config b/models/darp5/coreboot.config
@@ -1,14 +1,11 @@
 CONFIG_VENDOR_SYSTEM76=y
 CONFIG_BOARD_SYSTEM76_DARP5=y
-CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Darter Pro"
-CONFIG_MAINBOARD_VERSION="darp5"
 CONFIG_CCACHE=y
 CONFIG_CONSOLE_SERIAL=n
 CONFIG_CPU_MICROCODE_CBFS_DEFAULT_BINS=y
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_HAVE_ME_BIN=y
 CONFIG_IFD_BIN_PATH="$(FIRMWARE_OPEN_MODEL_DIR)/fd.rom"
-CONFIG_INTEL_GMA_VBT_FILE="$(FIRMWARE_OPEN_MODEL_DIR)/vbt.rom"
 CONFIG_ME_BIN_PATH="$(FIRMWARE_OPEN_MODEL_DIR)/me.rom"
 CONFIG_PAYLOAD_ELF=y
 CONFIG_PAYLOAD_FILE="$(FIRMWARE_OPEN_UEFIPAYLOAD)"
@@ -17,7 +14,8 @@ CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x20000000
 CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
-CONFIG_SUBSYSTEM_DEVICE_ID=0x1325
-CONFIG_SUBSYSTEM_VENDOR_ID=0x1558
+CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
+14 −19		Cargo.lock
+5 −6		Cargo.toml
+1 −0		Makefile
+1 −1		rust-toolchain.toml
+1 −0		src/coreboot.rs
+4 −4		src/display.rs
+32 −33		src/fde.rs
+3 −2		src/image/mod.rs
+1 −0		src/key.rs
+2 −4		src/main.rs
+2 −0		src/serial.rs
+5 −2		targets/x86_64-unknown-uefi-drv.json
+13 −20		Cargo.lock
+2 −3		Cargo.toml
+1 −0		Makefile
+1 −1		rust-toolchain.toml
+18 −18		src/lib.rs
+5 −5		src/main.rs
+5 −2		targets/x86_64-unknown-uefi-drv.json
+14 −20		Cargo.lock
+3 −5		Cargo.toml
+1 −1		Makefile
+18 −2		res/firmware.nsh
+1 −1		rust-toolchain.toml
+6 −4		src/app/bios.rs
+1 −1		src/app/component.rs
+6 −6		src/app/ec.rs
+11 −12		src/app/mod.rs
+19 −15		src/display.rs
+1 −1		src/dmi.rs
+1 −0		src/image/mod.rs
+2 −2		src/io.rs
+2 −2		src/key.rs
+9 −11		src/main.rs
+5 −5		src/null.rs
+5 −5		src/text.rs
+8 −6		Cargo.lock
+2 −2		Cargo.toml
+1 −1		rust-toolchain.toml
+4 −4		src/gop_policy.rs
+3 −5		src/main.rs
+5 −2		targets/x86_64-unknown-uefi-drv.json
+1 −1		Cargo.toml
+7 −5		examples/flash.rs
+5 −1		examples/isp.rs
+2 −2		examples/read.rs
+5 −3		src/file.rs
+9 −5		src/flash.rs
+4 −0		src/flasher.rs
+2 −2		src/io.rs
+1 −1		src/lib.rs
+1 −1		src/main.rs
+1 −2		Cargo.toml
+0 −230		examples/flash.rs
+3 −1		examples/read.rs
+4 −6		examples/util/mod.rs
+1 −1		rust-toolchain
+8 −8		src/io.rs
+4 −1		src/lib.rs
+15 −16		src/main.rs
+8 −14		src/mmio.rs