Merge pull request linuxboot#1282 from rbreslow/rb/support-t440p

tlaurion · Feb 28, 2023 · 3ac896b · 3ac896b
2 parents c4b964c + 1dd9c26
commit 3ac896b
Show file tree

Hide file tree

Showing 11 changed files with 620 additions and 4 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -15,7 +15,7 @@ commands:
           command: |
             ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime
             apt update
-            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools
+            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools sharutils e2fsprogs parted curl unzip
       - run:
           name: Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED)
           command: |
@@ -217,7 +217,7 @@ workflows:
           requires:
             - prep_env
 
-      # Coreboot 4.15
+      # Coreboot 4.17
       - build_and_persist:
           name: librem_14
           target: librem_14
@@ -234,8 +234,7 @@ workflows:
           requires:
             - prep_env
 
-      #Cache one workspace per Coreboot version, ideally the boards including the highest number of modules, since not rebuilt across builds.
-      #Below, 4.11, 4.13, 4.17
+      #Cache one workspace per architecture. Make sure workspace caches are chainloaded and the last in chain for an arch is saved.
       - save_cache:
           requires:
             - librem_14
@@ -443,6 +442,20 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: t440p-maximized
+          target: t440p-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
+      - build:
+          name: t440p-hotp-maximized
+          target: t440p-hotp-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
       - build:
           name: qemu-coreboot
           target: qemu-coreboot

diff --git a/blobs/haswell/obtain-mrc b/blobs/haswell/obtain-mrc
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+    echo -n \
+        "Usage: $(basename "$0") path_to_output_directory
+Obtain mrc.bin from a Haswell Chromebook firmware image.
+"
+}
+
+MRC_BIN_HASH="d368ba45096a3b5490ed27014e1f9004bc363434ffdce0c368c08a89c4746722"
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+    if [[ "${1:-}" == "--help" ]]; then
+        usage
+    else
+        if [[ -z "${COREBOOT_DIR}" ]]; then
+            echo "ERROR: No COREBOOT_DIR variable defined."
+            exit 1
+        fi
+
+        output_dir="$(realpath "${1:-./}")"
+
+        # Obtain mrc.bin from a Haswell Chromebook firmware image.
+        # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin
+        if [[ ! -f "${output_dir}/mrc.bin" ]]; then
+            pushd "${COREBOOT_DIR}"
+
+            make -C util/cbfstool
+            cd util/chromeos
+            ./crosfirmware.sh peppy
+            ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION
+
+            mv mrc.bin "${output_dir}/mrc.bin"
+
+            popd
+        fi
+
+        if ! echo "${MRC_BIN_HASH} ${output_dir}/mrc.bin" | sha256sum --check; then
+            echo "ERROR: SHA256 checksum for mrc.bin doesn't match."
+            exit 1
+        fi
+    fi
+fi
diff --git a/blobs/t440p/README.md b/blobs/t440p/README.md
@@ -0,0 +1,42 @@
+# T440p Blobs
+
+- [Overview](#overview)
+- [Using Your Own Blobs](#using-your-own-blobs)
+
+## Overview
+
+Coreboot on the T440p requires the following binary blobs:
+
+- `mrc.bin` - Consists of Intel’s Memory Reference Code (MRC) and [is used to initialize the DRAM](https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html).
+- `me.bin` - Consists of Intel’s Management Engine (ME), which we modify using [me_cleaner](https://github.com/corna/me_cleaner) to remove all but the modules which are necessary for the CPU to function.
+- `gbe.bin` - Consists of hardware/software configuration data for the Gigabit Ethernet (GbE) controller. Intel publishes the data structure [here](https://web.archive.org/web/20230122164346/https://www.intel.com/content/dam/www/public/us/en/documents/design-guides/i-o-controller-hub-8-9-nvm-map-guide.pdf), and an [ImHex](https://github.com/WerWolv/ImHex) hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_lan_nvm.hexpat).
+- `ifd.bin` - Consists of the Intel Flash Descriptor (IFD). Intel publishes the data structure [here](https://web.archive.org/web/20221208011432/https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/io-controller-hub-8-datasheet.pdf), and an ImHex hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_flash_descriptor.hexpat).
+
+Heads supplies an IFD and GbE blob, which we extracted from a donor board. We changed the MAC address of the GbE blob to `00:de:ad:c0:ff:ee` using [nvmutil](https://libreboot.org/docs/install/nvmutil.html), to support anonymity and build reproducibility.
+
+When building any T440p board variant with `make`, the build system will download a copy of the MRC and Intel ME. We extract `mrc.bin` from a Chromebook firmware image and `me.bin` from a Lenovo firmware update.
+
+## Using Your Own Blobs
+
+You can compile Heads using the Intel ME, GbE, and and IFD blobs from your original ROM.
+
+However, it's worth noting that our analysis showed [no tangible difference](https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403) between the Intel ME from a donor board and Lenovo's website. Also, we found [no meaningful difference](https://github.com/osresearch/heads/pull/1282#issuecomment-1400634600) between the IFD and and GbE blobs extracted from two T440ps, asides from the LAN MAC address.
+
+First, make sure you've built Heads at least once in order to download the Coreboot sources:
+
+```console
+$ make BOARD=t440p-hotp-maximized
+```
+
+Then, supply the path to the Coreboot sources via the `COREBOOT_DIR` environment variable, and run the blob-extraction script:
+
+```console
+$ export COREBOOT_DIR="./build/x86/coreboot-4.17/"
+$ ./blobs/t440p/extract /path/to/original_rom.bin ./blobs/t440p
+```
+
+Now, you can rebuild Heads:
+
+```console
+$ make BOARD=t440p-hotp-maximized
+```
diff --git a/blobs/t440p/download-clean-me b/blobs/t440p/download-clean-me
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+    echo -n \
+        "Usage: $(basename "$0") path_to_output_directory
+Download Intel ME firmware from Lenovo, neutralize, and shrink.
+"
+}
+
+ME_BIN_HASH="b7cf4c0cf514bbf279d9fddb12c34fca5c1c23e94b000c26275369b924ab9c25"
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+    if [[ "${1:-}" == "--help" ]]; then
+        usage
+    else
+        if [[ -z "${COREBOOT_DIR}" ]]; then
+            echo "ERROR: No COREBOOT_DIR variable defined."
+            exit 1
+        fi
+
+        output_dir="$(realpath "${1:-./}")"
+
+        if [[ ! -f "${output_dir}/me.bin" ]]; then
+            # Unpack Lenovo's Windows installer into a temporary directory and
+            # extract the Intel ME blob.
+            pushd "$(mktemp -d)"
+
+            curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe
+            innoextract glrg22ww.exe
+
+            mv app/ME9.1_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
+
+            popd
+
+            # Neutralize and shrink Intel ME. Note that this doesn't include
+            # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
+            # High Assurance Program) bits, as they are defined within the Flash
+            # Descriptor.
+            # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+            pushd "${COREBOOT_DIR}/util/me_cleaner"
+
+            python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin
+
+            mv me_shrinked.bin "${output_dir}/me.bin"
+            rm ./*.bin
+
+            popd
+        fi
+
+        if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then
+            echo "ERROR: SHA256 checksum for me.bin doesn't match."
+            exit 1
+        fi
+    fi
+fi
diff --git a/blobs/t440p/extract b/blobs/t440p/extract
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+    echo -n \
+        "Usage: $(basename "$0") path_to_original_rom path_to_output_directory
+Extract Intel firmware from the original ROM.
+"
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+    if [[ "${1:-}" == "--help" ]]; then
+        usage
+    else
+        if [[ -z "${COREBOOT_DIR}" ]]; then
+            echo "ERROR: No COREBOOT_DIR variable defined."
+            exit 1
+        fi
+
+        original_rom="$(realpath "$1")"
+        output_dir="$(realpath "${2:-./}")"
+
+        # Neutralize Intel ME and resize the Intel Flash Descriptor (IFD)
+        # layout.
+        # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+        pushd "${COREBOOT_DIR}/util/me_cleaner"
+
+        python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "${original_rom}"
+
+        mv ifd_shrinked.bin "${output_dir}/ifd.bin"
+        mv me_shrinked.bin "${output_dir}/me.bin"
+        rm ./*.bin
+
+        popd
+
+        # Extract the Intel Gigabit Ethernet (GbE) firmware.
+        pushd "${COREBOOT_DIR}/util/ifdtool"
+
+        make
+        ./ifdtool -x "${original_rom}"
+
+        mv flashregion_3_gbe.bin "${output_dir}/gbe.bin"
+        rm ./*.bin
+
+        popd
+    fi
+fi
diff --git a/blobs/t440p/gbe.bin b/blobs/t440p/gbe.bin
diff --git a/blobs/t440p/ifd.bin b/blobs/t440p/ifd.bin
diff --git a/boards/t440p-hotp-maximized/t440p-hotp-maximized.config b/boards/t440p-hotp-maximized/t440p-hotp-maximized.config
@@ -0,0 +1,6 @@
+# Inherit the rest from the base T440p config.
+include $(pwd)/boards/t440p-maximized/t440p-maximized.config
+
+CONFIG_HOTPKEY=y
+
+export CONFIG_BOARD_NAME="ThinkPad T440p-hotp-maximized"
diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config
@@ -0,0 +1,60 @@
+# Configuration for a ThinkPad T440p.
+CONFIG_COREBOOT_CONFIG=config/coreboot-t440p.config
+# TODO: Make a ThinkPad-common Linux config file.
+CONFIG_LINUX_CONFIG=config/linux-t440p.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
+# for a console-based menu.
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="ThinkPad T440p-maximized"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+
+# Make the Coreboot build depend on the following 3rd party blobs:
+$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
+    $(pwd)/blobs/haswell/mrc.bin $(pwd)/blobs/t440p/me.bin
+
+$(pwd)/blobs/haswell/mrc.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/haswell/obtain-mrc $(pwd)/blobs/haswell
+
+$(pwd)/blobs/t440p/me.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/t440p/download-clean-me $(pwd)/blobs/t440p
+
+# Haswell boards have an 8 MiB and 4 MiB SPI flash chip. So, we split the
+# Coreboot ROM into two files to flash one on each chip.
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
+	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+	@sha256sum $@ | tee -a "$(HASHES)"
diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config
@@ -0,0 +1,18 @@
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0x800000
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T440P=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off"
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_HAVE_MRC=y
+CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"