X200-maximized board addition

-Without TPM nor HOTP support. Basically useable to boot Tails from USB SDCARD adapter, with SDCARD set in read only mode. Based on past work https://github.com/tlaurion/heads/tree/x200_readd Adds: - gbe.bin in tree (generated with bincfg) - unlocked ifd.bin in tree (generated by bincfg and unlucked with ifdtool) - extract.sh script (which extracts gbe.bin from backup with ifdtool and replaced gbe.bin in tree) Fixes linuxboot#878
tlaurion · Dec 15, 2020 · a7438fc · a7438fc
1 parent a81ae6e
commit a7438fc
Show file tree

Hide file tree

Showing 9 changed files with 510 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -326,6 +326,26 @@ jobs:
       - store-artifacts:
           path: build/t430-flash
 
+      - run:
+          name: x200-maximized
+          command: |
+            rm -rf build/x200-maximized/* build/log/* && make CPUS=4 V=1 BOARD=x200-maximized  || touch /tmp/failed_build
+          no_output_timeout: 3h
+      - run:
+          name: Output build failing logs
+          command: |
+            if [[ -f /tmp/failed_build ]]; then find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Not failing. Continuing..."; fi
+      - run:
+          name: Ouput x200-maximized hashes
+          command: |
+            cat build/x200-maximized/hashes.txt \
+      - run:
+          name: Archiving build logs for x200-maximized
+          command: |
+             tar zcvf build/x200-maximized/logs.tar.gz build/log/*
+      - store-artifacts:
+          path: build/x200-maximized
+
       - run:
           name: t430
           command: |

diff --git a/blobs/xxx0/README b/blobs/xxx0/README
@@ -0,0 +1,35 @@
+Coreboot supports generating modified ifd and gbe out of the box.
+To replicate the blobs in this directory (based on coreboot 4.8.1 but simply replace version in paths):
+
+make BOARDS=x200
+
+This will create the ROM.
+
+Then (considering you git clone heads under ~)
+
+#To generate GBE and IFD
+cd ~/heads/build/coreboot-4.8.1/util/bincfg
+make gen-gbe-ich9m
+make gen-ifd-x200
+mv flashregion_0_fd.bin ../../../../blobs/xxx0/ifd.bin
+mv flashregion_3_gbe.bin ../../../../blobs/xxx0/gbe.bin
+
+#To unlock IFD, permitting to reflash whole flash internally
+cd ~/heads/build/coreboot-4.8.1/util/ifdtool
+make
+cd ~/heads/blobs/xxx0/
+~/heads/build/coreboot-4.8.1/util/ifdtool/ifdtool -u ifd.bin
+mv ifd.bin.new ifd.bin
+
+sha256sum -c hashes.txt
+
+should output:
+gbe.bin: OK
+ifd.bin: OK
+
+DISCLAIMER: Considering neither gbe.bin nor ifd.bin are proprietary blobs (generated from specifications), those blobs are in tree to ease ROM reproducibility.
+
+Note that MAC address is fixed under gbe-ich9m.spec to DE:AD:C0:FF:EE. 
+- If you want to keep your MAC, call extract.sh prior of building ROM.
+- If you want to fixate your MAC to a custom address, change it under ~/heads/build/coreboot-4.8.1/util/bincfg/gbe-ich9m.spec prior of generating the gbe.bin above
+
diff --git a/blobs/xxx0/extract.sh b/blobs/xxx0/extract.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+function printusage {
+  echo "Usage: $0 -f <romdump> -i <ifdtool>(optional)"
+  exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+  case $opt in
+    f)
+      FILE="$OPTARG"
+      ;;
+    i)
+      if [ -x "$OPTARG" ]; then
+        IFDTOOL="$OPTARG"
+      fi
+      ;;
+  esac
+done
+
+if [ -z "$IFDTOOL" ]; then
+  IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+  if [ -z "$IFDTOOL" ]; then
+    echo "ifdtool required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+echo "FILE: $FILE"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+echo "###Copying $FILE under $bioscopy"
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+echo "###Unlocking $bioscopy IFD..."
+$IFDTOOL -u $bioscopy
+echo "###Extracting regions from ROM..."
+$IFDTOOL -x $bioscopy.new
+echo "###Copying GBE region under $BLOBDIR/gbe.bin..."
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+
+echo "###Cleaning up..."
+rm "$bioscopy"
+rm -r "$extractdir"
diff --git a/blobs/xxx0/gbe.bin b/blobs/xxx0/gbe.bin
diff --git a/blobs/xxx0/hashes.txt b/blobs/xxx0/hashes.txt
@@ -0,0 +1,2 @@
+7917e0f0eb16c895da25d8acf01155e88ca189724c48a14cd1645d0d09f1cf5b  gbe.bin
+7415548cbe93b5543c6ccbf1b8d9d4f4ef794c4f376e46638a25f84378c19872  ifd.bin
diff --git a/blobs/xxx0/ifd.bin b/blobs/xxx0/ifd.bin
diff --git a/boards/x200-maximized/x200-maximized.config b/boards/x200-maximized/x200-maximized.config
@@ -0,0 +1,62 @@
+# Configuration for a x200 running non-Qubes OSes.
+#
+# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
+# dropbear support(ssh client/server)
+# e1000e (ethernet driver)
+#
+# Includes (read blobs/xxx0/README) 
+# - Generated IFD from bincfg 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/ifd-x200.set
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x200-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x200.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=n
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=n
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off i915.modeset=1 video=1280x800"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad X200-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
diff --git a/config/coreboot-x200-maximized.config b/config/coreboot-x200-maximized.config
@@ -0,0 +1,15 @@
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x700000
+CONFIG_BOARD_LENOVO_X200=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/xxx0/ifd.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xxx0/gbe.bin"
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x200-maximized/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x200-maximized/initrd.cpio.xz"