From 3343f8dcbbc608043f32a608ce85e746bba51412 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 7 Sep 2021 13:49:31 -0400
Subject: [PATCH] WiP: io386 on top of coreboot 4.13. Revamps https://github.com/osresearch/heads/pull/326
---
 boards/x230-hotp-maximized/x230-hotp-maximized.config | 1 +
 config/coreboot-x230-hotp-maximized.config | 2 ++
 initrd/bin/generic-init | 9 ---------
 initrd/bin/kexec-boot | 4 ++++
 4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config
index 7fe317d60..2b6011284 100644
--- a/boards/x230-hotp-maximized/x230-hotp-maximized.config
+++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config
@@ -26,6 +26,7 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
+CONFIG_IO386=y
 #Remote attestation support
 #TPM based requirements
diff --git a/config/coreboot-x230-hotp-maximized.config b/config/coreboot-x230-hotp-maximized.config
index e5f0e436a..86417a5f6 100644
--- a/config/coreboot-x230-hotp-maximized.config
+++ b/config/coreboot-x230-hotp-maximized.config
@@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/x230-hotp-maximized/bzImage"
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index 8471c9a92..fa91642ea 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -40,18 +40,12 @@ while true; do
 fi
 if [ "$totp_confirm" = "u" ]; then
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 exec /bin/usb-init
 continue
 fi
 if [ "$totp_confirm" = "m" ]; then
 # Try to select a kernel from the menu
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -m -b /boot -c "grub.cfg"
 continue
@@ -59,9 +53,6 @@ while true; do
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -b /boot -c "grub.cfg" \
 || recovery "Failed default boot"
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index fb9e9edef..ccd6be132 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -127,6 +127,10 @@ fi
 if [ "$dryrun" = "y" ]; then exit 0; fi
+if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+fi
+
 echo "Loading the new kernel:"
 echo "$kexeccmd"
 eval "$kexeccmd" \
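Review bot: The `lock_chip` call added to kexec-boot ignores its exit status, so if the call fails, or the function is not defined in this script's scope, execution still reaches `eval "$kexeccmd"` with the chipset not locked down (unless the script runs under `set -e`, which this hunk does not show). This matters more after this commit because the coreboot config in the same patch leaves `CONFIG_INTEL_CHIPSET_LOCKDOWN` unset, which appears to make this call the only lockdown step before the OS starts. I would fail closed here: `lock_chip || { echo "lock_chip failed, refusing to kexec" >&2; exit 1; }`. The `[ "$CONFIG_IO386" = y ]` guard also skips the lock silently when the variable is unset at runtime, so a comment above it such as `# coreboot lockdown is disabled for this board; this is the only lock before kexec` would help, and it is worth confirming that every boot path reaches kexec through this script. The script continues past the end of the hunk.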