diff --git a/blobs/t420/extract.sh b/blobs/t420/extract.sh new file mode 100755 index 000000000..e34c3f907 --- /dev/null +++ b/blobs/t420/extract.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +function printusage { + echo "Usage: $0 -f -m (optional) -i (optional)" + exit 0 +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":f:m:i:" opt; do + case $opt in + f) + FILE="$OPTARG" + ;; + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + i) + if [ -x "$OPTARG" ]; then + IFDTOOL="$OPTARG" + fi + ;; + esac +done + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +if [ -z "$IFDTOOL" ]; then + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` + if [ -z "$IFDTOOL" ]; then + echo "ifdtool required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +echo "FILE: $FILE" +echo "ME: $MECLEAN" +echo "IFD: $IFDTOOL" + +bioscopy=$(mktemp) +extractdir=$(mktemp -d) + +cp "$FILE" $bioscopy + +cd "$extractdir" +$IFDTOOL -x $bioscopy +cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" +$MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" +$IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy +$IFDTOOL -x $bioscopy.new +cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" + +rm "$bioscopy" +rm "$bioscopy.new" +rm -r "$extractdir" diff --git a/blobs/t420/layout.txt b/blobs/t420/layout.txt new file mode 100644 index 000000000..bbd90962c --- /dev/null +++ b/blobs/t420/layout.txt @@ -0,0 +1,4 @@ +00000000:00000fff fd +00018000:007fffff bios +00003000:00017fff me +00001000:00002fff gbe diff --git a/blobs/t420/readme.md b/blobs/t420/readme.md new file mode 100644 index 000000000..4a40a0528 --- /dev/null +++ b/blobs/t420/readme.md @@ -0,0 +1,29 @@ +To build for T420, we need to have the following files in this folder: +* `me.bin` - ME binary that has been stripped and truncated with me_cleaner +* `gbe.bin` - Network card blob from the original firmware +* `ifd.bin` - Flash layout file has been provided as text + +To get the binaries, start with a copy of the original Lenovo firmware image. +If you do not have one already, you can read one out from the laptops SPI flash with flashrom + +``` +flashrom -p -r original.bin +``` + +Set `` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi). + +Once you have the image, the provided extraction script will extract the files needed. + +``` +./extract.sh -f +``` + +Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically. + +The flash layout will be automatically adjusted and the ME image cleaned and truncated. + +You can now compile the image with: + +``` +make BOARD=t420 +``` diff --git a/blobs/x220/extract.sh b/blobs/x220/extract.sh index 173ed7fc6..e34c3f907 100755 --- a/blobs/x220/extract.sh +++ b/blobs/x220/extract.sh @@ -5,6 +5,8 @@ function printusage { exit 0 } +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + if [ "$#" -eq 0 ]; then printusage; fi while getopts ":f:m:i:" opt; do @@ -26,7 +28,7 @@ while getopts ":f:m:i:" opt; do done if [ -z "$MECLEAN" ]; then - MECLEAN=`command -v me_cleaner.py 2>&1` + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` if [ -z "$MECLEAN" ]; then echo "me_cleaner.py required but not found or specified with -m. Aborting." exit 1; @@ -34,7 +36,7 @@ if [ -z "$MECLEAN" ]; then fi if [ -z "$IFDTOOL" ]; then - IFDTOOL=`command -v ifdtool 2>&1` + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` if [ -z "$IFDTOOL" ]; then echo "ifdtool required but not found or specified with -m. Aborting." exit 1; @@ -47,7 +49,6 @@ echo "IFD: $IFDTOOL" bioscopy=$(mktemp) extractdir=$(mktemp -d) -BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cp "$FILE" $bioscopy diff --git a/boards/t420/t420.config b/boards/t420/t420.config new file mode 100644 index 000000000..77f51f2e7 --- /dev/null +++ b/boards/t420/t420.config @@ -0,0 +1,36 @@ +# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. +export CONFIG_COREBOOT=y +CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +CONFIG_DROPBEAR=y + +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" +export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config new file mode 100644 index 000000000..80bee434a --- /dev/null +++ b/boards/t430-flash/t430-flash.config @@ -0,0 +1,28 @@ +# Minimal configuration for a t430 to support flashrom, USB and networking +BOARD=t430.flash + +export CONFIG_COREBOOT=y +CONFIG_FLASHROM=y +#CONFIG_GPG=y +CONFIG_FLASHTOOLS=y +CONFIG_PCIUTILS=y +#CONFIG_MBEDTLS=y +#CONFIG_QRENCODE=y +#CONFIG_TPMTOTP=y +#CONFIG_DROPBEAR=y + +CONFIG_LINUX_CONFIG=config/linux-x230-flash.config +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_BOOTSCRIPT=/bin/install.init + +# This board is "special" in that we only want the top 4 MB of the ROM +# for flashing into SPI flash 1 on the mainboard. This is enough to +# allow the board to boot into a minimal Heads and read the full +# ROM from an external USB media. +all: $(build)/$(BOARD)/$(BOARD).rom +$(build)/$(BOARD)/$(BOARD).rom: $(build)/$(BOARD)/coreboot.rom + dd of=$@ if=$< bs=65536 count=64 skip=128 + sha256sum $@ diff --git a/boards/t430/t430.config b/boards/t430/t430.config new file mode 100644 index 000000000..4ed35901f --- /dev/null +++ b/boards/t430/t430.config @@ -0,0 +1,44 @@ +# Configuration for a t430 running Qubes and other OSes +export CONFIG_COREBOOT=y +CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +CONFIG_DROPBEAR=y + +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad T430 Heads Boot Menu" +export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" + +# This board has two SPI flash chips, an 8 MB that holds the IFD, +# the ME image and part of the coreboot image, and a 4 MB one that +# has the rest of the coreboot and the reset vector. +# +# Only flashing to the bios region is safe to do. The easiest is to +# flash internally when the IFD is unlocked for writing, and x230-flash +# is installed first. diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 0b901bdba..f3e4372c3 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,12 +1,12 @@ -# Configuration for a x220 running Qubes and other OS -# The Linux configuration is close enough to the x230 +# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y -CONFIG_GPG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y @@ -17,14 +17,20 @@ CONFIG_QRENCODE=y CONFIG_TPMTOTP=y CONFIG_DROPBEAR=y +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y -export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n -export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index b10d17aff..17be7fafd 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -16,7 +16,7 @@ CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y export CONFIG_USB_BOOT_DEV="/dev/sdb1" -export CONFIG_BOOTSCRIPT=/bin/x230-flash.init +export CONFIG_BOOTSCRIPT=/bin/install.init # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config new file mode 100644 index 000000000..dcd0cda30 --- /dev/null +++ b/config/coreboot-t420.config @@ -0,0 +1,25 @@ +CONFIG_LOCALVERSION="heads" +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x7e8000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/t420/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/t420/me.bin" +CONFIG_BOARD_LENOVO_T420=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_CHECK_ME=y +CONFIG_GBE_BIN_PATH="../../blobs/t420/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" +CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-t430-flash.config b/config/coreboot-t430-flash.config new file mode 100644 index 000000000..c0b0c9777 --- /dev/null +++ b/config/coreboot-t430-flash.config @@ -0,0 +1,18 @@ +CONFIG_LOCALVERSION="heads" +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x400000 +# CONFIG_POST_DEVICE is not set +CONFIG_DRIVERS_UART_8250IO=y +CONFIG_BOARD_LENOVO_THINKPAD_T430=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_UART_PCI_ADDR=0 +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t430-flash/bzImage" +CONFIG_LINUX_INITRD="../../build/t430-flash/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-t430.config b/config/coreboot-t430.config new file mode 100644 index 000000000..b21181194 --- /dev/null +++ b/config/coreboot-t430.config @@ -0,0 +1,24 @@ +CONFIG_LOCALVERSION="heads" +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x700000 +# CONFIG_POST_IO is not set +# CONFIG_POST_DEVICE is not set +CONFIG_DRIVERS_UART_8250IO=y +CONFIG_BOARD_LENOVO_THINKPAD_T430=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_UART_PCI_ADDR=0 +CONFIG_NO_GFX_INIT=y +# CONFIG_CONSOLE_SERIAL is not set +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t430/bzImage" +CONFIG_PAYLOAD_OPTIONS="" +# CONFIG_PXE is not set +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" +CONFIG_LINUX_INITRD="../../build/t430/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index a91aef7dc..03f227f01 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -17,9 +17,8 @@ CONFIG_NO_POST=y CONFIG_CHECK_ME=y CONFIG_GBE_BIN_PATH="../../blobs/x220/gbe.bin" CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 -CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/x220/bzImage" -CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/x220/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index e89c9a98c..b33bfcdf4 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -13,11 +13,20 @@ case "$CONFIG_BOARD" in x230* ) FLASHROM_OPTIONS='--force --noverify-all --programmer internal --ifd --image bios' ;; + t430* ) + FLASHROM_OPTIONS='--force --noverify-all --programmer internal:laptop=force_I_want_a_brick --ifd --image bios' + ;; + t420* ) + FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick --ifd --image bios' + ;; + x220* ) + FLASHROM_OPTIONS='--force --noverify-all -p internal --ifd --image bios -c MX25L6405D' + ;; "kgpe-d16" ) FLASHROM_OPTIONS='--force --noverify --programmer internal' ;; * ) - die "ERROR: No board has been configured!\n\nEach board requires specific flashrom options and it's unsafe to flash without them.\n\nAborting." + die "ERROR: No board has been configured!\nEach board requires specific flashrom options and it's unsafe to flash without them.\nAborting." ;; esac diff --git a/initrd/bin/x230-flash.init b/initrd/bin/install.init similarity index 92% rename from initrd/bin/x230-flash.init rename to initrd/bin/install.init index e02dcf5d8..872ebb861 100755 --- a/initrd/bin/x230-flash.init +++ b/initrd/bin/install.init @@ -20,7 +20,7 @@ echo '' echo 'To install from flash drive:' echo '' echo ' mount -o ro /dev/sdb1 /media' -echo ' flashrom-x230.sh /media/x230.rom' +echo ' flash.sh /media/' echo '' exec /bin/ash