From 50f47e73593d2dcd1f7a16ea8847282688d99791 Mon Sep 17 00:00:00 2001 From: eganonoa <56741779+eganonoa@users.noreply.github.com> Date: Wed, 29 Dec 2021 00:26:38 +0100 Subject: [PATCH] Add support for t430 dgpu-versions Maximized boards being supported here only. I do not have a board to test. But these have been tested as working by another user (see https://github.com/osresearch/heads/issues/1057#issuecomment-1002309781). --- .circleci/config.yml | 19 ++++ blobs/xx30/README_vbios | 1 + blobs/xx30/vbios_t430.sh | 73 +++++++++++++++ .../t430-dgpu-hotp-maximized.config | 91 +++++++++++++++++++ .../t430-dgpu-maximized.config | 90 ++++++++++++++++++ .../coreboot-t430-dgpu-hotp-maximized.config | 29 ++++++ config/coreboot-t430-dgpu-maximized.config | 29 ++++++ 7 files changed, 332 insertions(+) create mode 100755 blobs/xx30/vbios_t430.sh create mode 100644 boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config create mode 100644 boards/t430-dgpu-maximized/t430-dgpu-maximized.config create mode 100644 config/coreboot-t430-dgpu-hotp-maximized.config create mode 100644 config/coreboot-t430-dgpu-maximized.config diff --git a/.circleci/config.yml b/.circleci/config.yml index 2adde8a83..fa30fbe77 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -93,6 +93,11 @@ jobs: command: | ./blobs/xx30/download_clean_me.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py) + - run: + name: Download and extract t430 vbios roms for dgpu boards + command: | + ./blobs/xx30/vbios_t430.sh + - run: name: Download and extract t530 vbios roms for dgpu boards command: | @@ -298,6 +303,13 @@ workflows: requires: - x230-hotp-maximized + - build: + name: t430-dgpu-hotp-maximized + target: t430-dgpu-hotp-maximized + subcommand: "" + requires: + - x230-hotp-maximized + - build: name: x230 target: x230 
@@ -361,6 +373,13 @@ workflows: requires: - x230-hotp-maximized + - build: + name: t430-dgpu-maximized + target: t430-dgpu-maximized + subcommand: "" + requires: + - x230-hotp-maximized + - build: name: t530-maximized target: t530-maximized diff --git a/blobs/xx30/README_vbios b/blobs/xx30/README_vbios index bebcc521e..dbe24b1f2 100644 --- a/blobs/xx30/README_vbios +++ b/blobs/xx30/README_vbios @@ -6,6 +6,7 @@ The scripts require sudo to run, but should be run initally without sudo (e.g. . * For the w530: https://download.lenovo.com/pccbbs/mobiles/g5uj39us.exe * For the t530: https://download.lenovo.com/pccbbs/mobiles/g4uj41us.exe +* For the t430: https://download.lenovo.com/pccbbs/mobiles/g1uj49us.exe The scripts have been successfully tested on Debian 10 and Ubuntu 21.04. diff --git a/blobs/xx30/vbios_t430.sh b/blobs/xx30/vbios_t430.sh new file mode 100755 index 000000000..eb729d138 --- /dev/null +++ b/blobs/xx30/vbios_t430.sh 
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3"
+UEFIEXTRACT="UEFIExtract_NE_A58_linux_x86_64.zip"
+VBIOSFINDER="c2d764975115de466fdb4963d7773b5bc8468a06"
+BIOSUPDATE="g1uj49us.exe"
+ROM_PARSER_SHA256SUM="f3db9e9b32c82fea00b839120e4f1c30b40902856ddc61a84bd3743996bed894 94a615302f89b94e70446270197e0f5138d678f3.zip"
+UEFI_EXTRACT_SHA256SUM="c9cf4066327bdf6976b0bd71f03c9e049ae39ed19ea3b3592bae3da8615d26d7 UEFIExtract_NE_A58_linux_x86_64.zip"
+VBIOS_FINDER_SHA256SUM="bd07f47fb53a844a69c609ff268249ffe7bf086519f3d20474087224a23d70c5 c2d764975115de466fdb4963d7773b5bc8468a06.zip"
+BIOS_UPDATE_SHA256SUM="f6769f197d9becf0533e41e9822b3934bc900a767e8ce2e3538d90fe0d113d5f g1uj49us.exe"
+DGPU_ROM_SHA256SUM="b0e797cf2be7e11485a089ff7b1962b566737d7ddf082167e638601f47ae5ae8 vbios_10de_0def_1.rom"
+IGPU_ROM_SHA256SUM="11eb0011023391f07e7ae6d8068e1d6f586c9b73cbdaa24c65aa662ee785fca5 vbios_8086_0106_1.rom"
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Installing basic dependencies"
+sudo apt update && sudo apt install -y wget ruby ruby-dev ruby-bundler p7zip-full upx-ucl
+
+echo "### Downloading rom-parser dependency"
+wget https://github.com/awilliam/rom-parser/archive/"$ROMPARSER".zip
+
+echo "### Verifying expected hash of rom-parser"
+echo "$ROM_PARSER_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing rom-parser dependency"
+unzip "$ROMPARSER".zip
+cd rom-parser-"$ROMPARSER" && make
+sudo cp rom-parser /usr/sbin/
+
+echo "### Downloading UEFIExtract dependency"
+wget https://github.com/LongSoft/UEFITool/releases/download/A58/"$UEFIEXTRACT"
+
+echo "### Verifying expected hash of UEFIExtract"
+echo "$UEFI_EXTRACT_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing UEFIExtract"
+unzip "$UEFIEXTRACT"
+sudo mv UEFIExtract /usr/sbin/
+
+echo "### Downloading VBiosFinder"
+wget https://github.com/coderobe/VBiosFinder/archive/"$VBIOSFINDER".zip
+
+echo "### Verifying expected hash of VBiosFinder"
+echo "$VBIOS_FINDER_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing VBiosFinder"
+unzip "$VBIOSFINDER".zip
+cd VBiosFinder-"$VBIOSFINDER" && bundle install --path=vendor/bundle
+
+echo "### Downloading latest Lenovo bios update for t430"
+wget https://download.lenovo.com/pccbbs/mobiles/"$BIOSUPDATE"
+
+echo "### Verifying expected hash of bios update"
+echo "$BIOS_UPDATE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Finding, extracting and saving vbios"
+./vbiosfinder extract "$extractdir"/rom-parser-"$ROMPARSER"/VBiosFinder-"$VBIOSFINDER"/"$BIOSUPDATE"
+
+echo "Verifying expected hash of extracted roms"
+cd output
+echo "$DGPU_ROM_SHA256SUM" | sha256sum --check || { echo "dGPU rom failed sha256sum verification..." && exit 1; }
+echo "$IGPU_ROM_SHA256SUM" | sha256sum --check || { echo "iGPU rom Failed sha256sum verification..." && exit 1; }
+
+echo "### Moving extracted roms to blobs directory"
+mv vbios_10de_0def_1.rom $BLOBDIR/10de,0def.rom
+mv vbios_8086_0106_1.rom $BLOBDIR/8086,0106.rom
+
+echo "### Cleaning Up"
+cd "$BLOBDIR"
+rm -rf "$extractdir"
diff --git a/boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config b/boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config
new file mode 100644
index 000000000..28cc43acb
--- /dev/null
+++ b/boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config
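Review bot: The two `mv` lines at the end of vbios_t430.sh expand `$BLOBDIR` unquoted, so a checkout path containing whitespace or glob characters splits or rewrites the destination; write `mv vbios_10de_0def_1.rom "$BLOBDIR/10de,0def.rom"` and the same for the 8086 rom. Every `exit 1` on a failed hash check also leaves the `mktemp -d` directory behind, which `trap 'rm -rf -- "$extractdir"' EXIT` directly after the `mktemp` line would cover. The pinned SHA-256 values cover the four downloads and both extracted ROMs, but the gems fetched by `bundle install` and the apt packages are not checked by this script, and rom-parser and UEFIExtract are copied into /usr/sbin with sudo. The final ROM hashes protect the build output, so the remaining exposure is to the build host; running the tools from `$extractdir` through `PATH` would avoid the system-wide install, if vbiosfinder accepts that (not verifiable from this hunk).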
@@ -0,0 +1,91 @@
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+# This board is designed for a t430 with a dGPU. In order to build this the relevant script in the blobs directory must be run (or self-pulled roms placed in that directory) and after building the rom, the nvramtool must be run on the 12MB rom to change the default graphics mode away from integrated-only graphics (see README_vbios in the blobs directory).
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-dgpu-hotp-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T430-dgpu-hotp-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+# following to have gbe.bin ifd.bin and me.bin
+# - blobs/xx30/download_clean_me.sh
+# To download Lenovo original ME binary, neuter+deactivate ME, produce
+# reduced IFD ME region and expanded BIOS IFD region.
+# - blobs/xx30/extract.sh
+# To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+#
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# As a consequence, this replaces the need of having to flash t430-flash
+# and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+ @sha256sum $@
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+ @sha256sum $@
diff --git a/boards/t430-dgpu-maximized/t430-dgpu-maximized.config b/boards/t430-dgpu-maximized/t430-dgpu-maximized.config
new file mode 100644
index 000000000..0e8c3c36e
--- /dev/null
+++ b/boards/t430-dgpu-maximized/t430-dgpu-maximized.config
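Review bot: `CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"` carries no explanation: `--force` overrides flashrom's safety checks and `--noverify-all` restricts post-write verification to the included regions, so a reader cannot tell from this file why both are needed when reflashing from within Heads. A comment directly above the export, such as `# --force/--noverify-all: <reason for this board, to be filled in by the author>`, would document the intent. The same applies to `CONFIG_BOOT_REQ_HASH=n` and `CONFIG_BOOT_REQ_ROLLBACK=n`, whose effect on the boot policy is not described here. The identical lines appear in boards/t430-dgpu-maximized/t430-dgpu-maximized.config.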
@@ -0,0 +1,90 @@
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions
+# - Forged 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+# This board is designed for a t430 with a dGPU. In order to build this the relevant script in the blobs directory must be run (or self-pulled roms placed in that directory) and after building the rom, the nvramtool must be run on the 12MB rom to change the default graphics mode away from integrated-only graphics (see README_vbios in the blobs directory).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-dgpu-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T430-dgpu-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+# following to have gbe.bin ifd.bin and me.bin
+# - blobs/xx30/download_clean_me.sh
+# To download Lenovo original ME binary, neuter+deactivate ME, produce
+# reduced IFD ME region and expanded BIOS IFD region.
+# - blobs/xx30/extract.sh
+# To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+#
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# As a consequence, this replaces the need of having to flash t430-flash
+# and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+ @sha256sum $@
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+ $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+ @sha256sum $@
diff --git a/config/coreboot-t430-dgpu-hotp-maximized.config b/config/coreboot-t430-dgpu-hotp-maximized.config
new file mode 100644
index 000000000..5acd36d4f
--- /dev/null
+++ b/config/coreboot-t430-dgpu-hotp-maximized.config
@@ -0,0 +1,29 @@
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
+CONFIG_VGA_BIOS_DGPU_FILE="../../blobs/xx30/10de,0def.rom"
+CONFIG_VGA_BIOS=y
+CONFIG_VGA_BIOS_FILE="../../blobs/xx30/8086,0106.rom"
+# CONFIG_VGA_BIOS_SECOND is not set
+CONFIG_VGA_ROM_RUN_DEFAULT=y
+CONFIG_VGA_BIOS_DGPU=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-dgpu-hotp-maximized/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430-dgpu-hotp-maximized/initrd.cpio.xz"
diff --git a/config/coreboot-t430-dgpu-maximized.config b/config/coreboot-t430-dgpu-maximized.config
new file mode 100644
index 000000000..daa463063
--- /dev/null
+++ b/config/coreboot-t430-dgpu-maximized.config
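Review bot: `CONFIG_VGA_BIOS_FILE` and `CONFIG_VGA_BIOS_DGPU_FILE` take `8086,0106.rom` and `10de,0def.rom` from blobs/xx30 with `CONFIG_VGA_ROM_RUN_DEFAULT=y` set, yet the only integrity check on those option ROMs visible in this patch is the SHA-256 comparison inside blobs/xx30/vbios_t430.sh. The board files explicitly allow self-pulled ROMs placed in that directory, and on that path nothing shown here checks the files before they are embedded in the image. Consider recording the expected hashes next to these options, e.g. `# expected SHA-256 of both ROMs: see DGPU_ROM_SHA256SUM / IGPU_ROM_SHA256SUM in blobs/xx30/vbios_t430.sh`, or verifying them during the build. config/coreboot-t430-dgpu-maximized.config has the same two lines.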
@@ -0,0 +1,29 @@
+# CONFIG_USE_BLOBS is not set
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
+CONFIG_VGA_BIOS_DGPU_FILE="../../blobs/xx30/10de,0def.rom"
+CONFIG_VGA_BIOS=y
+CONFIG_VGA_BIOS_FILE="../../blobs/xx30/8086,0106.rom"
+# CONFIG_VGA_BIOS_SECOND is not set
+CONFIG_VGA_ROM_RUN_DEFAULT=y
+CONFIG_VGA_BIOS_DGPU=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-dgpu-maximized/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430-dgpu-maximized/initrd.cpio.xz"