add t480 board

.circleci/config.yml

@@ -424,6 +424,20 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: t480-maximized
+          target: t480-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: t480-hotp-maximized
+          target: t480-hotp-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: UNTESTED_w541-maximized
           target: UNTESTED_w541-maximized
@@ -556,3 +570,4 @@ workflows:
           subcommand: ""
           requires:
             - librem_l1um
+

BOARD_TESTERS.md

@@ -32,6 +32,11 @@ xx4x(Haswell):
 - [ ] t440p: @fhvyhjriur @ThePlexus @srgrint @akunterkontrolle @rbreslow
 - [ ] w541 (similar to t440p): @ResendeGHF @gaspar-ilom (Always tested late: Needs more responsive board testers or risk to become unmaintained.)
 
+xx8x(Kaby Lake Refresh):
+===
+- [ ] t480: @gaspar-ilom
+- [ ] t480s (similar to t480): TODO: NOT SUPPORTED OR TESTED YET
+
 Librems:
 ===
 - [ ] Librem 11(JasperLake): @JonathonHall-Purism

blobs/kabylake/.gitignore

@@ -0,0 +1,3 @@
+Fsp_M.fd
+Fsp_S.fd
+Fsp_T.fd

blobs/kabylake/fetch_split_fsp.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+function usage() {
+	echo -n \
+		"Usage: $(basename "$0") path_to_output_directory
+Get FSP from coreboot git submodule and split.
+"
+}
+
+# Integrity checks for the coreboot provided fsp blob...
+FSP_FD_COREBOOT_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0"
+FSP_SUBMODULE_PATH="3rdparty/fsp"
+PATH_TO_FSP_FD_IN_SUBMODULE="KabylakeFspBinPkg/Fsp.fd"
+SPLIT_FSP_PATH_IN_SUBMODULE="Tools/SplitFspBin.py"
+
+
+split_fsp()
+{
+	fsp_binary="$1"
+	fsp_output_dir="$2"
+	split_fsp_py="${COREBOOT_DIR}/${FSP_SUBMODULE_PATH}/${SPLIT_FSP_PATH_IN_SUBMODULE}"
+	python "$split_fsp_py" split -f "$fsp_binary" -o "$fsp_output_dir" -n "Fsp.fd" || exit 1
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+	if [[ "${1:-}" == "--help" ]]; then
+		usage
+	else
+		output_dir="$(realpath "${1:-./}")"
+		fsp_m_path="${output_dir}/Fsp_M.fd"
+		fsp_s_path="${output_dir}/Fsp_S.fd"
+		#chk_exists
+
+		if [[ -z "${COREBOOT_DIR}" ]]; then
+			echo "ERROR: No COREBOOT_DIR variable defined."
+			exit 1
+		fi
+
+		# TODO chk_exists above
+		# if [[ ! -f "$fsp_s_path" ]] || [[ ! -f "$fsp_m_path" ]] || [ "$retry" = "y" ]; then
+			git -C "$COREBOOT_DIR" submodule update --init --checkout "$FSP_SUBMODULE_PATH"
+			fsp_fd="${COREBOOT_DIR}/${FSP_SUBMODULE_PATH}/${PATH_TO_FSP_FD_IN_SUBMODULE}"
+			chk_sha256sum "$FSP_FD_COREBOOT_HASH" "$fsp_fd"
+			pushd "$(mktemp -d)" || exit
+			fsp_file="Fsp.fd"
+			cp "$fsp_fd" "$fsp_file"
+
+			split_fsp "$(pwd)/${fsp_file}" "$output_dir"
+
+			rm -rf ./*
+			popd || exit
+			git -C "$COREBOOT_DIR" submodule deinit "$FSP_SUBMODULE_PATH"
+		# fi
+
+		# TODO final checksums
+		# chk_sha256sum "$FSP_FD_COREBOOT_HASH" "$fsp_s_path"
+		# chk_sha256sum "$FSP_FD_COREBOOT_HASH" "$fsp_m_path"
+	fi
+fi

blobs/xx80/.gitignore

@@ -0,0 +1 @@
+me.bin

blobs/xx80/README

@@ -0,0 +1,30 @@
+The ME blobs dumped in this directory come from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
+
+This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
+See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
+Therefore, Bootguard can be disabled by deguard with a patched ME.
+
+1.0.0:Automatically extract, neuter and deguard me.bin
+download_clean_me.sh : Downloads vulnerable ME from Dell verify checksum, extract ME, neuters ME, relocate and trim it, then apply deguard patch and place it into me.bin
+
+sha256sum:
+1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b  me.bin
+
+1.0.1: Extract blobs from original rom:
+extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim and deguard it, modify BIOS and ME region of IFD and place output files into this dir.
+
+sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent.
+
+1.1: More blobs
+--------------------
+ifd.bin was extracted from a T480 from an external flashrom backup.
+
+sha256sum:
+f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf  ifd.bin
+
+sha256sum:
+6b7f3912995fb87ae62956e009470b35b72b5b9a4bfd7bed48da429af9804866  gbe.bin
+------------------------
+
+Notes: as specified in first link, this ME can be deployed to:
+    T480 and T480s

blobs/xx80/download_clean_deguard_me.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+# These variables are all for the deguard tool.
+# They would need to be changed if using the tool for other devices like the T480s or with a different ME version...
+ME_delta="thinkpad_t480"
+ME_version="11.6.0.1126"
+ME_sku="2M"
+ME_pch="LP"
+
+# Integrity checks for the vendor provided ME blob...
+ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0"
+# ...and the cleaned and deguarded version from that blob.
+DEGUARDED_ME_BIN_HASH="1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b"
+
+function usage() {
+	echo -n \
+		"Usage: $(basename "$0") path_to_output_directory
+Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS.
+"
+}
+
+function chk_sha256sum() {
+	sha256_hash="$1"; filename="$2"
+	echo "$sha256_hash" "$filename" "$(pwd)"
+	sha256sum "$filename"
+	if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then
+		echo "ERROR: SHA256 checksum for ${filename} doesn't match."
+		exit 1
+	fi
+}
+
+function chk_exists() {
+	if [ -e "$me_deguarded" ]; then
+		echo "me.bin already exists"
+		if echo "${DEGUARDED_ME_BIN_HASH} $me_deguarded" | sha256sum --check; then
+			echo "SKIPPING: SHA256 checksum for me.bin matches."
+			exit 0
+		fi
+		retry="y"
+		echo "me.bin exists but checksum doesn't match. Continuing..."
+	fi
+}
+
+function download_and_clean() {
+    me_output="$(realpath "${1}")"
+
+	# Download and unpack the Dell installer into a temporary directory and
+	# extract the deguardable Intel ME blob.
+	pushd "$(mktemp -d)" || exit
+
+	# Download the installer that contains the ME blob
+	me_installer_filename="Inspiron_5468_1.3.0.exe"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+	curl -A "$user_agent" -s -O "https://dl.dell.com/FOLDER04573471M/1/${me_installer_filename}"
+	chk_sha256sum "$ME_DOWNLOAD_HASH" "$me_installer_filename"
+
+	# Download the tool to unpack Dell's installer and unpack the ME blob.
+	git clone https://github.com/platomav/BIOSUtilities
+	git -C BIOSUtilities checkout ef50b75ae115ae8162fa8b0a7b8c42b1d2db894b
+
+	python "BIOSUtilities/Dell_PFS_Extract.py" "${me_installer_filename}" -e || exit
+
+	extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin"
+
+	mv "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" "${COREBOOT_DIR}/util/me_cleaner"
+	rm -rf ./*
+	popd || exit
+
+	# Neutralize and shrink Intel ME. Note that this doesn't include
+	# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
+	# High Assurance Program) bits, as they are defined within the Flash
+	# Descriptor.
+	# However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function.
+	# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+	pushd "${COREBOOT_DIR}/util/me_cleaner" || exit
+
+	# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
+	python me_cleaner.py --whitelist MFS -t -O "$me_output" "$extracted_me_filename"
+	rm -f "$extracted_me_filename"
+	popd || exit
+}
+
+function deguard() {
+    me_input="$(realpath "${1}")"
+    me_output="$(realpath "${2}")"
+
+    # Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob.
+	pushd "$(mktemp -d)" || exit
+    git clone https://review.coreboot.org/deguard.git
+    pushd deguard || exit
+    git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2
+
+    python ./finalimage.py \
+        --delta "data/delta/$ME_delta" \
+	    --version "$ME_version" \
+        --pch "$ME_pch" \
+	    --sku "$ME_sku" \
+        --fake-fpfs data/fpfs/zero \
+	    --input "$me_input" \
+        --output "$me_output"
+
+    popd || exit
+    #Cleanup
+	rm -rf ./*
+	popd || exit
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+	if [[ "${1:-}" == "--help" ]]; then
+		usage
+	else
+
+		output_dir="$(realpath "${1:-./}")"
+		me_cleaned="${output_dir}/me_cleaned.bin"
+		me_deguarded="${output_dir}/me.bin"
+		chk_exists
+
+		if [[ -z "${COREBOOT_DIR}" ]]; then
+			echo "ERROR: No COREBOOT_DIR variable defined."
+			exit 1
+		fi
+
+		if [[ ! -f "$me_deguarded" ]] || [ "$retry" = "y" ]; then
+			download_and_clean "$me_cleaned"
+			deguard "$me_cleaned" "$me_deguarded"
+			rm -f "$me_cleaned"
+		fi
+
+		chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded"
+	fi
+fi

blobs/xx80/hashes.txt

@@ -0,0 +1,5 @@
+8e48eb06740a0c250eea0d17a8610106cbd76a50e3bee3485642fd46a8204f02  Fsp_M.fd
+c2f4ee42ba15b315ad3b282375af9151ce3f9e7d81ea3537ffc404e7e20f1f9a  Fsp_S.fd
+6b7f3912995fb87ae62956e009470b35b72b5b9a4bfd7bed48da429af9804866  gbe.bin
+f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf  ifd.bin
+1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b  me.bin

boards/t480-hotp-maximized/t480-hotp-maximized.config

@@ -0,0 +1,70 @@
+# Configuration for a T480 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged TO:DO:TO:DO:TO:DO MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.02.01
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t480-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx80_me_blobs