Merge pull request #4 from osresearch/master

Bringup to master

blobs/t420/extract.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+function printusage {
+  echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"
+  exit 0
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":f:m:i:" opt; do
+  case $opt in
+    f)
+      FILE="$OPTARG"
+      ;;
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+    i)
+      if [ -x "$OPTARG" ]; then
+        IFDTOOL="$OPTARG"
+      fi
+      ;;
+  esac
+done
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+if [ -z "$IFDTOOL" ]; then
+  IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1`
+  if [ -z "$IFDTOOL" ]; then
+    echo "ifdtool required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+echo "FILE: $FILE"
+echo "ME: $MECLEAN"
+echo "IFD: $IFDTOOL"
+
+bioscopy=$(mktemp)
+extractdir=$(mktemp -d)
+
+cp "$FILE" $bioscopy
+
+cd "$extractdir"
+$IFDTOOL -x $bioscopy
+cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin"
+$MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin"
+$IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy
+$IFDTOOL -x $bioscopy.new
+cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin"
+
+rm "$bioscopy"
+rm "$bioscopy.new"
+rm -r "$extractdir"

blobs/t420/layout.txt

@@ -0,0 +1,4 @@
+00000000:00000fff fd
+00018000:007fffff bios
+00003000:00017fff me
+00001000:00002fff gbe

blobs/t420/readme.md

@@ -0,0 +1,29 @@
+To build for T420, we need to have the following files in this folder:
+* `me.bin` - ME binary that has been stripped and truncated with me_cleaner
+* `gbe.bin` - Network card blob from the original firmware
+* `ifd.bin` - Flash layout file has been provided as text
+
+To get the binaries, start with a copy of the original Lenovo firmware image.
+If you do not have one already, you can read one out from the laptops SPI flash with flashrom
+
+```
+flashrom -p <programmer> -r original.bin
+```
+
+Set `<programmer>` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi).
+
+Once you have the image, the provided extraction script will extract the files needed.
+
+```
+./extract.sh -f <romdump>
+```
+
+Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically.
+
+The flash layout will be automatically adjusted and the ME image cleaned and truncated.
+
+You can now compile the image with:
+
+```
+make BOARD=t420
+```

blobs/x220/extract.sh

@@ -5,6 +5,8 @@ function printusage {
   exit 0
 }
 
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
 if [ "$#" -eq 0 ]; then printusage; fi
 
 while getopts ":f:m:i:" opt; do
@@ -26,15 +28,15 @@ while getopts ":f:m:i:" opt; do
 done
 
 if [ -z "$MECLEAN" ]; then
-  MECLEAN=`command -v me_cleaner.py 2>&1`
+  MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1`
   if [ -z "$MECLEAN" ]; then
     echo "me_cleaner.py required but not found or specified with -m. Aborting."
     exit 1;
   fi
 fi
 
 if [ -z "$IFDTOOL" ]; then
-  IFDTOOL=`command -v ifdtool 2>&1`
+  IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1`
   if [ -z "$IFDTOOL" ]; then
     echo "ifdtool required but not found or specified with -m. Aborting."
     exit 1;
@@ -47,7 +49,6 @@ echo "IFD: $IFDTOOL"
 
 bioscopy=$(mktemp)
 extractdir=$(mktemp -d)
-BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 cp "$FILE" $bioscopy
 

boards/kgpe-d16/kgpe-d16.config

@@ -30,4 +30,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2

boards/librem13v2/librem13v2.config

@@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq"

boards/librem13v4/librem13v4.config

@@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq"

boards/librem15v3/librem15v3.config

@@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq"

boards/librem15v4/librem15v4.config

@@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq"

boards/t420/t420.config

@@ -0,0 +1,37 @@
+# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things.
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios"

boards/x220/x220.config

@@ -1,12 +1,12 @@
-# Configuration for a x220 running Qubes and other OS
-# The Linux configuration is close enough to the x230
+# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things.
 export CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config
 CONFIG_LINUX_CONFIG=config/linux-x230.config
 
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
-CONFIG_GPG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -17,14 +17,21 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_DROPBEAR=y
 
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 
-export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios"

boards/x230-flash/x230-flash.config

@@ -17,6 +17,7 @@ CONFIG_LINUX_E1000E=y
 
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_BOOTSCRIPT=/bin/x230-flash.init
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios"
 
 # This board is "special" in that we only want the top 4 MB of the ROM
 # for flashing into SPI flash 1 on the mainboard.  This is enough to

boards/x230/x230.config

@@ -34,6 +34,7 @@ export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios"
 
 # This board has two SPI flash chips, an 8 MB that holds the IFD,
 # the ME image and part of the coreboot image, and a 4 MB one that

config/coreboot-t420.config

@@ -0,0 +1,25 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x700000
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/t420/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/t420/me.bin"
+CONFIG_BOARD_LENOVO_T420=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_NO_POST=y
+CONFIG_GBE_BIN_PATH="../../blobs/t420/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t420/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y

config/coreboot-x220.config

@@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y
 CONFIG_USE_BLOBS=y
 CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_LENOVO=y
-CONFIG_CBFS_SIZE=0x7e8000
+CONFIG_CBFS_SIZE=0x700000
 CONFIG_ONBOARD_VGA_IS_PRIMARY=y
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_HAVE_ME_BIN=y
@@ -15,12 +15,11 @@ CONFIG_ME_BIN_PATH="../../blobs/x220/me.bin"
 CONFIG_BOARD_LENOVO_X220=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_NO_POST=y
-CONFIG_CHECK_ME=y
 CONFIG_GBE_BIN_PATH="../../blobs/x220/gbe.bin"
+#CONFIG_DEBUG_TPM=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
-CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/x220/bzImage"
-CONFIG_LINUX_COMMAND_LINE="quiet"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/x220/initrd.cpio.xz"
 CONFIG_DEBUG_SMM_RELOCATION=y

initrd/bin/gui-init

@@ -118,8 +118,11 @@ clean_boot_check()
   [ $GPG_KEY_COUNT -ne 0 ] && return
 
    # check for USB security token
-  if ! gpg --card-status > /dev/null ; then
-   return
+  if [ "$CONFIG_LIBREMKEY" = "y" ]; then
+    enable_usb
+    if ! gpg --card-status > /dev/null ; then
+      return
+    fi
   fi
 
   # OS is installed, no kexec files present, no GPG keys in keyring, security token present
@@ -128,9 +131,6 @@ clean_boot_check()
     "Clean Boot Detected - Perform OEM Factory Reset?" "$CONFIG_WARNING_BG_COLOR"
 }
 
-# enable USB to load modules for external kb
-enable_usb
-
 if detect_boot_device ; then
   # /boot device with installed OS found
   clean_boot_check

initrd/bin/oem-factory-reset

@@ -316,6 +316,10 @@ gpg --list-keys >/dev/null 2>&1
 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
 gpg_key_reset
 
+# parse name of generated key
+GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
+PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
+
 if [ "$CUSTOM_PASS" != "" ]; then
   echo -e "\nChanging default GPG Admin PIN\n"
   gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
@@ -327,9 +331,6 @@ fi
 
 ## export generated key to USB
 echo -e "\nExporting generated key to USB...\n"
-# parse name of generated key
-GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
-PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
 # export pubkey to file
 if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then
     ERROR=$(tail -n 1 /tmp/error)

initrd/init

@@ -64,6 +64,11 @@ if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
 		> "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
 fi
 
+# load USB modules for boards using a USB keyboard
+if [ "$CONFIG_USB_KEYBOARD" = "y" ]; then
+	enable_usb
+fi
+
 # If the user has been holding down r, enter a recovery shell
 # otherwise immediately start the configured boot script.
 # We don't print a prompt, since this is a near instant timeout.

modules/hidapi

@@ -0,0 +1,2 @@
+# empty placeholder file
+# This submodule is defined in modules/libremkey-hotp-verification

modules/libremkey-hotp-verification

@@ -2,9 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
 
 libremkey-hotp-verification_depends := libusb $(musl_dep)
 
-libremkey-hotp-verification_version := git
-libremkey-hotp-verification_dir := libremkey-hotp-verification
-libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification
+libremkey-hotp-verification_version := e5fa36a7a1950226d0ef94e2eeed0ffb510eba89
+libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)
+libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz
+libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz
+libremkey-hotp-verification_hash := 668113ebc21cc875d49266c8d3a47acfd524a8d6b64f75b7ce5833d595415469
 
 libremkey-hotp-verification_target := \
 	$(MAKE_JOBS) \
@@ -18,3 +20,18 @@ libremkey-hotp-verification_configure := \
   INSTALL="$(INSTALL)" \
   CROSS="$(CROSS)" \
   cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . 
+
+libremkey-hotp-verification_depends  += hidapi
+modules-y += hidapi
+
+hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
+hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi
+hidapi_tar := hidapi-$(hidapi_version).tar.xz
+hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
+hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
+
+
+## hidapi will be built as part of libremkey-hotp-verification
+## so nothing to do here (but need make to be happy)
+hidapi_output := .built
+hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile