Rebase, chmod +x download_BIOS_clean.sh, config options to enable pla…

…tform locking as defined under https://github.com/osresearch/heads/blob/473c235fbaf56698aa9beefd2684fbf7d4499809/initrd/bin/lock_chip header, Changed description comment lines in the Heads board config file.
linuxboot · Jul 22, 2023 · fec63b3 · fec63b3
1 parent 473c235
commit fec63b3
Show file tree

Hide file tree

Showing 6 changed files with 3,985 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -469,6 +469,20 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: z220-cmt-maximized
+          target: z220-cmt-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: z220-cmt-hotp-maximized
+          target: z220-cmt-hotp-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: UNTESTED_p8z77-m_pro-tpm1-maximized
           target: UNTESTED_p8z77-m_pro-tpm1-maximized

diff --git a/blobs/z220/download_BIOS_clean.sh b/blobs/z220/download_BIOS_clean.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Z220 CMT HP
+
+function printusage {
+  echo "Usage: $0 -m <me_cleaner>(optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:i:" opt; do
+  case $opt in
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+  esac
+
+done
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+BIN_FILE="DOS Flash/K51_0187.BIN"
+BIN_TGZ_SHA256SUM="0102d569239fdc14ca86a7afc4b16d2b12703401890b83e188f34d23844870dc  sp97120.tgz"
+BIN_FILE_SHA256SUM="cc5a9c2d4827e9b1501c2dc0a464f580d4a2d65e4ff83dbab548e51839339d06  $BIN_FILE"
+FINAL_IFD_SHA256SUM="ba7371fcf1c03a999adae66f4a5fccd65ae3429c1aedc0c7b7e11c548363d30e  $BLOBDIR/ifd.bin"
+FINAL_ME_SHA256SUM="2ee4bbf3e49e0c1f0215d7955d2a7793c7e108014f3aa4592bfa9785c0033d0d  $BLOBDIR/me.bin"
+TGZURL="https://ftp.hp.com/pub/softpaq/sp97001-97500/sp97120.tgz"
+
+TGZFILENAME=`echo $TGZURL | sed 's/.*\///'`
+ROMFILENAME=`echo $TGZFILENAME | sed 's/\.zip$/\.ROM/'`
+
+extractdir=$(mktemp -d)
+echo "### Creating temp dir $extractdir "
+cd "$extractdir"
+
+echo "### Downloading $TGZURL"
+wget $TGZURL || { echo "ERROR: wget failed $TGZURL" && exit 1; }
+echo "### Verifying expected hash of $TGZFILENAME"
+echo "$BIN_TGZ_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
+
+echo "### Extracting Archives"
+tar -xf $TGZFILENAME DOS\ Flash || { echo "Failed unzipping $TGZFILENAME - Tool installed on host?" && exit 1;}
+
+echo "### Verifying expected hash of $ROMFILENAME"
+echo "$BIN_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
+
+echo "### Applying me_cleaner to neuter and truncate. EFFS,FCRS whitelisted"
+$MECLEAN -S -r -t -d -O  /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$BIN_FILE"
+
+printf '\x00' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3837 count=1 conv=notrunc
+printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of="$BLOBDIR/ifd.bin" bs=1 seek=3712 count=40 conv=notrunc
+
+echo "### Verifying expected hashes"
+echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated IFD bin..." && exit 1; }
+echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on generated ME binary..." && exit 1; }
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"
diff --git a/boards/z220-cmt-hotp-maximized/z220-cmt-hotp-maximized.config b/boards/z220-cmt-hotp-maximized/z220-cmt-hotp-maximized.config
@@ -0,0 +1,6 @@
+# Inherit the rest from the base Z220 CMT config.
+include $(pwd)/boards/z220-cmt-maximized/z220-cmt-maximized.config
+
+CONFIG_HOTPKEY=y
+
+export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower (HOTP)"
diff --git a/boards/z220-cmt-maximized/z220-cmt-maximized.config b/boards/z220-cmt-maximized/z220-cmt-maximized.config
@@ -0,0 +1,75 @@
+# Configuration for HP Z220 CMT
+#
+#The board supports Intel LGA1155, which allows for ME removal (both neuter+disable as claimed by me_cleaner)
+#, ME region resize/shrinking (aka 'maximized' board), as well as VSCC table modification.
+#It is similar to the ASUS P8Z77 motherboards in those respects, but comes with the bonus of ECC RAM compatibility.
+#
+#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary 
+#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC 
+#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download 
+#script also resizes the rom layout and minimizes ME while maximizing space.
+#The Computer comes as standard with an 16MB Flash chip, which means that no modification is 
+#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by 
+#default. It is soldered onto the board, as is the TPM1 chip.
+#
+#Test platform
+#BOARD: HP Z220 CMT
+#RAM: 16GB - 2x ATP DDR3 ECC
+#CPU: Intel E3-1275v2
+#Even though this has been tested with a discrete graphics card installed, like on other Sandy/Ivy Bridge boards Heads is configured to use the iGPU, i.e. to get a display output while running Heads please
+#avoid the 1230, 1270v2, etc in favour of 1245v2, 2600k etc.
+#
+#note: nohz=off is an optional CONFIG_LINUX_COMMAND_LINE parameter to supress repeated NOHZ: local_softirq_pending console output
+#
+CONFIG_LINUX_CONFIG=config/linux-c216.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-z220-cmt.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.19
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y 
+
+# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
+# for a console-based menu.
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Hewlett-Packard Z220 Convertible Minitower"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+
+# Make the Coreboot build depend on the following 3rd party blobs:
+$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \
+    $(pwd)/blobs/z220/me.bin $(pwd)/blobs/z220/ifd.bin
+
+$(pwd)/blobs/z220/me.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/z220/download_BIOS_clean.sh
+
+$(pwd)/blobs/z220/ifd.bin:
+	COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \
+		$(pwd)/blobs/z220/download_BIOS_clean.sh