From 3f1c76ce116a283850cde032711a7b76bcad69bb Mon Sep 17 00:00:00 2001 
From: persmule Date: Wed, 17 Jan 2018 16:16:18 +0800 Subject: [PATCH 1/6] Introduce io386 to heads and use it to finalize chipset at runtime On some newer Intel platforms (confirmed on nehalem, sandy/ivy bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd) registers an SMI handler to lock down some chipset registers and, optionally, access to the SPI flash. The SMI is always triggered by coreboot during S3 resume, but during the normal boot path it can be triggered by either coreboot or the payload. Enabling the SPI flash lockdown effectively write-protects it, but coreboot has no runtime option to control this, so letting coreboot trigger that SMI leaves the owner of the machine with no way to program the SPI flash from their own OS, which becomes a nightmare if the machine is hard to disassemble. A scheme could instead be implemented in which triggering the SMI that locks down the chipset and SPI flash is left to the payload, and temporarily disabling that trigger in order to program the SPI flash requires authentication. I have implemented a passcode-protected, runtime-disableable lockdown with GRUB, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). To implement a similar scheme for Heads, I wrote [io386](https://github.com/hardenedlinux/io386). With this commit, io386 is called before entering the boot routine to trigger the SMI, which finalizes the chipset and write-protects the SPI flash at the same time. Entering the recovery shell leaves the flash writable. (The authentication routine implemented in previous revisions has been split out as an independent commit.)
Originally proposed under PR#326 --- Makefile | 1 + initrd/bin/generic-init | 11 +++++++++++ initrd/bin/lock_chip | 15 +++++++++++++++ modules/io386 | 28 ++++++++++++++++++++++++++++ 4 files changed, 55 insertions(+) create mode 100755 initrd/bin/lock_chip create mode 100644 modules/io386
diff --git a/Makefile b/Makefile
index 33bb89013..85cda083c 100644
--- a/Makefile
+++ b/Makefile
@@ -499,6 +499,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
 bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
+bin_modules-$(CONFIG_IO386) += io386
 
 $(foreach m, $(bin_modules-y), \
 $(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index 438f29d99..cd07049a1 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -41,12 +41,18 @@ while true; do
 fi
 
 if [ "$totp_confirm" = "u" ]; then
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 exec /bin/usb-init
 continue
 fi
 
 if [ "$totp_confirm" = "m" ]; then
 # Try to select a kernel from the menu
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 mount_boot
 kexec-select-boot -m -b /boot -c "grub.cfg"
 continue
@@ -54,11 +60,16 @@ while true; do
 
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
+ if [ "$CONFIG_IO386" = y ]; then
+ lock_chip
+ fi
 mount_boot
 kexec-select-boot -b /boot -c "grub.cfg" \
 || recovery "Failed default boot"
 fi
 
+
+
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
new file mode 100755
index 000000000..1331aebfe
--- /dev/null
+++ b/initrd/bin/lock_chip
@@ -0,0 +1,15 @@
+#!/bin/sh
+# For this to work:
+# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
+# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
+# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
+
+#include ash shell functions (TRACE requires it)
+. /etc/ash_functions
+
+TRACE "Under /bin/lock_chip"
+APM_CNT=0xb2
+FIN_CODE=0xcb
+echo "Finalizing chipset"
+io386 -o b -b x $APM_CNT $FIN_CODE
diff --git a/modules/io386 b/modules/io386
new file mode 100644
index 000000000..6829c7ea9
--- /dev/null
+++ b/modules/io386
@@ -0,0 +1,28 @@
+modules-$(CONFIG_IO386) += io386
+io386_depends := $(musl_dep)
+io386_version := git
+io386_repo := https://github.com/hardenedlinux/io386
+io386_dir := io386-$(io386_version)
+io386_target := \ $(MAKE_JOBS) \ $(CROSS_TOOLS) \ SHARED=yes \ PREFIX="/" \ && \ $(MAKE) \ -C $(build)/$(io386_dir) \ $(CROSS_TOOLS) \ SHARED=yes \ PREFIX="/" \ DESTDIR="$(INSTALL)" \ install \
+io386_output := \ io386
+io386_libraries :=
+io386_configure :=
From 699a9613818932669330af842457352b2e6ef97b Mon Sep 17 00:00:00 2001
From: Thierry Laurion Date: Wed, 12 Apr 2023 15:04:05 -0400 Subject: [PATCH 2/6] io386: replace check for io386 to call lock_chip by a single common call from kexec-boot prior of real kexec --- initrd/bin/generic-init | 11 ----------- initrd/bin/kexec-boot | 4 ++++ 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index cd07049a1..438f29d99 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
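Review bot: `io386 -o b -b x $APM_CNT $FIN_CODE` on the last line is the only step that actually locks the chipset, yet its failure is neither detected nor reported: the script has no `set -e`, the preceding `echo "Finalizing chipset"` is printed even when io386 is absent or fails, and none of the callers added in this series (generic-init here, kexec-boot in patch 2) check lock_chip's exit status, so a boot can proceed with the flash still writable while the log claims otherwise. Making the failure explicit here is the cheapest fix: `io386 -o b -b x "$APM_CNT" "$FIN_CODE" || { echo "lock_chip: failed to finalize chipset" >&2; exit 1; }`. The header comment also has two typos worth fixing while here: "know to work" → "known to work" and "coreboot config need to enable" → "coreboot config needs to enable".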
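Review bot: `install \` is followed by a blank line, so the io386_target recipe ends with a dangling line continuation that silently absorbs the empty line; drop the trailing backslash so the variable ends at `install`. `io386_configure :=` and `io386_libraries :=` are left empty, which presumably means the Heads module framework accepts an empty configure step — a one-line comment such as `# upstream has no configure step; built and installed by io386_target` would stop the next reader from assuming it was forgotten.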
@@ -41,18 +41,12 @@ while true; do
 fi
 
 if [ "$totp_confirm" = "u" ]; then
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 exec /bin/usb-init
 continue
 fi
 
 if [ "$totp_confirm" = "m" ]; then
 # Try to select a kernel from the menu
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -m -b /boot -c "grub.cfg"
 continue
@@ -60,16 +54,11 @@ while true; do
 
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
- if [ "$CONFIG_IO386" = y ]; then
- lock_chip
- fi
 mount_boot
 kexec-select-boot -b /boot -c "grub.cfg" \
 || recovery "Failed default boot"
 fi
 
-
-
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index d25b04829..dfbfccd90 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -150,5 +150,9 @@ if [ "$CONFIG_TPM" = "y" ]; then
 tpmr kexec_finalize
 fi
 
+if [ -x /bin/io386 ]; then
+ lock_chip
+fi
+
 echo "Starting the new kernel"
 exec kexec -e
From a598ba6e57e22ae60773b69ca745440f06e1be51 Mon Sep 17 00:00:00 2001
From: Thierry Laurion Date: Thu, 13 Apr 2023 09:21:26 -0400 Subject: [PATCH 3/6] modules/io386: fixate to latest commit id and optimize for space --- modules/io386 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/io386 b/modules/io386
index 6829c7ea9..5ee33e630 100644
--- a/modules/io386
+++ b/modules/io386
@@ -2,13 +2,16 @@ modules-$(CONFIG_IO386) += io386
 
 io386_depends := $(musl_dep)
 
-io386_version := git
-io386_repo := https://github.com/hardenedlinux/io386
+io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1
 io386_dir := io386-$(io386_version)
+io386_tar := io386-$(io386_version).tar.gz
+io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz
+io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06
 
 io386_target := \
 $(MAKE_JOBS) \
 $(CROSS_TOOLS) \
+ CFLAGS="-Os" \
 SHARED=yes \
 PREFIX="/" \
 && \
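Review bot: `lock_chip` is called without checking its result, so if io386 fails or is rejected this script continues straight to `exec kexec -e` with the chipset and SPI flash still unlocked, and the only trace is whatever lock_chip printed. Because this call sits between `tpmr kexec_finalize` and the kexec, a failed lockdown should be fatal rather than best-effort: `lock_chip || die "Platform lockdown (lock_chip) failed"`, using whatever fatal-error helper this script already uses (its prologue is outside the hunk, so I cannot confirm the name). The guard tests `[ -x /bin/io386 ]` while the TPM block two lines up tests `"$CONFIG_TPM" = "y"`; keying on the binary is consistent with the board configs later in this series, where `CONFIG_IO386=y` is not exported to the runtime config, but a comment saying so (`# CONFIG_IO386 is build-time only; presence of the binary is the runtime signal`) would save the next reader the detour.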
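Review bot: `CFLAGS="-Os"` is passed as a make command-line assignment, which overrides rather than extends whatever CFLAGS the io386 Makefile sets for itself (that Makefile is not visible here), so any warning or hardening flags upstream relied on are silently dropped for this build. If upstream composes its flags with `+=` or `override` this is harmless; otherwise carry the upstream defaults alongside `-Os` or use whatever extra-flags hook its Makefile exposes. Pinning `io386_version` to a commit and adding `io386_hash` is the right move; a short comment above `io386_hash` naming how it was computed (sha256 of the GitHub archive tarball at `io386_url`, presumably) would make future bumps reproducible.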
From 9830c6c4ed14dcfc161517c8dae6310284c32860 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Wed, 12 Apr 2023 15:08:49 -0400 Subject: [PATCH 4/6] io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs --- .../p8z77-m_pro-tpm1-maximized.config | 4 +++ .../t420-hotp-maximized.config | 5 +++ boards/t420-maximized/t420-maximized.config | 4 +++ .../t430-hotp-maximized.config | 4 +++ boards/t430-maximized/t430-maximized.config | 5 +++ boards/t440p-maximized/t440p-maximized.config | 5 +++ .../t520-hotp-maximized.config | 5 +++ boards/t520-maximized/t520-maximized.config | 5 +++ .../t530-dgpu-hotp-maximized.config | 5 +++ .../t530-dgpu-maximized.config | 5 +++ .../t530-hotp-maximized.config | 5 +++ boards/t530-maximized/t530-maximized.config | 5 +++ .../w530-dgpu-K1000m-hotp-maximized.config | 5 +++ .../w530-dgpu-K1000m-maximized.config | 5 +++ .../w530-dgpu-K2000m-hotp-maximized.config | 5 +++ .../w530-dgpu-K2000m-maximized.config | 5 +++ .../w530-hotp-maximized.config | 5 +++ boards/w530-maximized/w530-maximized.config | 5 +++ .../x220-hotp-maximized.config | 5 +++ boards/x220-maximized/x220-maximized.config | 5 +++ .../x230-hotp-maximized-fhd_edp.config | 5 +++ .../x230-hotp-maximized.config | 5 +++ .../x230-hotp-maximized_usb-kb.config | 5 +++ .../x230-maximized-fhd_edp.config | 5 +++ boards/x230-maximized/x230-maximized.config | 5 +++ config/coreboot-p8z77-m_pro-tpm1.config | 23 +++++++++---- config/coreboot-t420-maximized.config | 4 ++- config/coreboot-t430-maximized.config | 4 ++- config/coreboot-t440p.config | 9 +++++- config/coreboot-t520-maximized.config | 18 +++++------ .../coreboot-t530-dgpu-hotp-maximized.config | 2 ++ config/coreboot-t530-dgpu-maximized.config | 31 +++++++++--------- config/coreboot-t530-maximized.config | 21 ++++++------ ...coreboot-w530-dgpu-K1000m-maximized.config | 32 +++++++++---------- ...coreboot-w530-dgpu-K2000m-maximized.config | 32 +++++++++---------- config/coreboot-w530-maximized.config | 19 +++++------ config/coreboot-x220-maximized.config | 2 ++ 
config/coreboot-x230-maximized-fhd_edp.config | 2 ++ config/coreboot-x230-maximized.config | 2 ++ 39 files changed, 235 insertions(+), 88 deletions(-) diff --git a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config index 57cb23d32..515027166 100644 --- a/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config +++ b/boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config @@ -55,6 +55,10 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 1281c4444..e9b782737 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index bfbd81711..9f3760b03 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -28,6 +28,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index 5f172eb7b..70f8ef8c2 100644 
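Review bot: `export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y` is added to every boards/*.config in this patch, but nothing in patches 1–4 reads it — lock_chip takes no input and kexec-boot keys on `[ -x /bin/io386 ]` — so unless a later patch in the series consumes it, it is a dead runtime knob that reads like a security control. Either point the reader at the consumer with a comment (`# consumed by <script name>`) or drop the export until it is used. The sections also disagree on whitespace: p8z77 and t420-maximized add one blank line after the block while t420-hotp and most of the remaining boards add two, which is why their diffstat entries differ by one; pick one form. The comment `#platform locking finalization (PR0)` names PR0 (presumably the SPI protected-range register) while the lock_chip script in patch 1 describes this as the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent; a second comment line stating which effect this board actually gets would help.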
--- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -27,6 +27,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 10d5a2358..4983a6c05 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index b74edef93..247dc8ef6 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -20,6 +20,11 @@ CONFIG_POPT=y CONFIG_QRENCODE=y CONFIG_TPMTOTP=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. CONFIG_CAIRO=y diff --git a/boards/t520-hotp-maximized/t520-hotp-maximized.config b/boards/t520-hotp-maximized/t520-hotp-maximized.config index 7de13744c..7d3ea1b3a 100644 --- a/boards/t520-hotp-maximized/t520-hotp-maximized.config +++ b/boards/t520-hotp-maximized/t520-hotp-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/t520-maximized/t520-maximized.config b/boards/t520-maximized/t520-maximized.config index 4589ec212..35f55ff70 100644 --- a/boards/t520-maximized/t520-maximized.config +++ b/boards/t520-maximized/t520-maximized.config @@ -25,6 +25,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config index 364e49b7c..e0412ef35 100644 --- a/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config +++ b/boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config index ef7877b5c..4d1c756ef 100644 --- a/boards/t530-dgpu-maximized/t530-dgpu-maximized.config +++ b/boards/t530-dgpu-maximized/t530-dgpu-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 9f9c00e05..8a4209fb5 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config 
@@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 0bc59d862..3fa20c29b 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config index f3dab011b..396639ccd 100644 --- a/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config +++ b/boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config index 6a7bd1f1f..822c91f7d 100644 --- a/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config +++ b/boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config index b5e45aa6d..968cce2bb 100644 --- a/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config +++ b/boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config index edb50cb3d..9a374c4db 100644 --- a/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config +++ b/boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index a01a98d88..5e38664b3 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index a25832975..fdd1c0c29 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config 
@@ -28,6 +28,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 69531e65e..ba46fb41d 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 611dc3a8a..d4df3a843 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -29,6 +29,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index cb5daa6bb..377e91f12 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y 
diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index a8dca8506..df4e8a454 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index 47a4133a2..5cd7cfc23 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -30,6 +30,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index eda0d3a48..1db26bccf 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -39,6 +39,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7d385a3f9..e8f78e796 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config 
@@ -27,6 +27,11 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y + + #Remote attestation support #TPM based requirements export CONFIG_TPM=y diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config index 2fb5b5b71..2b3b7be30 100644 --- a/config/coreboot-p8z77-m_pro-tpm1.config +++ b/config/coreboot-p8z77-m_pro-tpm1.config @@ -1,17 +1,28 @@ -CONFIG_USE_BLOBS=y CONFIG_VENDOR_ASUS=y CONFIG_CBFS_SIZE=0x7E7000 CONFIG_BOARD_ASUS_P8Z77_M_PRO=y -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" +CONFIG_UART_PCI_ADDR=0x0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y CONFIG_NO_GFX_INIT=y -CONFIG_TPM_MEASURED_BOOT=y -CONFIG_TPM1=y +CONFIG_PCIEXP_HOTPLUG_IO=0x2000 +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM1=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y +CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off" diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config index 455aa803e..ebc93fcad 100644 --- a/config/coreboot-t420-maximized.config +++ b/config/coreboot-t420-maximized.config 
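Review bot: besides the two lockdown symbols (`# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set`, `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y`) this hunk also drops `CONFIG_USE_BLOBS=y` and adds PCIe hotplug, subsystem-ID and I2C timeout settings that the commit title does not mention; the same pattern recurs in the other config/coreboot-*.config hunks, where t440p loses `CONFIG_NO_GFX_INIT=y`, t520 loses `CONFIG_MEASURED_BOOT=y`, `CONFIG_ONBOARD_VGA_IS_PRIMARY=y` and `CONFIG_DEBUG_SMM_RELOCATION=y`, the t530/w530 variants lose `# CONFIG_CONSOLE_SERIAL is not set`, and the dGPU variants also lose `# CONFIG_VGA_BIOS_SECOND is not set`, `CONFIG_VGA_ROM_RUN_DEFAULT=y` and (w530) `CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y`. This looks like the files were regenerated with coreboot's savedefconfig against a newer tree, where some of those symbols may now be defaults or renamed, but that is inferred; the commit message should say so, and each dropped symbol that changes behaviour (CONFIG_NO_GFX_INIT, CONFIG_DEBUG_SMM_RELOCATION) deserves a sentence. Splitting the mechanical regeneration from the two lockdown lines would make the security-relevant change reviewable on its own.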
@@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0x7E7FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T420=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config index 190ac0fbc..ae701a378 100644 --- a/config/coreboot-t430-maximized.config +++ b/config/coreboot-t430-maximized.config @@ -1,6 +1,6 @@ -# CONFIG_USE_BLOBS is not set CONFIG_USE_OPTION_TABLE=y CONFIG_STATIC_OPTION_TABLE=y +# CONFIG_USE_BLOBS is not set CONFIG_VENDOR_LENOVO=y CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF @@ -11,11 +11,13 @@ CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T430=y CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_HAVE_ME_BIN=y CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index c70c0e6a6..a14496bae 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config 
@@ -5,15 +5,22 @@ CONFIG_CBFS_SIZE=0x800000
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_THINKPAD_T440P=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_HAVE_MRC=y
 CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
+CONFIG_UART_PCI_ADDR=0x0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
-CONFIG_NO_GFX_INIT=y
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config
index 0665a3958..6830c1026 100644
--- a/config/coreboot-t520-maximized.config
+++ b/config/coreboot-t520-maximized.config
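Review bot: `+CONFIG_TPM_MEASURED_BOOT=y` is added while the same line is already present as unchanged context a few lines above it (right after `CONFIG_LINUX_COMMAND_LINE=...`), so the new t440p config carries the symbol twice. Kconfig should tolerate the duplicate since both assignments are `y`, but it will confuse the next savedefconfig round-trip and anyone diffing board configs; drop the added copy and keep the existing one.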
@@ -1,23 +1,21 @@
 # CONFIG_INCLUDE_CONFIG_FILE is not set
 # CONFIG_COLLECT_TIMESTAMPS is not set
-CONFIG_USE_BLOBS=y
-CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0x7E7FFF
-CONFIG_ONBOARD_VGA_IS_PRIMARY=y
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx20/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx20/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_T520=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
-CONFIG_NO_POST=y
-CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx20/gbe.bin"
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_DEBUG_SMM_RELOCATION=y
diff --git a/config/coreboot-t530-dgpu-hotp-maximized.config b/config/coreboot-t530-dgpu-hotp-maximized.config
index b1f84b7aa..7b1ca6841 100644
--- a/config/coreboot-t530-dgpu-hotp-maximized.config
+++ b/config/coreboot-t530-dgpu-hotp-maximized.config
@@ -28,3 +28,5 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config
index fd236eea6..d19336467 100644
--- a/config/coreboot-t530-dgpu-maximized.config
+++ b/config/coreboot-t530-dgpu-maximized.config
@@ -1,28 +1,27 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y +CONFIG_VGA_BIOS=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" CONFIG_VGA_BIOS_DGPU_ID="10de,0def" CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0def.rom" -CONFIG_VGA_BIOS=y CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom" -# CONFIG_VGA_BIOS_SECOND is not set -CONFIG_VGA_ROM_RUN_DEFAULT=y -CONFIG_VGA_BIOS_DGPU=y +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_VGA_BIOS_DGPU=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config index 415699247..3d245dcf9 100644 --- a/config/coreboot-t530-maximized.config +++ b/config/coreboot-t530-maximized.config 
@@ -1,23 +1,24 @@ -CONFIG_TPM_MEASURED_BOOT=y +CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y CONFIG_VENDOR_LENOVO=y +CONFIG_NO_POST=y CONFIG_CBFS_SIZE=0xBE4FFF -CONFIG_HAVE_IFD_BIN=y -CONFIG_HAVE_ME_BIN=y -CONFIG_HAVE_GBE_BIN=y CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin" CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin" +CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_T530=y -CONFIG_NO_POST=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_UART_PCI_ADDR=0 -# CONFIG_CONSOLE_SERIAL is not set -CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" -CONFIG_USE_OPTION_TABLE=y -CONFIG_STATIC_OPTION_TABLE=y diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config index 64a2f3ecd..245a5c565 100644 --- a/config/coreboot-w530-dgpu-K1000m-maximized.config +++ b/config/coreboot-w530-dgpu-K1000m-maximized.config 
@@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
-CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
-CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
-CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
 CONFIG_VGA_BIOS_DGPU_ID="10de,0ffc"
 CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffc.rom"
-CONFIG_VGA_BIOS=y
 CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config
index ab1ea461f..dc2f561cd 100644
--- a/config/coreboot-w530-dgpu-K2000m-maximized.config
+++ b/config/coreboot-w530-dgpu-K2000m-maximized.config
@@ -1,30 +1,28 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_VGA_BIOS=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
-CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
-CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
-CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
 CONFIG_VGA_BIOS_DGPU_ID="10de,0ffb"
 CONFIG_VGA_BIOS_DGPU_FILE="@BLOB_DIR@/xx30/10de,0ffb.rom"
-CONFIG_VGA_BIOS=y
 CONFIG_VGA_BIOS_FILE="@BLOB_DIR@/xx30/8086,0106.rom"
-# CONFIG_VGA_BIOS_SECOND is not set
-CONFIG_VGA_ROM_RUN_DEFAULT=y
-CONFIG_VGA_BIOS_DGPU=y
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
-CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_VGA_BIOS_DGPU=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config
index daf91635b..3adb53d31 100644
--- a/config/coreboot-w530-maximized.config
+++ b/config/coreboot-w530-maximized.config
@@ -1,23 +1,24 @@
-CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
 CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
 CONFIG_CBFS_SIZE=0xBE4FFF
-CONFIG_HAVE_IFD_BIN=y
-CONFIG_HAVE_ME_BIN=y
-CONFIG_HAVE_GBE_BIN=y
 CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx30/ifd.bin"
 CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx30/me.bin"
 CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_W530=y
-CONFIG_NO_POST=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
-# CONFIG_CONSOLE_SERIAL is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
 CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
-CONFIG_USE_OPTION_TABLE=y
-CONFIG_STATIC_OPTION_TABLE=y
diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config
index 934ff13f7..3b2a6223a 100644
--- a/config/coreboot-x220-maximized.config
+++ b/config/coreboot-x220-maximized.config
@@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X220=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config
index 231c24a4d..837d8a6ad 100644
--- a/config/coreboot-x230-maximized-fhd_edp.config
+++ b/config/coreboot-x230-maximized-fhd_edp.config
@@ -11,10 +11,12 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230_EDP=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config
index dedeed36a..f5780fe77 100644
--- a/config/coreboot-x230-maximized.config
+++ b/config/coreboot-x230-maximized.config
@@ -9,11 +9,13 @@ CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_LENOVO_X230=y
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_UART_PCI_ADDR=0
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_HAVE_ME_BIN=y
 CONFIG_HAVE_GBE_BIN=y
 CONFIG_NO_GFX_INIT=y
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
From 39bb6ea313b37e182635c5010b15c69d91d74c08 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 20 Jun 2023 12:40:00 -0400
Subject: [PATCH 5/6] lock_chip: parametrize locking in function of board config exported config option
kexec-boot: depend on io386 presence and board config option to call lock_chip
---
 initrd/bin/kexec-boot | 2 +-
 initrd/bin/lock_chip | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index dfbfccd90..de59db6ef 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -150,7 +150,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
 tpmr kexec_finalize
 fi
-if [ -x /bin/io386 ]; then
+if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
 lock_chip
 fi
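Review bot: The new guard `[ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]` silently skips the chipset lockdown whenever the variable is unset, misspelled in a board config, or io386 is missing from the initrd, and nothing is logged, so a board that is meant to lock the flash boots with it writable and leaves no trace in the console output. The `-a` form inside one `[ ]` is also obsolescent in POSIX test and becomes ambiguous once an operand starts with `-`; write it as two tests, `if [ -x /bin/io386 ] && [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then`, and add an `else` branch with `echo "Skipping platform lockdown: io386 absent or CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE is not y"` so the unlocked state is visible in the boot log. Since lock_chip itself now tests the same variable, one of the two checks is redundant; keeping the decision in a single place avoids the two drifting apart.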
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
index 1331aebfe..8bf316b71 100755
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@@ -9,7 +9,15 @@
 . /etc/ash_functions
 TRACE "Under /bin/lock_chip"
-APM_CNT=0xb2
-FIN_CODE=0xcb
-echo "Finalizing chipset"
-io386 -o b -b x $APM_CNT $FIN_CODE
+if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+APM_CNT=0xb2
+FIN_CODE=0xcb
+fi
+
+if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
+echo "Finalizing chipset"
+io386 -o b -b x $APM_CNT $FIN_CODE
+else
+echo "NOT Finalizing chipset"
+echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
+fi
From 995a6931f1471565b293bf1799c7ff91fd310ee3 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 18 Jun 2023 17:08:45 -0400
Subject: [PATCH 6/6] config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime
ash_functions: make sure /tmp/config is sourced before going to recovery shell
TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
---
 initrd/bin/config-gui.sh | 25 +++++++++++++++++++++----
 initrd/etc/ash_functions | 1 +
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 071248ba1..4f6ea91c7 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -10,6 +10,20 @@ TRACE "Under /bin/config-gui.sh"
 param=$1
 while true; do
+dynamic_config_options=(
+'b' ' Change the /boot device'
+'s' ' Save the current configuration to the running BIOS' \
+'r' ' Clear GPG key(s) and reset all user settings' \
+)
+if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ];then
+dynamic_config_options+=(
+'t' ' Deactivate Platform Locking to permit OS write access to firmware'
+)
+fi
+dynamic_config_options+=(
+'x' ' Return to Main Menu'
+)
+
 if [ ! -z "$param" ]; then
 # use first char from parameter
 menu_choice=${param::1}
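Review bot: The exit status of `io386 -o b -b x $APM_CNT $FIN_CODE` is never checked, so if the SMI trigger fails the script has already printed "Finalizing chipset", kexec-boot carries on with the chipset and flash still unlocked, and nothing reports it. Since locking is the whole purpose of the script, check the result (assuming io386 reports failure through its exit status), e.g. `io386 -o b -b x "$APM_CNT" "$FIN_CODE" || echo "Finalizing chipset FAILED (io386 exit $?)"`, and consider leaving non-zero from that path and from the `else` branch so callers can tell a completed lockdown from a skipped or failed one. The `else` message blames undefined APM_CNT/FIN_CODE, but on this code path the actual reason is that `CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE` is not `y`; naming that option in the message points the user at the right knob.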
@@ -18,16 +32,19 @@ while true; do
 unset menu_choice
 whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
 --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
-'b' ' Change the /boot device' \
-'s' ' Save the current configuration to the running BIOS' \
-'r' ' Clear GPG key(s) and reset all user settings' \
-'x' ' Return to Main Menu' \
+"${dynamic_config_options[@]}" \
 2>/tmp/whiptail || recovery "GUI menu failed"
 menu_choice=$(cat /tmp/whiptail)
 fi
 case "$menu_choice" in
+"t" )
+unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE
+replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"
+combine_configs
+. /tmp/config
+;;
 "x" )
 exit 0
 ;;
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index ffe88ec3a..a26823fdc 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -57,6 +57,7 @@ recovery() {
 # ensure /tmp/config exists for recovery scripts that depend on it
 touch /tmp/config
+. /tmp/config
 if [ "$CONFIG_TPM" = "y" ]; then
 tpmr extend -ix 4 -ic recovery
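Review bot: The new `"t"` case disables platform locking with no confirmation and no authentication: one keypress in the config menu leaves the SPI flash writable for the rest of the session, and because `replace_config` writes the `n` value into /etc/config.user, the adjacent `s` entry ("Save the current configuration to the running BIOS") can then persist the unlocked state across reboots, which the menu text ("All changes will revert after a reboot") does not suggest. At minimum gate it behind a yes/no prompt that spells out the consequence, e.g. `whiptail --yesno "Disable platform locking for this session? The firmware flash stays writable from the OS until the next boot." 0 80 || continue` before the `unset`, and mention in the `'t'` menu label that the change can also be saved to the BIOS via `s`. The handler also drops straight back to the menu, where the `t` entry simply disappears, without telling the user that the lock is now off; a one-line message there would make the state change visible.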