Skip to content

Commit

Permalink
config-gui.sh: permit io386 platform locking to be dynamically disabled
Browse files Browse the repository at this point in the history
  • Loading branch information
@tlaurion
tlaurion committed Jun 19, 2023
1 parent a00a8be commit 7c379f7
Show file tree
Hide file tree
Showing 29 changed files with 125 additions and 9 deletions.
3 changes: 3 additions & 0 deletions boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,10 @@ CONFIG_PCIUTILS=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y

# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
# for a console-based menu.
Expand Down
4 changes: 4 additions & 0 deletions boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,10 @@ CONFIG_DROPBEAR=y
CONFIG_MSRTOOLS=y
#CONFIG_HOTPKEY=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y

#Uncomment only one of the following block
#Required for graphical gui-init (FBWhiptail)
#CONFIG_CAIRO=y
Expand Down
4 changes: 4 additions & 0 deletions boards/t420-hotp-maximized/t420-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
3 changes: 3 additions & 0 deletions boards/t420-maximized/t420-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,10 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y

#Remote attestation support
#TPM based requirements
Expand Down
3 changes: 3 additions & 0 deletions boards/t430-hotp-maximized/t430-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,10 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y

#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t430-maximized/t430-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t440p-maximized/t440p-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ CONFIG_PCIUTILS=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
# for a console-based menu.
Expand Down
4 changes: 4 additions & 0 deletions boards/t520-hotp-maximized/t520-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t520-maximized/t520-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t530-dgpu-hotp-maximized/t530-dgpu-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t530-dgpu-maximized/t530-dgpu-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t530-hotp-maximized/t530-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/t530-maximized/t530-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-dgpu-K1000m-hotp-maximized/w530-dgpu-K1000m-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-dgpu-K1000m-maximized/w530-dgpu-K1000m-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-dgpu-K2000m-hotp-maximized/w530-dgpu-K2000m-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-dgpu-K2000m-maximized/w530-dgpu-K2000m-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-hotp-maximized/w530-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/w530-maximized/w530-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x220-hotp-maximized/x220-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x220-maximized/x220-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x230-hotp-maximized/x230-hotp-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
4 changes: 4 additions & 0 deletions boards/x230-maximized/x230-maximized.config
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,11 @@ CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#platform locking finalization (PR0)
CONFIG_IO386=y
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y


#Remote attestation support
#TPM based requirements
Expand Down
15 changes: 11 additions & 4 deletions initrd/bin/config-gui.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,11 @@ TRACE "Under /bin/config-gui.sh"
param=$1

while true; do
choices=("b" "Change the /boot device" "s" "Save the current configuration to the running BIOS" "r" "Clear GPG key(s) and reset all user settings" "x" "Return to Main Menu")
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ];then
choices=("b" "Change the /boot device" "s" "Save the current configuration to the running BIOS" "r" "Clear GPG key(s) and reset all user settings" "t" "Skip Platform Locking at kexec so OS can write to firmware" "x" "Return to Main Menu")
fi

if [ ! -z "$param" ]; then
# use first char from parameter
menu_choice=${param::1}
Expand All @@ -18,16 +23,18 @@ while true; do
unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
'b' ' Change the /boot device' \
's' ' Save the current configuration to the running BIOS' \
'r' ' Clear GPG key(s) and reset all user settings' \
'x' ' Return to Main Menu' \
"${choices[@]}" \
2>/tmp/whiptail || recovery "GUI menu failed"

menu_choice=$(cat /tmp/whiptail)
fi

case "$menu_choice" in
"t" )
export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=n
echo "export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=\"$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE\"" >> /etc/config.user
combine_configs
;;
"x" )
exit 0
;;
Expand Down
2 changes: 1 addition & 1 deletion initrd/bin/kexec-boot
View file
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
tpmr kexec_finalize
fi

if [ -x /bin/io386 ]; then
if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
lock_chip
fi

Expand Down
16 changes: 12 additions & 4 deletions initrd/bin/lock_chip
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,15 @@
. /etc/ash_functions

TRACE "Under /bin/lock_chip"
APM_CNT=0xb2
FIN_CODE=0xcb
echo "Finalizing chipset"
io386 -o b -b x $APM_CNT $FIN_CODE
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
APM_CNT=0xb2
FIN_CODE=0xcb
fi

if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
echo "Finalizing chipset"
io386 -o b -b x $APM_CNT $FIN_CODE
else
echo "NOT Finalizing chipset"
echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
fi

0 comments on commit 7c379f7

Please sign in to comment.