T430 Support

[flawedworld]

Building upon what @SebastianMcMillan created in #580 I have created a patch for coreboot to backport TPM functionality to the T430, allowing for the usage of coreboot 4.8.1I have also updated his work to allow the new musl cross compiler.

TOTP and TPM functionality appear to be wholly functional. GPG based actions however results in all actions failing with an 'End of file' error. I have tried resetting the NitroKey and attempted RSA 4096 and RSA 2048 and do not appear to be able to perform any GPG related actions. No signing actions are possible.

Thus I am at a loss of what to do. Suggestions appreciated.

UPDATE 31/01/2020: GPG issues all solved, t430 is fully functional but t430-flash has minor script issue

[prez]

I also have a T430, already disassembled, and would like to help with this.

Building upon what @SebastianMcMillan created in #580 I have created a patch for coreboot to backport TPM functionality to the T430, allowing for the usage of coreboot 4.8.1

Nice! I hate to ask, but what's blocking #568? Wouldn't waiting for that be more practical in the long term (If I understand correctly, the coreboot 4.11 native vboot might have different issues on this device than the current in-house measured boot code, rendering this effort moot once that gets merged)?

Are there any IRC or slack channels you hang out in? Would love to get in touch and solve this together.

[tlaurion]

@flawedworld Temporary fix for gpg signing was upstreamed (GPG_TTY was asking tty to return actual termnial, which currently doesn't. #665 still needs fix for other non single terminal machines (servers) )

[flawedworld]

@tlaurion I will merge in commits from master into my branch and build tomorrow.

[flawedworld]

@SeiToKaiChou great! coreboot 4.11 porting time will take likely a while still, this port is fine until it is done, I am not experienced enough unfortunately to assist with the whole port to 4.11 Given that the T430 much like the T530 and the rest of the **30 series is like the X230, I do not expect to see any major issues arise in future. I am present on the u-root slack if you wish to PM me there.

[flawedworld]

@tlaurion One issue with t430-flash is that install.init is not invoked on startup, if i try to execute it once in ash by doing /bin/inistall.init I get permission denied. However if I perform each command manually I can successfully flash the rom made from 't430' and have 0 issues there.

So I can happily say the port for actual core heads is done, its just the flash script that needs a fix, which seems trivial hopefully

[flawedworld]

@SeiToKaiChou If you wish to assist, I reccomend following the steps in my previous comment and in theory you should be able to get functional heads on T430

[tlaurion]

@sebastianMcMillan, can you give your comments?

[snmcmillan]

This is a decent stop-gap solution until 4.11 is used. Here's my notes:

1. This uses commits of both T430 initial support #580 as well as X230 flash universal init #579. This means that this PR effectively generalizes the flash phase init file as proposed in X230 flash universal init #579. Is that intended?
2. install.init doesn't have proper permissions. Maybe you need to give it a chmod +x on your build system to work. If git preserves file perms, make sure you have a commit that does such.
3. You enable the ability to change CMOS values. How do we measure changes to them?

[tlaurion]

@flawedworld @SebastianMcMillan
1- Please keep changes minimal and base your branch on top of other users branches, so that rebasing permits you to incorporate changes without including them personally.
2- @SebastianMcMillan is right.
3- I'm not a fan of that CMOS pull request @flawedworld. Unless proven otherwise, I do not see how this is needed with the added risk of adding another source of persistence and externally modifiable hardware behavior without a direct possibility of measurement. As specified here, if someone comes up with a need for that and proposes code to measure modified CBFS regions, that would be mergeable.

[flawedworld]

All changes made do not intrude on x230 files, we use the x230-linux config, i see no need to change it for the t430 as all the **30 series are highly similar in configuration.

@tlaurion The ability to modify CMOS does not affect the SPI flash chip thus measured boot is unaffected and any values we can alter are limited to that which coreboot limits us to hence because of this I do not see a risk. These values are not executable and just a list of glorified true or false so I believe it is safe.

If despite this it is still seen as a risk, we can do what #274 discusses and use STATIC_OPTION_TABLE meaning we load CMOS values in at boottime and if a user wishes to edit values they must do so at compile time.

As @SebastianMcMillan stated, file permissions have been updated. Flash init is no longer generalized. This can be a separate pull.

If this all looks okay, I will start cleaning up commits.

[tlaurion]

Seems good! Try to give @SebastianMcMillan as much credit for his contributions!

[flawedworld]

@tlaurion Of course! @SebastianMcMillan You have been an absolute pleasure to work with!

[tlaurion]

@flawedworld @SebastianMcMillan : resolve conflict and good to merge too if confirmed working!

[tlaurion]

#506

[snmcmillan]

@tlaurion conflicts have been resolved, awaiting @flawedworld to test and confirm working.

[MrChromebox]

looks like this could use a rebase on master

[tlaurion]

@flawedworld @petabyteboy : can you rebuild and confirm that that board compiles and works as intended?

git fetch
git checkout master
git pull
wget https://github.com/osresearch/heads/pull/656.patch
patch -p0 < 656.patch
make BOARD=t430 real.clean
rm -rf crossgcc build/*
make BOARD=t430

[flawedworld]

Main 't430' build confirmed working. Going to test t430-flash soon.

The following was tested:
Adding GPG Key
TPM Reset and TOTP generation
GPG Signing of /boot
Setting /boot
Booting
Changing of CMOS values in OS, then seeing them reset to compile time defined settings after shutdown

[flawedworld]

@tlaurion t430-flash fully working, the following has been tested:
Mounting USB
Execution of flash.sh to flash 't430' sucessfully

HOWEVER, a minor visual issue was noticed by me when using a modded 1080p IPS panel. This works by using a eDP to LVDS adapter between the panel and the motherboard for those who aren't aware of its workings. Everything still works however part of the screen is cut off at the bottom and there is general glitchiness. As evidenced by commits I attemped to fix this but 7c3d8a2 would not compile. Help needed, but I do not deem this to be important as the main 't430' build works perfectly with this modded panel and the user is only going to be in 't430-flash' for mere seconds anyway.

[flawedworld]

@tlaurion comments please?

[tlaurion]

@flawedworld seems to work!
You have made a clean build?

make BOARD=t430 real.clean && rm -rf crossgcc build/* && make BOARD=t430 to arrive to your working results? To me it looks all good, still not convinced about this but users seems to want it, so I won't go against it.

As a sidenote, if boards customizations are required, let it be to have LIBREM_KEY, or specify added linux kernel modules (sdcard required modules etc), then boards customizations alone would be required (different board config matching different linux config, specific for that specialized board). Ex: a x230-libremkey or a t430-HDPanel board config, linux and coreboot matching files. problem here and now, but I see specialized boards as being required in the future.

Good for me! @SebastianMcMillan ? Will merge if no one has opposition tomorrow.

[tlaurion]

@flawedworld

HOWEVER, a minor visual issue was noticed by me when using a modded 1080p IPS panel. This works by using a eDP to LVDS adapter between the panel and the motherboard for those who aren't aware of its workings. Everything still works however part of the screen is cut off at the bottom and there is general glitchiness. As evidenced by commits I attemped to fix this but 7c3d8a2 would not compile. Help needed, but I do not deem this to be important as the main 't430' build works perfectly with this modded panel and the user is only going to be in 't430-flash' for mere seconds anyway.

Please open another issue with compilation error trace you encounter from a clean build.

Note that flash board configs will probably disappear soon, if we agree that modified ifd and neutered me blobs can be distributed in heads (or find a clever way to store them on external repository), see issue 307.

The resulting top and bottom rom images would be externally flashable, removing the need to rely on a flash board that produces smaller then 4mb ROM images and splitting a 12mb image in two.

[snmcmillan]

I've gotten reports that even in the main t430 build there's screen garble, and said T430 doesn't have the FHD mod either.

They are experiencing screen garble in full ROM, but not in flash ROM on their HD+ panel.

If we want to have this merged, we need someone with the stock HD or HD+ panels to test this as working.

[snmcmillan]

@tlaurion alright, the graphics issue is resolved. Ready for a final review.

Edit: seems that CircleCI is failing with a signature error on mbedtls.

[flawedworld]

@tlaurion Checks failed due to TLS issue on Circle CI, likely ca-certificates will need update or something like that.

[tlaurion]

@flawedworld : did a lot of

@tlaurion Checks failed due to TLS issue on Circle CI, likely ca-certificates will need update or something like that.

@flawedworld: rerun that pipeline from failed point and it should work. Played in the past days with both circleCI and GitlabCI and didn't encounter the issue your CircleCI environement unfortunately encountered when it tried to download a package.

[OkashiOdayakana]

Any progress on this?

[tlaurion]

@flawedworld ?

[MrChromebox]

configs need to be adjusted for flashrom 1.2, and IMO would be nice to see a lot of these commits squashed and refactored now that things are working properly.

[flawedworld]

@tlaurion Yeah been getting super sidetracked recently, I am going to neaten things up hopefully and will update.

[flawedworld]

@tlaurion commits neatened, tested build, successfully able to flash.

Only changes are the increase in CBFS size and flashrom changes. The original commits for this pull may be viewed at: https://github.com/fibreblazer/heads/commits/master_old

[MrChromebox]

some notes:

• several files are missing newlines at end of files
• commented out lines in the 'flash' configs - I know it's just a copy/paste/edit from the x230, but seems pointless to add them in a new board
• there's a lot of coreboot config items carried over from the x230 that aren't needed or don't really make sense (for either board). Can prune them now, or can do it as part of the coreboot 4.12 update in Add option to build against coreboot 4.12 #721

[flawedworld]

@MrChromebox I will amend the commit to add in newlines and I will remove the commented lines in flash configs, I kept them for easy reference between x230 and t430 but will nuke them.

As for point 3, I feel that this is better placed as part of 4.12. If 4.12 gets merged in before this I will update this pull.

[MrChromebox]

@flawedworld sounds good to me, will approve once updated

[flawedworld]

@MrChromebox Right I believe this updated commit should do the trick.

[MrChromebox]

@flawedworld 0060-enable-tpm-on-t430.patch is still missing the trailing newline, otherwise looks good

[flawedworld]

oh? I better check that, my apologies!

[flawedworld]

@MrChromebox I believe this should do it.