diff --git a/.circleci/config.yml b/.circleci/config.yml index 3b706fb86..0473a4e77 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -102,7 +102,8 @@ jobs: - run: name: Download, neuter and deguard xx80 ME (keep generated GBE and extracted IFD in tree) command: | - ./blobs/xx80/download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ + ./blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ + ./blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ - run: name: Download and extract t530 vbios roms for dgpu boards command: | @@ -252,7 +253,7 @@ workflows: requires: - novacustom-nv4x_adl - # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build_and_persist: name: EOL_t480-hotp-maximized target: EOL_t480-hotp-maximized @@ -526,7 +527,7 @@ workflows: requires: - librem_14 - # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: name: EOL_t480-maximized target: EOL_t480-maximized @@ -534,6 +535,22 @@ workflows: requires: - EOL_t480-hotp-maximized + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache + - build: + name: EOL_t480s-hotp-maximized + target: EOL_t480s-hotp-maximized + subcommand: "" + requires: + - EOL_t480-hotp-maximized + + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache + - build: + name: EOL_t480s-maximized + target: EOL_t480s-maximized + subcommand: "" + requires: + - EOL_t480-hotp-maximized + # dasharo release, share 24.02.01 utils/crossgcc - build: name: UNTESTED_nitropad-ns50 diff --git a/blobs/xx80/.gitignore b/blobs/xx80/.gitignore index 326bba658..f9cc243ba 100644 --- a/blobs/xx80/.gitignore +++ b/blobs/xx80/.gitignore @@ -1,2 +1,6 @@ me.bin tb.bin +t480_tb.bin +t480s_tb.bin +t480_me.bin +t480s_me.bin diff --git a/blobs/xx80/hashes.txt b/blobs/xx80/hashes.txt index 1b4a87e5c..e3b6df2fd 100644 --- a/blobs/xx80/hashes.txt +++ b/blobs/xx80/hashes.txt @@ -1,4 +1,10 @@ -d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin -f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin -1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin -fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 tb.bin +#T480: +1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b t480_me.bin +fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 t480_tb.bin +d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 t480_gbe.bin +f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf t480_ifd.bin +#T480s: +7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b t480s_me.bin +b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119 t480s_tb.bin +caf6393cd5c4ff305b677f50c258658710c42439080868c1fb8ea7584cffb204 t480s_ifd.bin +36be39ecd0d06fa3f7893ca2746f702271c46b75de52bc599467a058bab8e271 t480s_gbe.bin diff --git a/blobs/xx80/download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh similarity index 98% rename from blobs/xx80/download_clean_deguard_me_pad_tb.sh rename to blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh index 290ca416b..55610470b 100755 --- a/blobs/xx80/download_clean_deguard_me_pad_tb.sh +++ b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh @@ -168,8 +168,8 @@ function parse_params() { usage_err "No valid output dir found" fi me_cleaned="${output_dir}/me_cleaned.bin" - me_deguarded="${output_dir}/me.bin" - tb_flashable="${output_dir}/tb.bin" + me_deguarded="${output_dir}/t480_me.bin" + tb_flashable="${output_dir}/t480_tb.bin" echo "Writing cleaned and deguarded ME to ${me_deguarded}" echo "Writing flashable TB to ${tb_flashable}" } diff --git a/blobs/xx80/gbe.bin b/blobs/xx80/t480_gbe.bin similarity index 100% rename from blobs/xx80/gbe.bin rename to blobs/xx80/t480_gbe.bin diff --git a/blobs/xx80/ifd.bin b/blobs/xx80/t480_ifd.bin similarity index 100% rename from blobs/xx80/ifd.bin rename to blobs/xx80/t480_ifd.bin diff --git a/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh new file mode 100755 index 000000000..727973122 --- /dev/null +++ b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh @@ -0,0 +1,200 @@ +#!/usr/bin/env bash + +# These variables are all for the deguard tool. +# They would need to be changed if using the tool for other devices like the T480s or with a different ME version... +ME_delta="thinkpad_t480s" +ME_version="11.6.0.1126" +ME_sku="2M" +ME_pch="LP" + +# Thunderbolt firmware offset in bytes to pad to 1M +TBFW_SIZE=1048575 + +# Integrity checks for the vendor provided ME blob... +ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0" +# ...and the cleaned and deguarded version from that blob. +DEGUARDED_ME_BIN_HASH="7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b" +# Integrity checks for the vendor provided Thunderbolt blob... +TB_DOWNLOAD_HASH="090d0085af4a20bcdfba8a75f1bce735ff80afbfea968bbe276a80a0c4c18706" +# ...and the padded and flashable version from that blob. +TB_BIN_HASH="b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119" + + +function usage() { + echo -n \ + "Usage: $(basename "$0") -m (optional) path_to_output_directory +Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS. +Download Thunderbolt firmware from Lenovo and pad it for flashing externally. +" +} + +function chk_sha256sum() { + sha256_hash="$1" + filename="$2" + echo "$sha256_hash" "$filename" "$(pwd)" + sha256sum "$filename" + if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then + echo "ERROR: SHA256 checksum for ${filename} doesn't match." + exit 1 + fi +} + +function chk_exists_and_matches() { + if [[ -f "$1" ]]; then + if echo "${2} ${1}" | sha256sum --check; then + echo "SKIPPING: SHA256 checksum for $1 matches." + [[ "$3" = ME ]] && me_exists="y" + [[ "$3" = TB ]] && tb_exists="y" + fi + echo "$1 exists but checksum doesn't match. Continuing..." + fi +} + +function download_and_clean() { + me_cleaner="$(realpath "${1}")" + me_output="$(realpath "${2}")" + + # Download and unpack the Dell installer into a temporary directory and + # extract the deguardable Intel ME blob. + pushd "$(mktemp -d)" || exit + + # Download the installer that contains the ME blob + me_installer_filename="Inspiron_5468_1.3.0.exe" + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" + curl -A "$user_agent" -s -O "https://dl.dell.com/FOLDER04573471M/1/${me_installer_filename}" + chk_sha256sum "$ME_DOWNLOAD_HASH" "$me_installer_filename" + + # Download the tool to unpack Dell's installer and unpack the ME blob. + git clone https://github.com/platomav/BIOSUtilities + git -C BIOSUtilities checkout ef50b75ae115ae8162fa8b0a7b8c42b1d2db894b + + python "BIOSUtilities/Dell_PFS_Extract.py" "${me_installer_filename}" -e || exit + + extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin" + + # Neutralize and shrink Intel ME. Note that this doesn't include + # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., + # High Assurance Program) bits, as they are defined within the Flash + # Descriptor. + # However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function. + # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + + # MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition + python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" + rm -rf ./* + popd || exit +} + +function deguard() { + me_input="$(realpath "${1}")" + me_output="$(realpath "${2}")" + + # Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob. + pushd "$(mktemp -d)" || exit + git clone https://github.com/coreboot/deguard + pushd deguard || exit + git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2 + + python ./finalimage.py \ + --delta "data/delta/$ME_delta" \ + --version "$ME_version" \ + --pch "$ME_pch" \ + --sku "$ME_sku" \ + --fake-fpfs data/fpfs/zero \ + --input "$me_input" \ + --output "$me_output" + + popd || exit + #Cleanup + rm -rf ./* + popd || exit +} + +function download_and_pad_tb() { + tb_output="$(realpath "${1}")" + + # Download and unpack the Lenovo installer into a temporary directory and + # extract the TB blob. + pushd "$(mktemp -d)" || exit + + # Download the installer that contains the T480s TB blob + tb_installer_filename=""n22th11w.exe"" + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" + curl -A "$user_agent" -s -O "https://download.lenovo.com/pccbbs/mobiles/${tb_installer_filename}" + chk_sha256sum "$TB_DOWNLOAD_HASH" "$tb_installer_filename" + + # https://www.reddit.com/r/thinkpad/comments/9rnimi/ladies_and_gentlemen_i_present_to_you_the/ + innoextract n22th11w.exe -d . + mv ./code\$GetExtractPath\$/TBT.bin tb.bin + # pad with zeros + dd if=/dev/zero of=tb.bin bs=1 seek="$TBFW_SIZE" count=1 + mv "tb.bin" "$tb_output" + + rm -rf ./* + popd || exit +} + +function usage_err() { + echo "$1" + usage + exit 1 +} + +function parse_params() { + while getopts ":m:" opt; do + case $opt in + m) + if [[ -x "$OPTARG" ]]; then + me_cleaner="$OPTARG" + fi + ;; + ?) + usage_err "Invalid Option: -$OPTARG" + ;; + esac + done + + if [[ -z "${me_cleaner}" ]]; then + if [[ -z "${COREBOOT_DIR}" ]]; then + usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable." + else + me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py" + fi + fi + echo "Using me_cleaner from ${me_cleaner}" + + shift $(($OPTIND - 1)) + output_dir="$(realpath "${1:-./}")" + if [[ ! -d "${output_dir}" ]]; then + usage_err "No valid output dir found" + fi + me_cleaned="${output_dir}/me_cleaned.bin" + me_deguarded="${output_dir}/t480s_me.bin" + tb_flashable="${output_dir}/t480s_tb.bin" + echo "Writing cleaned and deguarded ME to ${me_deguarded}" + echo "Writing flashable TB to ${tb_flashable}" +} + +if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then + if [[ "${1:-}" == "--help" ]]; then + usage + exit 0 + fi + + parse_params "$@" + chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME + chk_exists_and_matches "$tb_flashable" "$TB_BIN_HASH" TB + + if [[ -z "$me_exists" ]]; then + download_and_clean "$me_cleaner" "$me_cleaned" + deguard "$me_cleaned" "$me_deguarded" + rm -f "$me_cleaned" + fi + + if [[ -z "$tb_exists" ]]; then + download_and_pad_tb "$tb_flashable" + fi + + chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded" + chk_sha256sum "$TB_BIN_HASH" "$tb_flashable" +fi diff --git a/blobs/xx80/t480s_gbe.bin b/blobs/xx80/t480s_gbe.bin new file mode 100644 index 000000000..13ad80945 Binary files /dev/null and b/blobs/xx80/t480s_gbe.bin differ diff --git a/blobs/xx80/t480s_ifd.bin b/blobs/xx80/t480s_ifd.bin new file mode 100644 index 000000000..dbbd99cb0 Binary files /dev/null and b/blobs/xx80/t480s_ifd.bin differ diff --git a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config index 725beee9b..de9d1fd05 100644 --- a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config +++ b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config @@ -97,4 +97,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs diff --git a/boards/EOL_t480-maximized/EOL_t480-maximized.config b/boards/EOL_t480-maximized/EOL_t480-maximized.config index 6c94f5850..19edab7c9 100644 --- a/boards/EOL_t480-maximized/EOL_t480-maximized.config +++ b/boards/EOL_t480-maximized/EOL_t480-maximized.config @@ -97,4 +97,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs diff --git a/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config new file mode 100644 index 000000000..d6f3024b5 --- /dev/null +++ b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config @@ -0,0 +1,100 @@ +# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use +# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) +# +# CAVEATS: +# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. +# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. +# Also it can be used to extract FDE keys from a TPM. +# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 +# Make sure you understand the implications of the attack for your threat model before using this board. +# +# Includes +# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions +# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe +# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, +# which is not the same as the 16MB chip to which the heads rom is flashed. +# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. +# You can find a guide here: https://osresearch.net/T430-maximized-flashing/ +# +# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=24.12 +export CONFIG_LINUX_VERSION=6.1.8 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t480s-maximized.config +CONFIG_LINUX_CONFIG=config/linux-t480.config + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y +CONFIG_MOBILE_TETHERING=y + +#Modules packed into tools.cpio +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHPROG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y +export CONFIG_DEBUG_OUTPUT=n +export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n +#Enable TPM2 pcap output under /tmp +export CONFIG_TPM2_CAPTURE_PCAP=n +#Enable quiet mode: technical information logged under /tmp/debug.log +export CONFIG_QUIET_MODE=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="" +export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOARD_NAME="Thinkpad T480S-hotp-maximized" +export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" + +#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP +BOARD_TARGETS := t480s_me_blobs diff --git a/boards/EOL_t480s-maximized/EOL_t480s-maximized.config b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config new file mode 100644 index 000000000..fb27389dd --- /dev/null +++ b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config @@ -0,0 +1,100 @@ +# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use +# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) +# +# CAVEATS: +# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. +# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. +# Also it can be used to extract FDE keys from a TPM. +# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 +# Make sure you understand the implications of the attack for your threat model before using this board. +# +# Includes +# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions +# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe +# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, +# which is not the same as the 16MB chip to which the heads rom is flashed. +# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. +# You can find a guide here: https://osresearch.net/T430-maximized-flashing/ +# +# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=24.12 +export CONFIG_LINUX_VERSION=6.1.8 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t480s-maximized.config +CONFIG_LINUX_CONFIG=config/linux-t480.config + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y +CONFIG_MOBILE_TETHERING=y + +#Modules packed into tools.cpio +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHPROG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +#CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y +export CONFIG_DEBUG_OUTPUT=n +export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n +#Enable TPM2 pcap output under /tmp +export CONFIG_TPM2_CAPTURE_PCAP=n +#Enable quiet mode: technical information logged under /tmp/debug.log +export CONFIG_QUIET_MODE=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="" +export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOARD_NAME="Thinkpad T480S-maximized" +export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" + +#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP +BOARD_TARGETS := t480s_me_blobs diff --git a/config/coreboot-t480-maximized.config b/config/coreboot-t480-maximized.config index 48b70fc5a..a7a6847a1 100644 --- a/config/coreboot-t480-maximized.config +++ b/config/coreboot-t480-maximized.config @@ -163,9 +163,9 @@ CONFIG_HAVE_INTEL_FIRMWARE=y CONFIG_USE_LEGACY_8254_TIMER=y CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000 # CONFIG_DRIVERS_INTEL_WIFI is not set -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/gbe.bin" +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/t480_ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/t480_me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/t480_gbe.bin" CONFIG_MAINBOARD_SUPPORTS_SKYLAKE_CPU=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_CARDBUS_PLUGIN_SUPPORT=y diff --git a/config/coreboot-t480s-maximized.config b/config/coreboot-t480s-maximized.config new file mode 100644 index 000000000..41cd2493b --- /dev/null +++ b/config/coreboot-t480s-maximized.config @@ -0,0 +1,885 @@ +# +# Automatically generated file; DO NOT EDIT. +# coreboot configuration +# + +# +# General setup +# +CONFIG_LOCALVERSION="" +CONFIG_CBFS_PREFIX="fallback" +CONFIG_COMPILER_GCC=y +# CONFIG_COMPILER_LLVM_CLANG is not set +# CONFIG_ANY_TOOLCHAIN is not set +# CONFIG_CCACHE is not set +# CONFIG_LTO is not set +# CONFIG_IWYU is not set +# CONFIG_FMD_GENPARSER is not set +# CONFIG_UTIL_GENPARSER is not set +CONFIG_OPTION_BACKEND_NONE=y +CONFIG_COMPRESS_RAMSTAGE_LZMA=y +# CONFIG_COMPRESS_RAMSTAGE_LZ4 is not set +CONFIG_SEPARATE_ROMSTAGE=y +CONFIG_INCLUDE_CONFIG_FILE=y +CONFIG_COLLECT_TIMESTAMPS=y +# CONFIG_TIMESTAMPS_ON_CONSOLE is not set +CONFIG_USE_BLOBS=y +# CONFIG_USE_AMD_BLOBS is not set +# CONFIG_USE_QC_BLOBS is not set +# CONFIG_COVERAGE is not set +# CONFIG_UBSAN is not set +CONFIG_HAVE_ASAN_IN_RAMSTAGE=y +# CONFIG_ASAN is not set +# CONFIG_NO_STAGE_CACHE is not set +CONFIG_TSEG_STAGE_CACHE=y +# CONFIG_UPDATE_IMAGE is not set +CONFIG_BOOTSPLASH_IMAGE=y +CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg" +CONFIG_BOOTSPLASH_CONVERT=y +CONFIG_BOOTSPLASH_CONVERT_QUALITY=90 +# CONFIG_BOOTSPLASH_CONVERT_RESIZE is not set +# CONFIG_BOOTSPLASH_CONVERT_COLORSWAP is not set + +# +# Software Bill Of Materials (SBOM) +# +# CONFIG_SBOM is not set +# end of Software Bill Of Materials (SBOM) +# end of General setup + +# +# Mainboard +# + +# +# Important: Run 'make distclean' before switching boards +# +# CONFIG_VENDOR_51NB is not set +# CONFIG_VENDOR_ACER is not set +# CONFIG_VENDOR_AMD is not set +# CONFIG_VENDOR_AOOSTAR is not set +# CONFIG_VENDOR_AOPEN is not set +# CONFIG_VENDOR_APPLE is not set +# CONFIG_VENDOR_ARM is not set +# CONFIG_VENDOR_ASROCK is not set +# CONFIG_VENDOR_ASUS is not set +# CONFIG_VENDOR_BIOSTAR is not set +# CONFIG_VENDOR_BOSTENTECH is not set +# CONFIG_VENDOR_BYTEDANCE is not set +# CONFIG_VENDOR_CAVIUM is not set +# CONFIG_VENDOR_CLEVO is not set +# CONFIG_VENDOR_COMPULAB is not set +# CONFIG_VENDOR_CWWK is not set +# CONFIG_VENDOR_DELL is not set +# CONFIG_VENDOR_EMULATION is not set +# CONFIG_VENDOR_ERYING is not set +# CONFIG_VENDOR_EXAMPLE is not set +# CONFIG_VENDOR_FACEBOOK is not set +# CONFIG_VENDOR_FOXCONN is not set +# CONFIG_VENDOR_FRAMEWORK is not set +# CONFIG_VENDOR_GETAC is not set +# CONFIG_VENDOR_GIGABYTE is not set +# CONFIG_VENDOR_GOOGLE is not set +# CONFIG_VENDOR_HARDKERNEL is not set +# CONFIG_VENDOR_HP is not set +# CONFIG_VENDOR_IBASE is not set +# CONFIG_VENDOR_IBM is not set +# CONFIG_VENDOR_INTEL is not set +# CONFIG_VENDOR_INVENTEC is not set +# CONFIG_VENDOR_KONTRON is not set +# CONFIG_VENDOR_LATTEPANDA is not set +CONFIG_VENDOR_LENOVO=y +# CONFIG_VENDOR_LIBRETREND is not set +# CONFIG_VENDOR_MITAC_COMPUTING is not set +# CONFIG_VENDOR_MSI is not set +# CONFIG_VENDOR_OCP is not set +# CONFIG_VENDOR_OPENCELLULAR is not set +# CONFIG_VENDOR_PACKARDBELL is not set +# CONFIG_VENDOR_PCENGINES is not set +# CONFIG_VENDOR_PINE64 is not set +# CONFIG_VENDOR_PORTWELL is not set +# CONFIG_VENDOR_PRODRIVE is not set +# CONFIG_VENDOR_PROTECTLI is not set +# CONFIG_VENDOR_PURISM is not set +# CONFIG_VENDOR_RAPTOR_CS is not set +# CONFIG_VENDOR_RAZER is not set +# CONFIG_VENDOR_RODA is not set +# CONFIG_VENDOR_SAMSUNG is not set +# CONFIG_VENDOR_SAPPHIRE is not set +# CONFIG_VENDOR_SIEMENS is not set +# CONFIG_VENDOR_SIFIVE is not set +# CONFIG_VENDOR_STARLABS is not set +# CONFIG_VENDOR_SUPERMICRO is not set +# CONFIG_VENDOR_SYSTEM76 is not set +# CONFIG_VENDOR_TI is not set +# CONFIG_VENDOR_TOPTON is not set +# CONFIG_VENDOR_UP is not set +# CONFIG_VENDOR_VIA is not set +CONFIG_MAINBOARD_FAMILY="T480S" +CONFIG_MAINBOARD_PART_NUMBER="T480S" +CONFIG_MAINBOARD_VERSION="1.0" +CONFIG_MAINBOARD_DIR="lenovo/sklkbl_thinkpad" +CONFIG_VGA_BIOS_ID="8086,0406" +CONFIG_DIMM_MAX=2 +CONFIG_DIMM_SPD_SIZE=512 +CONFIG_FMDFILE="" +CONFIG_NO_POST=y +CONFIG_MAINBOARD_VENDOR="LENOVO" +CONFIG_CBFS_SIZE=0xEEC000 +# CONFIG_CONSOLE_SERIAL is not set +CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT=1600 +CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH=2560 +CONFIG_MAINBOARD_SUPPORTS_KABYLAKE_DUAL=y +CONFIG_MAINBOARD_SUPPORTS_KABYLAKE_QUAD=y +CONFIG_MAX_CPUS=8 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_VARIANT_DIR="t480s" +CONFIG_OVERRIDE_DEVICETREE="variants/$(CONFIG_VARIANT_DIR)/overridetree.cb" +CONFIG_DEVICETREE="devicetree.cb" +# CONFIG_VBOOT is not set +# CONFIG_VGA_BIOS is not set +CONFIG_PCIEXP_ASPM=y +CONFIG_PCIEXP_L1_SUB_STATE=y +CONFIG_PCIEXP_CLK_PM=y +CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="LENOVO" +CONFIG_ECAM_MMCONF_BASE_ADDRESS=0xe0000000 +CONFIG_ECAM_MMCONF_BUS_NUMBER=256 +CONFIG_MEMLAYOUT_LD_FILE="src/arch/x86/memlayout.ld" +# CONFIG_FATAL_ASSERTS is not set +CONFIG_INTEL_GMA_VBT_FILE="src/mainboard/$(MAINBOARDDIR)/variants/$(VARIANT_DIR)/data.vbt" +# CONFIG_DISABLE_HECI1_AT_PRE_BOOT is not set +CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00 +CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="T480S" +CONFIG_MAX_SOCKET=1 +CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0 +CONFIG_TPM_PIRQ=0x0 +CONFIG_USE_PM_ACPI_TIMER=y +CONFIG_DCACHE_RAM_BASE=0xfef00000 +CONFIG_DCACHE_RAM_SIZE=0x40000 +CONFIG_C_ENV_BOOTBLOCK_SIZE=0x40000 +CONFIG_DCACHE_BSP_STACK_SIZE=0x4000 +CONFIG_MAX_ACPI_TABLE_SIZE_KB=144 +CONFIG_HAVE_INTEL_FIRMWARE=y +CONFIG_USE_LEGACY_8254_TIMER=y +CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000 +# CONFIG_DRIVERS_INTEL_WIFI is not set +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/t480s_ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/t480s_me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/t480s_gbe.bin" +CONFIG_MAINBOARD_SUPPORTS_SKYLAKE_CPU=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_CARDBUS_PLUGIN_SUPPORT=y +CONFIG_SPI_FLASH_DONT_INCLUDE_ALL_DRIVERS=y +# CONFIG_DEBUG_SMI is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_ENABLE is not set +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +# CONFIG_BOARD_LENOVO_THINKPAD_T440P is not set +# CONFIG_BOARD_LENOVO_THINKPAD_W541 is not set +# CONFIG_BOARD_LENOVO_L520 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_M900_TINY is not set +# CONFIG_BOARD_LENOVO_M920Q is not set +# CONFIG_BOARD_LENOVO_S230U is not set +# CONFIG_BOARD_LENOVO_T480 is not set +CONFIG_BOARD_LENOVO_T480S=y +# CONFIG_BOARD_LENOVO_T400 is not set +# CONFIG_BOARD_LENOVO_T500 is not set +# CONFIG_BOARD_LENOVO_R400 is not set +# CONFIG_BOARD_LENOVO_R500 is not set +# CONFIG_BOARD_LENOVO_W500 is not set +# CONFIG_BOARD_LENOVO_T410 is not set +# CONFIG_BOARD_LENOVO_T420 is not set +# CONFIG_BOARD_LENOVO_T420S is not set +# CONFIG_BOARD_LENOVO_THINKPAD_T430 is not set +# CONFIG_BOARD_LENOVO_T430S is not set +# CONFIG_BOARD_LENOVO_T431S is not set +# CONFIG_BOARD_LENOVO_T520 is not set +# CONFIG_BOARD_LENOVO_W520 is not set +# CONFIG_BOARD_LENOVO_T530 is not set +# CONFIG_BOARD_LENOVO_W530 is not set +# CONFIG_BOARD_LENOVO_T60 is not set +# CONFIG_BOARD_LENOVO_Z61T is not set +# CONFIG_BOARD_LENOVO_R60 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_A58 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_M710S is not set +# CONFIG_BOARD_LENOVO_X131E is not set +# CONFIG_BOARD_LENOVO_X1_CARBON_GEN1 is not set +# CONFIG_BOARD_LENOVO_X200 is not set +# CONFIG_BOARD_LENOVO_X301 is not set +# CONFIG_BOARD_LENOVO_X201 is not set +# CONFIG_BOARD_LENOVO_X220 is not set +# CONFIG_BOARD_LENOVO_X220I is not set +# CONFIG_BOARD_LENOVO_X1 is not set +# CONFIG_BOARD_LENOVO_X230 is not set +# CONFIG_BOARD_LENOVO_X230T is not set +# CONFIG_BOARD_LENOVO_X230S is not set +# CONFIG_BOARD_LENOVO_X230_EDP is not set +# CONFIG_BOARD_LENOVO_X60 is not set +CONFIG_PS2K_EISAID="PNP0303" +CONFIG_PS2M_EISAID="PNP0F13" +CONFIG_THINKPADEC_HKEY_EISAID="IBM0068" +CONFIG_GFX_GMA_PANEL_1_PORT="eDP" +CONFIG_BOARD_LENOVO_SKLKBL_THINKPAD_COMMON=y +# CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set +CONFIG_POWER_STATE_DEFAULT_ON_AFTER_FAILURE=y +CONFIG_D3COLD_SUPPORT=y +CONFIG_GFX_GMA_PANEL_1_ON_EDP=y +CONFIG_DRIVERS_UART_8250IO=y +CONFIG_PC_CMOS_BASE_PORT_BANK1=0x72 +CONFIG_HEAP_SIZE=0x100000 +CONFIG_EC_GPE_SCI=0x50 +CONFIG_EC_STARLABS_BATTERY_MODEL="Unknown" +CONFIG_EC_STARLABS_BATTERY_TYPE="LION" +CONFIG_EC_STARLABS_BATTERY_OEM="Unknown" +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_LINUX_COMMAND_LINE="quiet loglevel=2" +CONFIG_BOARD_ROMSIZE_KB_16384=y +# CONFIG_COREBOOT_ROMSIZE_KB_256 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_512 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_1024 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_2048 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_4096 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_5120 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_6144 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_8192 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_10240 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_12288 is not set +CONFIG_COREBOOT_ROMSIZE_KB_16384=y +# CONFIG_COREBOOT_ROMSIZE_KB_24576 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_32768 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_65536 is not set +CONFIG_COREBOOT_ROMSIZE_KB=16384 +CONFIG_ROM_SIZE=0x01000000 +CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y +CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y +CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y +# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set +# CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set +CONFIG_MAINBOARD_POWER_FAILURE_STATE=0 +# end of Mainboard + +CONFIG_SYSTEM_TYPE_LAPTOP=y + +# +# Chipset +# + +# +# SoC +# +CONFIG_CHIPSET_DEVICETREE="soc/intel/skylake/chipset.cb" +CONFIG_FSP_M_FILE="$(obj)/Fsp_M.fd" +CONFIG_FSP_S_FILE="$(obj)/Fsp_S.fd" +CONFIG_CBFS_MCACHE_SIZE=0x4000 +CONFIG_ROMSTAGE_ADDR=0x2000000 +CONFIG_VERSTAGE_ADDR=0x2000000 +CONFIG_SMM_TSEG_SIZE=0x800000 +CONFIG_SMM_RESERVED_SIZE=0x200000 +CONFIG_SMM_MODULE_STACK_SIZE=0x800 +CONFIG_ACPI_BERT_SIZE=0x0 +CONFIG_DRIVERS_I2C_DESIGNWARE_CLOCK_MHZ=120 +CONFIG_PRERAM_CBFS_CACHE_SIZE=0x4000 +CONFIG_DOMAIN_RESOURCE_32BIT_LIMIT=0xe0000000 +CONFIG_ACPI_CPU_STRING="CP%02X" +CONFIG_STACK_SIZE=0x2000 +CONFIG_IFD_CHIPSET="sklkbl" +CONFIG_IED_REGION_SIZE=0x400000 +CONFIG_MAX_ROOT_PORTS=24 +CONFIG_PCR_BASE_ADDRESS=0xfd000000 +CONFIG_CPU_BCLK_MHZ=100 +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI_CLOCK_MHZ=120 +CONFIG_CPU_XTAL_HZ=24000000 +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI_MAX=2 +CONFIG_SOC_INTEL_I2C_DEV_MAX=6 +# CONFIG_ENABLE_SATA_TEST_MODE is not set +CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_M_VAL=0x30 +CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_N_VAL=0xc35 +CONFIG_FSP_HEADER_PATH="3rdparty/fsp/KabylakeFspBinPkg/Include/" +CONFIG_FSP_FD_PATH="3rdparty/fsp/KabylakeFspBinPkg/Fsp.fd" +CONFIG_SOC_INTEL_COMMON_DEBUG_CONSENT=0 +CONFIG_INTEL_GMA_BCLV_OFFSET=0xc8254 +CONFIG_INTEL_GMA_BCLV_WIDTH=16 +CONFIG_INTEL_GMA_BCLM_OFFSET=0xc8256 +CONFIG_INTEL_GMA_BCLM_WIDTH=16 +CONFIG_FSP_PUBLISH_MBP_HOB=y +CONFIG_FSP_STATUS_GLOBAL_RESET=0x40000003 +CONFIG_MAX_HECI_DEVICES=5 +CONFIG_BOOTBLOCK_IN_CBFS=y +CONFIG_HAVE_PAM0_REGISTER=y +CONFIG_PCIEXP_COMMON_CLOCK=y +CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT=0x40000 +CONFIG_CPU_INTEL_NUM_FIT_ENTRIES=10 +CONFIG_SOC_INTEL_GFX_FRAMEBUFFER_OFFSET=0x0 +CONFIG_PCIE_LTR_MAX_SNOOP_LATENCY=0x1003 +CONFIG_PCIE_LTR_MAX_NO_SNOOP_LATENCY=0x1003 +CONFIG_SOC_PHYSICAL_ADDRESS_WIDTH=0 +CONFIG_SOC_INTEL_COMMON_SKYLAKE_BASE=y +CONFIG_SOC_INTEL_KABYLAKE=y +CONFIG_FSP_T_LOCATION=0xfffe0000 +CONFIG_SOC_INTEL_COMMON_BLOCK_P2SB=y +CONFIG_FIXED_SMBUS_IO_BASE=0xefa0 +CONFIG_CBFS_CACHE_ALIGN=8 +CONFIG_SOC_INTEL_COMMON=y + +# +# Intel SoC Common Code for IP blocks +# +CONFIG_SOC_INTEL_COMMON_BLOCK=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_GPIO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_LPIT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_PEP=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_CPPC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CHIP_CONFIG=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU_MPINIT=y +CONFIG_USE_FSP_FEATURE_PROGRAM_ON_APS=y +# CONFIG_USE_COREBOOT_MP_INIT is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU_SMMRELOCATE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CAR=y +CONFIG_INTEL_CAR_NEM_ENHANCED=y +# CONFIG_USE_INTEL_FSP_MP_INIT is not set +CONFIG_CPU_SUPPORTS_PM_TIMER_EMULATION=y +CONFIG_HAVE_HYPERTHREADING=y +CONFIG_FSP_HYPERTHREADING=y +# CONFIG_INTEL_KEYLOCKER is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_MAX is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_256MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_128MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_64MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_32MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_16MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_8MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_4MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_2MB is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_0MB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CSE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PCR=y +CONFIG_SOC_INTEL_CSE_FMAP_NAME="SI_ME" +CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME="ME_RW_A" +CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME="ME_RW_B" +CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME="me_rw" +CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME="me_rw.hash" +CONFIG_SOC_INTEL_CSE_RW_VERSION_CBFS_NAME="me_rw.version" +CONFIG_SOC_INTEL_CSE_RW_FILE="" +CONFIG_SOC_INTEL_CSE_RW_VERSION="" +CONFIG_SOC_INTEL_CSE_IOM_CBFS_NAME="cse_iom" +CONFIG_SOC_INTEL_CSE_IOM_CBFS_FILE="" +CONFIG_SOC_INTEL_CSE_NPHY_CBFS_NAME="cse_nphy" +CONFIG_SOC_INTEL_CSE_NPHY_CBFS_FILE="" +CONFIG_SOC_INTEL_COMMON_BLOCK_DSP=y +CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI=y +CONFIG_FAST_SPI_DISABLE_WRITE_STATUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_ITSS_POL_CFG=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_PADCFG_PADTOL=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_DUAL_ROUTE_SUPPORT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPMR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GRAPHICS=y +CONFIG_SOC_INTEL_GFX_HAVE_DDI_A_BIFURCATION=y +# CONFIG_SOC_INTEL_DISABLE_IGD is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HDA=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HDA_VERB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_I2C=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ITSS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPC_MIRROR_TO_GPMR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPSS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_BASE_P2SB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PCIE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PCR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PMC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PMC_DISCOVERABLE=y +CONFIG_PMC_GLOBAL_RESET_ENABLE_LOCK=y +CONFIG_SOC_INTEL_COMMON_BLOCK_POWER_LIMIT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_RTC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SATA=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SCS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SGX=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMBUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TCO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TCO_ENABLE_THROUGH_SMBUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_IO_TRAP=y +# CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_S5_DELAY_MS=0 +CONFIG_SOC_INTEL_COMMON_BLOCK_SPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SA=y +CONFIG_SA_ENABLE_DPR=y +CONFIG_HAVE_CAPID_A_REGISTER=y +CONFIG_HAVE_BDSM_BGSM_REGISTER=y +CONFIG_SOC_INTEL_COMMON_BLOCK_THERMAL=y +CONFIG_SOC_INTEL_COMMON_BLOCK_THERMAL_PCI_DEV=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TIMER=y +CONFIG_SOC_INTEL_COMMON_BLOCK_UART=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XDCI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y + +# +# Intel SoC Common PCH Code +# +CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y +CONFIG_SOC_INTEL_COMMON_PCH_BASE=y +CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y +CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y +CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y +CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y +CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y + +# +# Intel SoC Common coreboot stages and non-IP blocks +# +CONFIG_SOC_INTEL_COMMON_BASECODE=y +CONFIG_SOC_INTEL_COMMON_RESET=y +CONFIG_SOC_INTEL_COMMON_ACPI_WAKE_SOURCE=y +CONFIG_PAVP=y +# CONFIG_MMA is not set +CONFIG_SOC_INTEL_COMMON_NHLT=y +# CONFIG_SOC_INTEL_DEBUG_CONSENT is not set + +# +# CPU +# +CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE=y +CONFIG_CPU_INTEL_COMMON=y +CONFIG_ENABLE_VMX=y +CONFIG_SET_IA32_FC_LOCK_BIT=y +CONFIG_SET_MSR_AESNI_LOCK_BIT=y +CONFIG_CPU_INTEL_COMMON_SMM=y +CONFIG_PARALLEL_MP=y +CONFIG_PARALLEL_MP_AP_WORK=y +CONFIG_XAPIC_ONLY=y +# CONFIG_X2APIC_ONLY is not set +# CONFIG_X2APIC_RUNTIME is not set +# CONFIG_X2APIC_LATE_WORKAROUND is not set +CONFIG_UDELAY_TSC=y +CONFIG_TSC_MONOTONIC_TIMER=y +CONFIG_TSC_SYNC_MFENCE=y +CONFIG_HAVE_SMI_HANDLER=y +CONFIG_SMM_TSEG=y +CONFIG_SMM_PCI_RESOURCE_STORE_NUM_SLOTS=8 +CONFIG_AP_STACK_SIZE=0x800 +CONFIG_SMP=y +CONFIG_SSE=y +CONFIG_SSE2=y +CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y +CONFIG_USE_CPU_MICROCODE_CBFS_BINS=y +CONFIG_CPU_MICROCODE_CBFS_DEFAULT_BINS=y +# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS is not set +# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set +# CONFIG_CPU_MICROCODE_CBFS_NONE is not set + +# +# Northbridge +# + +# +# Southbridge +# +CONFIG_PCIEXP_HOTPLUG=y +CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y +CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y +CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y +# CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 +CONFIG_RCBA_LENGTH=0x4000 + +# +# Super I/O +# + +# +# Embedded Controllers +# +CONFIG_EC_ACPI=y +CONFIG_EC_LENOVO_H8=y +CONFIG_H8_BEEP_ON_DEATH=y +CONFIG_H8_FLASH_LEDS_ON_DEATH=y +# CONFIG_H8_SUPPORT_BT_ON_WIFI is not set +# CONFIG_H8_FN_CTRL_SWAP is not set +CONFIG_H8_HAS_BAT_THRESHOLDS_IMPL=y +CONFIG_H8_HAS_PRIMARY_FN_KEYS=y +CONFIG_H8_HAS_LEDLOGO=y +CONFIG_EC_LENOVO_PMH7=y + +# +# Intel Firmware +# +CONFIG_HAVE_ME_BIN=y +# CONFIG_STITCH_ME_BIN is not set +# CONFIG_CHECK_ME is not set +# CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS is not set +# CONFIG_USE_ME_CLEANER is not set +CONFIG_MAINBOARD_USES_IFD_GBE_REGION=y +CONFIG_HAVE_GBE_BIN=y +# CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION is not set +# CONFIG_LOCK_MANAGEMENT_ENGINE is not set +CONFIG_UNLOCK_FLASH_REGIONS=y +CONFIG_ACPI_FNKEY_GEN_SCANCODE=0 +CONFIG_UDK_BASE=y +CONFIG_UDK_2017_BINDING=y +CONFIG_UDK_2013_VERSION=2013 +CONFIG_UDK_2017_VERSION=2017 +CONFIG_UDK_202005_VERSION=202005 +CONFIG_UDK_202111_VERSION=202111 +CONFIG_UDK_202302_VERSION=202302 +CONFIG_UDK_202305_VERSION=202305 +CONFIG_UDK_VERSION=2017 +CONFIG_ARCH_X86=y +CONFIG_ARCH_BOOTBLOCK_X86_32=y +CONFIG_ARCH_VERSTAGE_X86_32=y +CONFIG_ARCH_ROMSTAGE_X86_32=y +CONFIG_ARCH_POSTCAR_X86_32=y +CONFIG_ARCH_RAMSTAGE_X86_32=y +CONFIG_ARCH_ALL_STAGES_X86_32=y +CONFIG_RESERVED_PHYSICAL_ADDRESS_BITS_SUPPORT=y +CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y +CONFIG_POSTRAM_CBFS_CACHE_IN_BSS=y +CONFIG_RAMSTAGE_CBFS_CACHE_SIZE=0x4000 +CONFIG_PC80_SYSTEM=y +CONFIG_POSTCAR_STAGE=y +CONFIG_BOOTBLOCK_SIMPLE=y +# CONFIG_BOOTBLOCK_NORMAL is not set +CONFIG_COLLECT_TIMESTAMPS_TSC=y +CONFIG_HAVE_CF9_RESET=y +CONFIG_DEBUG_HW_BREAKPOINTS=y +CONFIG_DEBUG_NULL_DEREF_BREAKPOINTS=y +# CONFIG_DUMP_SMBIOS_TYPE17 is not set +CONFIG_X86_BOOTBLOCK_EXTRA_PROGRAM_SZ=0 +CONFIG_DEFAULT_EBDA_LOWMEM=0x100000 +CONFIG_DEFAULT_EBDA_SEGMENT=0xF600 +CONFIG_DEFAULT_EBDA_SIZE=0x400 +# end of Chipset + +# +# Devices +# +CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y +CONFIG_HAVE_LINEAR_FRAMEBUFFER=y +CONFIG_HAVE_FSP_GOP=y +CONFIG_MAINBOARD_HAS_LIBGFXINIT=y +CONFIG_MAINBOARD_USE_LIBGFXINIT=y +# CONFIG_VGA_ROM_RUN is not set +# CONFIG_RUN_FSP_GOP is not set +# CONFIG_NO_GFX_INIT is not set +CONFIG_NO_EARLY_GFX_INIT=y + +# +# Display +# +# CONFIG_VGA_TEXT_FRAMEBUFFER is not set +CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +CONFIG_LINEAR_FRAMEBUFFER=y +CONFIG_BOOTSPLASH=y +CONFIG_DEFAULT_SCREEN_ROTATION_NONE=y +# CONFIG_DEFAULT_SCREEN_ROTATION_90 is not set +# CONFIG_DEFAULT_SCREEN_ROTATION_180 is not set +# CONFIG_DEFAULT_SCREEN_ROTATION_270 is not set +CONFIG_DEFAULT_SCREEN_ROTATION_INT=0 +# end of Display + +CONFIG_PCI=y +CONFIG_ECAM_MMCONF_SUPPORT=y +CONFIG_PCIX_PLUGIN_SUPPORT=y +CONFIG_AZALIA_HDA_CODEC_SUPPORT=y +CONFIG_PCIEXP_PLUGIN_SUPPORT=y +CONFIG_ECAM_MMCONF_LENGTH=0x10000000 +CONFIG_PCI_ALLOW_BUS_MASTER=y +CONFIG_PCI_SET_BUS_MASTER_PCI_BRIDGES=y +CONFIG_PCI_ALLOW_BUS_MASTER_ANY_DEVICE=y +# CONFIG_PCIEXP_SUPPORT_RESIZABLE_BARS is not set +# CONFIG_PCIEXP_LANE_ERR_STAT_CLEAR is not set +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM_ABOVE_4G=y +# CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM_BELOW_4G is not set +CONFIG_PCIEXP_HOTPLUG_IO=0x800 +# CONFIG_EARLY_PCI_BRIDGE is not set +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_INTEL_GMA_HAVE_VBT=y +CONFIG_INTEL_GMA_ADD_VBT=y +# CONFIG_SOFTWARE_I2C is not set +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_RESOURCE_ALLOCATION_TOP_DOWN=y +# end of Devices + +# +# Generic Drivers +# +CONFIG_CRB_TPM_BASE_ADDRESS=0xfed40000 +# CONFIG_DRIVERS_EFI_VARIABLE_STORE is not set +# CONFIG_DRIVERS_EFI_FW_INFO is not set +# CONFIG_ELOG is not set +CONFIG_CACHE_MRC_SETTINGS=y +CONFIG_MRC_SETTINGS_PROTECT=y +# CONFIG_DRIVERS_OPTION_CFR is not set +# CONFIG_SMMSTORE is not set +CONFIG_SPI_FLASH=y +CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y +CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y +CONFIG_SPI_FLASH_SMM=y +# CONFIG_SPI_FLASH_NO_FAST_READ is not set +CONFIG_TPM_INIT_RAMSTAGE=y +# CONFIG_TPM_PPI is not set +CONFIG_DRIVERS_UART=y +# CONFIG_DRIVERS_UART_OXPCIE is not set +# CONFIG_VPD is not set +# CONFIG_DRIVERS_GENERIC_CBFS_SERIAL is not set +# CONFIG_DRIVERS_GENERIC_CBFS_UUID is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9750 is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9755 is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9763E is not set +CONFIG_DRIVERS_I2C_DESIGNWARE=y +# CONFIG_DRIVERS_I2C_MAX98396 is not set +CONFIG_FSP_USE_REPO=y +# CONFIG_DISPLAY_HOBS is not set +# CONFIG_DISPLAY_UPD_DATA is not set +# CONFIG_BMP_LOGO is not set +CONFIG_PLATFORM_USES_FSP2_0=y +CONFIG_PLATFORM_USES_FSP2_X86_32=y +CONFIG_HAVE_INTEL_FSP_REPO=y +CONFIG_ADD_FSP_BINARIES=y +CONFIG_FSP_S_CBFS="fsps.bin" +CONFIG_FSP_M_CBFS="fspm.bin" +CONFIG_FSP_FULL_FD=y +CONFIG_FSP_T_RESERVED_SIZE=0x0 +CONFIG_FSP_M_XIP=y +CONFIG_HAVE_FSP_LOGO_SUPPORT=y +CONFIG_FSP_COMPRESS_FSP_S_LZ4=y +CONFIG_SOC_INTEL_COMMON_FSP_RESET=y +CONFIG_USE_FSP_NOTIFY_PHASE_POST_PCI_ENUM=y +CONFIG_USE_FSP_NOTIFY_PHASE_READY_TO_BOOT=y +CONFIG_USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE=y +# CONFIG_DISPLAY_FSP_TIMESTAMPS is not set +# CONFIG_BUILDING_WITH_DEBUG_FSP is not set +CONFIG_INTEL_INT15=y +CONFIG_INTEL_GMA_ACPI=y +CONFIG_VBT_CBFS_COMPRESSION_LZMA=y +# CONFIG_VBT_CBFS_COMPRESSION_LZ4 is not set +# CONFIG_VBT_CBFS_COMPRESSION_NONE is not set +CONFIG_VBT_CBFS_COMPRESSION_ALGORITHM="lzma" +CONFIG_GFX_GMA=y +CONFIG_GFX_GMA_DYN_CPU=y +CONFIG_GFX_GMA_GENERATION="Skylake" +CONFIG_GFX_GMA_PCH="Sunrise_Point" +CONFIG_GFX_GMA_PANEL_2_PORT="Disabled" +CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC" +# CONFIG_DRIVERS_NXP_UWB_SR1XX is not set +# CONFIG_DRIVERS_PS2_KEYBOARD is not set +CONFIG_DRIVERS_MC146818=y +CONFIG_USE_PC_CMOS_ALTCENTURY=y +CONFIG_PC_CMOS_BASE_PORT_BANK0=0x70 +CONFIG_MEMORY_MAPPED_TPM=y +CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000 +# CONFIG_DRIVERS_SIL_3114 is not set +CONFIG_DRIVERS_USB_ACPI=y +CONFIG_DRIVERS_WIFI_GENERIC=y +CONFIG_DRIVERS_MTK_WIFI=y +# end of Generic Drivers + +# +# Security +# + +# +# CBFS verification +# +# CONFIG_CBFS_VERIFICATION is not set +# end of CBFS verification + +# +# Verified Boot (vboot) +# +CONFIG_VBOOT_LIB=y +# end of Verified Boot (vboot) + +# +# Trusted Platform Module +# +# CONFIG_TPM1 is not set +CONFIG_TPM2=y +CONFIG_TPM=y +CONFIG_MAINBOARD_HAS_TPM2=y +# CONFIG_DEBUG_TPM is not set +# CONFIG_TPM_LOG_CB is not set +CONFIG_TPM_LOG_TPM2=y +# CONFIG_TPM_HASH_SHA1 is not set +CONFIG_TPM_HASH_SHA256=y +# CONFIG_TPM_HASH_SHA384 is not set +# CONFIG_TPM_HASH_SHA512 is not set +CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA="" +CONFIG_PCR_BOOT_MODE=1 +CONFIG_PCR_HWID=1 +CONFIG_PCR_SRTM=2 +CONFIG_PCR_FW_VER=10 +CONFIG_PCR_RUNTIME_DATA=3 +# end of Trusted Platform Module + +# +# Memory initialization +# +CONFIG_PLATFORM_HAS_DRAM_CLEAR=y +# CONFIG_SECURITY_CLEAR_DRAM_ON_REGULAR_BOOT is not set +# end of Memory initialization + +# CONFIG_INTEL_TXT is not set +# CONFIG_STM is not set +# CONFIG_INTEL_CBNT_SUPPORT is not set +# CONFIG_BOOTMEDIA_LOCK_NONE is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +# CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set +# CONFIG_BOOTMEDIA_SMM_BWP is not set +# end of Security + +CONFIG_ACPI_HAVE_PCAT_8259=y +CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y +CONFIG_ACPI_SOC_NVS=y +CONFIG_ACPI_CUSTOM_MADT=y +CONFIG_ACPI_NO_CUSTOM_MADT=y +CONFIG_ACPI_COMMON_MADT_LAPIC=y +CONFIG_ACPI_COMMON_MADT_IOAPIC=y +CONFIG_HAVE_ACPI_TABLES=y +CONFIG_ACPI_LPIT=y +CONFIG_BOOT_DEVICE_SPI_FLASH=y +CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y +CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y +CONFIG_RTC=y + +# +# Console +# +CONFIG_BOOTBLOCK_CONSOLE=y +CONFIG_POSTCAR_CONSOLE=y +CONFIG_SQUELCH_EARLY_SMP=y +# CONFIG_SPKMODEM is not set +# CONFIG_CONSOLE_NE2K is not set +CONFIG_CONSOLE_CBMEM=y +# CONFIG_CONSOLE_CBMEM_DUMP_TO_UART is not set +# CONFIG_CONSOLE_SPI_FLASH is not set +# CONFIG_CONSOLE_I2C_SMBUS is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8 is not set +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_7=y +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_4 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_3 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_2 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_1 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0 is not set +CONFIG_DEFAULT_CONSOLE_LOGLEVEL=7 +CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX=y +CONFIG_CONSOLE_USE_ANSI_ESCAPES=y +CONFIG_HWBASE_DEBUG_CB=y +# end of Console + +CONFIG_ACPI_S1_NOT_SUPPORTED=y +CONFIG_HAVE_ACPI_RESUME=y +CONFIG_RESUME_PATH_SAME_AS_BOOT=y +CONFIG_HAVE_MONOTONIC_TIMER=y +CONFIG_IOAPIC=y +CONFIG_ACPI_NHLT=y + +# +# System tables +# +CONFIG_GENERATE_SMBIOS_TABLES=y +CONFIG_BIOS_VENDOR="coreboot" +CONFIG_MAINBOARD_SERIAL_NUMBER="123456789" +# end of System tables + +# +# Payload +# +# CONFIG_PAYLOAD_NONE is not set +# CONFIG_PAYLOAD_ELF is not set +# CONFIG_PAYLOAD_FLAT_BINARY is not set +# CONFIG_PAYLOAD_BOOTBOOT is not set +# CONFIG_PAYLOAD_FILO is not set +# CONFIG_PAYLOAD_GRUB2 is not set +# CONFIG_PAYLOAD_SEAGRUB is not set +# CONFIG_PAYLOAD_LINUXBOOT is not set +# CONFIG_PAYLOAD_SEABIOS is not set +# CONFIG_PAYLOAD_UBOOT is not set +# CONFIG_PAYLOAD_EDK2 is not set +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" +# CONFIG_PXE is not set +CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" +CONFIG_COMPRESS_SECONDARY_PAYLOAD=y + +# +# Secondary Payloads +# +# CONFIG_COREINFO_SECONDARY_PAYLOAD is not set +# CONFIG_GRUB2_SECONDARY_PAYLOAD is not set +# CONFIG_MEMTEST_SECONDARY_PAYLOAD is not set +# CONFIG_SEABIOS_SECONDARY_PAYLOAD is not set +# CONFIG_TINT_SECONDARY_PAYLOAD is not set +# CONFIG_COREDOOM_SECONDARY_PAYLOAD is not set +# end of Secondary Payloads +# end of Payload + +# +# Debugging +# + +# +# CPU Debug Settings +# +# CONFIG_DISPLAY_MTRRS is not set + +# +# Vendorcode Debug Settings +# + +# +# BLOB Debug Settings +# +# CONFIG_DISPLAY_FSP_CALLS_AND_STATUS is not set +# CONFIG_DISPLAY_FSP_HEADER is not set +# CONFIG_VERIFY_HOBS is not set +# CONFIG_DISPLAY_FSP_VERSION_INFO is not set +CONFIG_HAVE_GPIO_SNAPSHOT_VERIFY_SUPPORT=y +# CONFIG_CHECK_GPIO_CONFIG_CHANGES is not set + +# +# General Debug Settings +# +# CONFIG_GDB_STUB is not set +CONFIG_HAVE_DEBUG_GPIO=y +# CONFIG_DEBUG_GPIO is not set +# CONFIG_DEBUG_CBFS is not set +CONFIG_HAVE_DEBUG_SMBUS=y +# CONFIG_DEBUG_SMBUS is not set +# CONFIG_DEBUG_MALLOC is not set +# CONFIG_DEBUG_CONSOLE_INIT is not set +# CONFIG_DEBUG_SPI_FLASH is not set +# CONFIG_DEBUG_BOOT_STATE is not set +# CONFIG_DEBUG_ADA_CODE is not set +CONFIG_HAVE_EM100_SUPPORT=y +# CONFIG_EM100 is not set +# CONFIG_DEBUG_ACPICA_COMPATIBLE is not set +# end of Debugging + +CONFIG_RAMSTAGE_ADA=y +CONFIG_RAMSTAGE_LIBHWBASE=y +CONFIG_SPD_READ_BY_WORD=y +CONFIG_HWBASE_DYNAMIC_MMIO=y +CONFIG_HWBASE_DEFAULT_MMCONF=0xe0000000 +CONFIG_HWBASE_DIRECT_PCIDEV=y +CONFIG_DECOMPRESS_OFAST=y +CONFIG_WARNINGS_ARE_ERRORS=y +CONFIG_MAX_REBOOT_CNT=3 +CONFIG_RELOCATABLE_MODULES=y +CONFIG_GENERIC_GPIO_LIB=y +CONFIG_HAVE_BOOTBLOCK=y +CONFIG_HAVE_ROMSTAGE=y +CONFIG_HAVE_RAMSTAGE=y diff --git a/targets/xx80_me_blobs.mk b/targets/t480_me_blobs.mk similarity index 70% rename from targets/xx80_me_blobs.mk rename to targets/t480_me_blobs.mk index ebc32bd40..d339b0f18 100644 --- a/targets/xx80_me_blobs.mk +++ b/targets/t480_me_blobs.mk @@ -11,11 +11,11 @@ # Make the Coreboot build depend on the following 3rd party blobs: $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ - $(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD)/tb.bin + $(pwd)/blobs/xx80/t480_me.bin $(pwd)/blobs/xx80/t480_tb.bin $(build)/$(BOARD)/t480_tb.bin -$(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin &: - $(pwd)/blobs/xx80/download_clean_deguard_me_pad_tb.sh \ +$(pwd)/blobs/xx80/t480_me.bin $(pwd)/blobs/xx80/t480_tb.bin &: + $(pwd)/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh \ -m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80 -$(build)/$(BOARD)/tb.bin: $(pwd)/blobs/xx80/tb.bin - cp $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD) +$(build)/$(BOARD)/t480_tb.bin: $(pwd)/blobs/xx80/t480_tb.bin + cp $(pwd)/blobs/xx80/t480_tb.bin $(build)/$(BOARD) diff --git a/targets/t480s_me_blobs.mk b/targets/t480s_me_blobs.mk new file mode 100644 index 000000000..a41bde991 --- /dev/null +++ b/targets/t480s_me_blobs.mk @@ -0,0 +1,21 @@ +# Targets for downloading xx80 ME blob, neutering it and deactivating ME. +# This also uses the deguard tool to bypass Intel Boot Guard exploiting CVE-2017-5705. +# See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html + +# xx80-*-maximized boards require of you initially call one of the +# following to have gbe.bin ifd.bin and me.bin +# - blobs/xx80/download_clean_me_and_deguard.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce +# reduced IFD ME region and expanded BIOS IFD region. +# Also creates the tb.bin blob to flash the Thunderbolt SPI. + +# Make the Coreboot build depend on the following 3rd party blobs: +$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ + $(pwd)/blobs/xx80/t480s_me.bin $(pwd)/blobs/xx80/t480s_tb.bin $(build)/$(BOARD)/t480s_tb.bin + +$(pwd)/blobs/xx80/t480s_me.bin $(pwd)/blobs/xx80/t480s_tb.bin &: + $(pwd)/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh \ + -m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80 + +$(build)/$(BOARD)/t480s_tb.bin: $(pwd)/blobs/xx80/t480s_tb.bin + cp $(pwd)/blobs/xx80/t480s_tb.bin $(build)/$(BOARD)