Add p8z77-m_pro board

.circleci/config.yml

@@ -47,7 +47,7 @@ jobs:
           command: |
             ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime 
             apt update
-            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo
+            apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo unzip
       - checkout
 
       - run:
@@ -97,6 +97,11 @@ jobs:
           command: |
             ./blobs/xx30/download_clean_me.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
 
+      - run:
+          name: Download and neuter p8z77-m_pro ME
+          command: |
+            ./blobs/p8z77-m_pro/download_BIOS_clean.sh
+
       - run:
           name: Download and extract t530 vbios roms for dgpu boards
           command: |
@@ -519,6 +524,22 @@ workflows:
           requires:
             - librem_14
 
+      - build:
+          name: p8z77-m_pro-tpm1-maximized
+          target: p8z77-m_pro-tpm1-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
+      - build:
+          name: p8z77-m_pro-tpm1-hotp-maximized
+          target: p8z77-m_pro-tpm1-hotp-maximized
+          subcommand: ""
+          requires:
+            - librem_14
+
+
+
 #      - build:
 #          name: kgpe-d16_workstation-usb_keyboard
 #          target: kgpe-d16_workstation-usb_keyboard

blobs/p8z77-m_pro/download_BIOS_clean.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# P7 ASUS
+
+function printusage {
+  echo "Usage: $0 -m <me_cleaner>(optional)"
+}
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [ "$#" -eq 0 ]; then printusage; fi
+
+while getopts ":m:i:" opt; do
+  case $opt in
+    m)
+      if [ -x "$OPTARG" ]; then
+        MECLEAN="$OPTARG"
+      fi
+      ;;
+    i)
+      if [ -x "$OPTARG" ]; then
+        IFDTOOL="$OPTARG"
+      fi
+      ;;
+  esac
+
+done
+
+if [ -z "$MECLEAN" ]; then
+  MECLEAN=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
+  if [ -z "$MECLEAN" ]; then
+    echo "me_cleaner.py required but not found or specified with -m. Aborting."
+    exit 1;
+  fi
+fi
+
+if [ -z "$IFDTOOL" ]; then
+  IFDTOOL=`command -v $BLOBDIR/../../build/x86/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1`
+  if [ -z "$IFDTOOL" ]; then
+    echo "ifdtool required but not found or specified with -i. Aborting."
+    exit 1;
+  fi
+fi
+
+CAP_ZIP_SHA256SUM="9ea900eccd4a649237b000f1a34beb73cd92fb203d9639d8b7d22ef2a030d360  P8Z77-V-PRO-ASUS-2104.zip"
+CAP_FILE_SHA256SUM="7cf39a893cd6af774e3623a6b80c3e8f8989934b384eff28aba4726e80faa962  P8Z77-V-PRO-ASUS-2104.CAP"
+FINAL_IFD_SHA256SUM="dea50bf6577a0b36db54a62890c939d9c1a942eaf93c4479e00a9a2e48b8bf5d flashregion_0_flashdescriptor.bin"
+FINAL_ME_SHA256SUM="8dda1e8360fbb2da05bfcd187f6e7b8a272a67d66bc0074bbfd1410eb35e3e17 $BLOBDIR/me.bin"
+FINAL_GBE_SHA256SUM="fca4deb13633712113e1824bfd5afa32f487ca7129ca012fecf5d7502ec1d5ba  flashregion_3_gbe.bin"
+ZIPURL="https://dlcdnets.asus.com/pub/ASUS/mb/LGA1155/P8Z77-V_PRO/P8Z77-V-PRO-ASUS-2104.zip"
+
+ZIPFILENAME=`echo $ZIPURL | sed 's/.*\///'`
+ROMFILENAME=`echo $ZIPFILENAME | sed 's/\.zip$/\.ROM/'`
+
+extractdir=$(mktemp -d)
+echo "### Creating temp dir $extractdir "
+cd "$extractdir"
+
+/bin/cat <<EOF > layout.txt
+00000000:00000fff fd
+0001b000:007fffff bios
+00003000:0001afff me
+00001000:00002fff gb
+EOF
+
+
+echo "### Downloading $ZIPURL"
+wget $ZIPURL || { echo "ERROR: wget failed $ZIPURL" && exit 1; }
+echo "### Verifying expected hash of $ZIPFILENAME"
+echo "$CAP_ZIP_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on downloaded binary..." && exit 1; }
+
+echo "### Extracting Archives"
+unzip $ZIPFILENAME || { echo "Failed unzipping $ZIPFILENAME - Tool installed on host?" && exit 1;}
+
+echo "### Verifying expected hash of $ROMFILENAME"
+echo "$CAP_FILE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on extracted binary..." && exit 1; }
+
+echo "### extracing BIOS from Capsule"
+dd bs=1024 skip=2 if=P8Z77-V-PRO-ASUS-2104.CAP of=P8Z77-V-PRO-ASUS-2104.ROM || { echo "Failed to de-cap the ROM..." && exit 1; }
+
+echo "### Stock variant AltME & ME Cleaner"
+$IFDTOOL -M 1 $ROMFILENAME
+echo "### extract stock ME"
+$IFDTOOL -x $ROMFILENAME.new
+
+echo "### Applying me_cleaner to neuter and truncate. EFFS,FCRS whitelisted"
+$MECLEAN -r -t -O "$BLOBDIR/me.bin" flashregion_2_intel_me.bin
+
+echo "### Verifying expected hash of me.bin"
+echo "$FINAL_ME_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on final binary..." && exit 1; }
+rm flashregion*.bin
+echo "### Resizing ..."
+$IFDTOOL -D 8 $ROMFILENAME.new || { echo "Failed density resize " && exit 1;}
+$IFDTOOL --newlayout layout.txt $ROMFILENAME.new.new || { echo "Failed new layout ..." && exit 1;}
+echo "### Extracting final IFD"
+$IFDTOOL -x $ROMFILENAME.new.new.new || { echo "Failed ifdtool. Tool installed on host?" && exit 1;}
+
+printf '\x00' | dd of=flashregion_0_flashdescriptor.bin bs=1 seek=3837 count=1 conv=notrunc
+printf '\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF' | dd of=flashregion_0_flashdescriptor.bin bs=1 seek=3568 count=32 conv=notrunc
+
+echo "### Verifying expected hash of IFD"
+echo "$FINAL_IFD_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on factory IFD bin..." && exit 1; }
+cp flashregion_0_flashdescriptor.bin $BLOBDIR/ifd.bin || { echo "Failed to copy IFD ..." && exit 1; }
+echo "$FINAL_GBE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification on factory IFD bin..." && exit 1; }
+cp flashregion_3_gbe.bin $BLOBDIR/gbe.bin || { echo "Failed to copy GBE ..." && exit 1; }
+
+
+echo "###Cleaning up..."
+cd -
+rm -r "$extractdir"

boards/p8z77-m_pro-tpm1-hotp-maximized/p8z77-m_pro-tpm1-hotp-maximized.config

@@ -0,0 +1,67 @@
+# Configuration for Asus P8Z77-M Pro
+#This board is a better choice over the P8H61 for a cost effective Heads + QubesOS desktop with #ME neuter+disable compatibility. The P8H61 ecosystem was complex with multiple variants 
+#(some not even having a TPM header, and others having RamInit issues with some memory sticks), #while less feature rich than the P8Z77 family. The P8H61s that were compatible still required 
+#some ME #sections (FCRS,EFFS) to be whitelisted in order to post, which introduced unknowns. 
+#The P8H61s #also needed a larger flash chip to work with heads than the manufacturer supplied 
+#4M, which add#ed complexity for the average user.
+#
+#The P8Z77-M Pro is able to offer more SATA connectors (2x 6Gb, 4x 3Gb, 2x eSATA) as well as 
+#more full size expansion ports. The board has a PS/2 keyboard port as recommended for QubesOS. #The board comes with 8M flash chip as standard.
+#
+#The i7-3770 is the best CPU available for the board, with VT-x & VT-d both present
+
+#ME & ROM
+#The board supports Intel LGA1155, which allow for ME removal (both neuter+disable work), ME 
+#region resize/shrinking (aka 'maximized' board), as well as VSCC table modification..
+#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary 
+#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC 
+#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download 
+#script also resizes the rom layout and minimizes ME while maximizing space.
+#The P8Z77-M Pro comes as standard with an 8Mb Flash chip, which means that no modification is 
+#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by 
+#default, leaving just 335396 bytes available.
+#The P8Z77-M Pro has both TPM1 and TPM2 modules available, though at time of writing only the 
+#TPM1 module would be usable with heads until the TPM2 work is completed. All testing was done 
+#with a TPM1 module
+#
+#Test platform
+#BOARD: Asus P8Z77-M Pro
+#RAM: 32Gb - 4x TimeTec DDRL3 75TT16NUL2R8-8G
+#CPU: Intel i7 3770
+#TPM: Modules tested: Asus branded TPM 1.02H & Foxconn TPM Krypton Rev 1.0
+
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-p8z77-m_pro-tpm1.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off nohz=off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="P8Z77-M PRO"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_AUTO_BOOT_TIMEOUT=5

boards/p8z77-m_pro-tpm1-maximized/p8z77-m_pro-tpm1-maximized.config

@@ -0,0 +1,66 @@
+# Configuration for Asus P8Z77-M Pro
+#This board is a better choice over the P8H61 for a cost effective Heads + QubesOS desktop with #ME neuter+disable compatibility. The P8H61 ecosystem was complex with multiple variants 
+#(some not even having a TPM header, and others having RamInit issues with some memory sticks), #while less feature rich than the P8Z77 family. The P8H61s that were compatible still required 
+#some ME #sections (FCRS,EFFS) to be whitelisted in order to post, which introduced unknowns. 
+#The P8H61s #also needed a larger flash chip to work with heads than the manufacturer supplied 
+#4M, which add#ed complexity for the average user.
+#
+#The P8Z77-M Pro is able to offer more SATA connectors (2x 6Gb, 4x 3Gb, 2x eSATA) as well as 
+#more full size expansion ports. The board has a PS/2 keyboard port as recommended for QubesOS. #The board comes with 8M flash chip as standard.
+#
+#The i7-3770 is the best CPU available for the board, with VT-x & VT-d both present
+
+#ME & ROM
+#The board supports Intel LGA1155, which allow for ME removal (both neuter+disable work), ME 
+#region resize/shrinking (aka 'maximized' board), as well as VSCC table modification..
+#The blob download script uses the manufacturer supplied ME and IFD and performs the necessary 
+#hashing. The download script also removes the VSCC table by overwriting a NULL at the VSCC 
+#length table and FF bytes at the VSCC identifier table - using a printf with dd. The download 
+#script also resizes the rom layout and minimizes ME while maximizing space.
+#The P8Z77-M Pro comes as standard with an 8Mb Flash chip, which means that no modification is 
+#needed to replace the chip is order to use heads as we shrink ME and 'maximize' this board by 
+#default, leaving just 335396 bytes available.
+#The P8Z77-M Pro has both TPM1 and TPM2 modules available, though at time of writing only the 
+#TPM1 module would be usable with heads until the TPM2 work is completed. All testing was done 
+#with a TPM1 module
+#
+#Test platform
+#BOARD: Asus P8Z77-M Pro
+#RAM: 32Gb - 4x TimeTec DDRL3 75TT16NUL2R8-8G
+#CPU: Intel i7 3770
+#TPM: Modules tested: Asus branded TPM 1.02H & Foxconn TPM Krypton Rev 1.0
+
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-p8z77-m_pro-tpm1.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off nohz=off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="P8Z77-M PRO"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_AUTO_BOOT_TIMEOUT=5

config/coreboot-p8z77-m_pro-tpm1.config

@@ -0,0 +1,19 @@
+CONFIG_USE_BLOBS=y
+CONFIG_VENDOR_ASUS=y
+CONFIG_CBFS_SIZE=0x7E5000
+CONFIG_BOARD_ASUS_P8Z77_M_PRO=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/p8z77-m_pro/gbe.bin"
+CONFIG_NO_GFX_INIT=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_TPM1=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on intel_iommu=igfx_off nohz=off"