OEM reownership required changes for QubesOS certification of the X230

.gitlab-ci.yml

@@ -0,0 +1,26 @@
+image: insurgotech/fedora-29_heads-ci
+
+stages:
+  - build
+
+build:
+  stage: build
+  cache:
+    paths:
+      - ./
+    key: "$CI_COMMIT_REF_SLUG"
+  script:
+    - git fetch origin 
+    - git reset --hard origin/$CI_COMMIT_REF_NAME
+    - make BOARD=x230-flash
+    - make BOARD=x230-libremkey
+    - echo "x230-flash hashes:"
+    - cat ./build/x230-flash/hashes.txt
+    - echo "x230 hashes:"
+    - cat ./build/x230-libremkey/hashes.txt
+  artifacts:
+    paths:
+      - ./build/x230-flash/x230-flash.rom
+      - ./build/x230-flash/hashes.txt
+      - ./build/x230-libremkey/coreboot.rom
+      - ./build/x230-libremkey/hashes.txt

boards/librem13v2/librem13v2.config

@@ -25,6 +25,8 @@ CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=n
+
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n

boards/librem13v4/librem13v4.config

@@ -25,6 +25,8 @@ CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=n
+
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n

boards/librem15v4/librem15v4.config

@@ -27,6 +27,8 @@ CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=n
+
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n

boards/x220/x220.config

@@ -20,8 +20,10 @@ CONFIG_DROPBEAR=y
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 
-export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=y
+
+export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"

boards/x230-libremkey/x230-libremkey.config

@@ -0,0 +1,50 @@
+# Configuration for a x230 with Librem Key, running Qubes and other OSes
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-libremkey.config
+CONFIG_LINUX_CONFIG=config/linux-x230-libremkey.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+export CONFIG_LINUX_SDHCI=y
+
+export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE=""
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.

boards/x230/x230.config

@@ -17,18 +17,24 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_DROPBEAR=y
 
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
+#CONFIG_LIBREMKEY=y
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+export CONFIG_LINUX_SDHCI=y
 
 export CONFIG_TPM=y
+export CONFIG_OFFER_TPM_LUKS_DISK_UNLOCK_KEY=y
+
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"

config/busybox.config

@@ -280,7 +280,7 @@ CONFIG_RM=y
 CONFIG_RMDIR=y
 CONFIG_SEQ=y
 CONFIG_SHRED=y
-# CONFIG_SHUF is not set
+CONFIG_SHUF=y
 CONFIG_SLEEP=y
 CONFIG_FEATURE_FANCY_SLEEP=y
 CONFIG_FEATURE_FLOAT_SLEEP=y
@@ -350,7 +350,7 @@ CONFIG_FEATURE_HUMAN_READABLE=y
 # Console Utilities
 #
 # CONFIG_CHVT is not set
-# CONFIG_CLEAR is not set
+CONFIG_CLEAR=y
 # CONFIG_DEALLOCVT is not set
 # CONFIG_DUMPKMAP is not set
 # CONFIG_FGCONSOLE is not set

config/coreboot-x230-libremkey.config

@@ -0,0 +1,24 @@
+CONFIG_LOCALVERSION="heads"
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x700000
+# CONFIG_POST_IO is not set
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-libremkey/bzImage"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/x230-libremkey/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y

config/coreboot-x230.config

@@ -19,6 +19,6 @@ CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/x230/bzImage"
 CONFIG_PAYLOAD_OPTIONS=""
 # CONFIG_PXE is not set
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/x230/initrd.cpio.xz"
 CONFIG_DEBUG_SMM_RELOCATION=y