forked from linuxboot/heads
Without TPM or HOTP support. Basically usable to boot Tails from a USB SD card adapter, with the SD card set in read-only mode. Based on past work https://github.com/tlaurion/heads/tree/x200_readd

Adds:
- gbe.bin in tree (generated with bincfg)
- unlocked ifd.bin in tree (generated by bincfg and unlocked with ifdtool)
- extract.sh script (which extracts gbe.bin from backup with ifdtool and replaces gbe.bin in tree)

Fixes linuxboot#878
Showing 9 changed files with 510 additions and 0 deletions.
@@ -0,0 +1,35 @@ | ||
Coreboot supports generating modified ifd and gbe out of the box. | ||
To replicate the blobs in this directory (based on coreboot 4.8.1 but simply replace version in paths): | ||
|
||
make BOARDS=x200 | ||
|
||
This will create the ROM. | ||
|
||
Then (considering you git clone heads under ~) | ||
|
||
#To generate GBE and IFD | ||
cd ~/heads/build/coreboot-4.8.1/util/bincfg | ||
make gen-gbe-ich9m | ||
make gen-ifd-x200 | ||
mv flashregion_0_fd.bin ../../../../blobs/xxx0/ifd.bin | ||
mv flashregion_3_gbe.bin ../../../../blobs/xxx0/gbe.bin | ||
|
||
#To unlock IFD, permitting to reflash whole flash internally | ||
cd ~/heads/build/coreboot-4.8.1/util/ifdtool | ||
make | ||
cd ~/heads/blobs/xxx0/ | ||
~/heads/build/coreboot-4.8.1/util/ifdtool/ifdtool -u ifd.bin | ||
mv ifd.bin.new ifd.bin | ||
|
||
sha256sum -c hashes.txt | ||
|
||
should output: | ||
gbe.bin: OK | ||
ifd.bin: OK | ||
|
||
DISCLAIMER: Considering neither gbe.bin nor ifd.bin are proprietary blobs (generated from specifications), those blobs are in tree to ease ROM reproducibility. | ||
|
||
Note that MAC address is fixed under gbe-ich9m.spec to DE:AD:C0:FF:EE. | ||
- If you want to keep your MAC, call extract.sh prior of building ROM. | ||
- If you want to fixate your MAC to a custom address, change it under ~/heads/build/coreboot-4.8.1/util/bincfg/gbe-ich9m.spec prior of generating the gbe.bin above | ||
|
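Review bot: the build command at the top, `make BOARDS=x200`, will not build this board. Heads' Makefile selects the board with `BOARD=` (singular), and the coreboot config in this commit places the payload under `build/x200-maximized/`, so the line should be `make BOARD=x200-maximized`. The MAC-address note at the bottom has two problems: bincfg `.spec` files describe the bit layout and the values live in the matching `.set` file, so the file to edit is `util/bincfg/gbe-ich9m.set`, not `gbe-ich9m.spec`; and the address is given as five octets (DE:AD:C0:FF:EE) where the board config in this same commit writes 00:DE:AD:C0:FF:EE. Lastly, the unlock step (`ifdtool -u ifd.bin`, described as "permitting to reflash whole flash internally") deserves a sentence on its cost: a descriptor that lets the host write every region also lets a compromised OS rewrite the firmware, so the README should say what, if anything, protects the flash once this image is installed.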
@@ -0,0 +1,52 @@ | ||
#!/bin/bash | ||
|
||
function printusage { | ||
echo "Usage: $0 -f <romdump> -i <ifdtool>(optional)" | ||
exit 0 | ||
} | ||
|
||
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
||
if [ "$#" -eq 0 ]; then printusage; fi | ||
|
||
while getopts ":f:m:i:" opt; do | ||
case $opt in | ||
f) | ||
FILE="$OPTARG" | ||
;; | ||
i) | ||
if [ -x "$OPTARG" ]; then | ||
IFDTOOL="$OPTARG" | ||
fi | ||
;; | ||
esac | ||
done | ||
|
||
if [ -z "$IFDTOOL" ]; then | ||
IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` | ||
if [ -z "$IFDTOOL" ]; then | ||
echo "ifdtool required but not found or specified with -m. Aborting." | ||
exit 1; | ||
fi | ||
fi | ||
|
||
echo "FILE: $FILE" | ||
echo "IFD: $IFDTOOL" | ||
|
||
bioscopy=$(mktemp) | ||
extractdir=$(mktemp -d) | ||
|
||
echo "###Copying $FILE under $bioscopy" | ||
cp "$FILE" $bioscopy | ||
|
||
cd "$extractdir" | ||
echo "###Unlocking $bioscopy IFD..." | ||
$IFDTOOL -u $bioscopy | ||
echo "###Extracting regions from ROM..." | ||
$IFDTOOL -x $bioscopy.new | ||
echo "###Copying GBE region under $BLOBDIR/gbe.bin..." | ||
cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" | ||
|
||
echo "###Cleaning up..." | ||
rm "$bioscopy" | ||
rm -r "$extractdir" |
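Review bot: the cleanup at the end leaves `$bioscopy.new` behind. `$IFDTOOL -u $bioscopy` writes the unlocked image to `$bioscopy.new`, which is what `-x` then reads, but only `$bioscopy` and `$extractdir` are removed, so a full copy of the user's firmware dump stays in /tmp after every run; add `rm -f "$bioscopy.new"` (and quote `$bioscopy` in the two ifdtool calls). The unlock also looks unnecessary for what this script does: `ifdtool -x` extracts regions from the original dump just as well, so the `-u` step and the `.new` file could go entirely. Separately, `-f` is never validated: with no `-f` or a missing file, `cp "$FILE" $bioscopy` fails and the script carries on through ifdtool and the final `cp` of a non-existent `flashregion_3_gbe.bin`, so add `[ -r "$FILE" ] || { echo "romdump not readable"; exit 1; }` before the copy. Finally the option handling is inconsistent: getopts accepts `:f:m:i:` but there is no `m)` case, the error message says "specified with -m" while usage advertises `-i`, and a non-executable `-i` argument is silently ignored instead of reported.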
Binary file not shown.
@@ -0,0 +1,2 @@ | ||
7917e0f0eb16c895da25d8acf01155e88ca189724c48a14cd1645d0d09f1cf5b gbe.bin | ||
7415548cbe93b5543c6ccbf1b8d9d4f4ef794c4f376e46638a25f84378c19872 ifd.bin |
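Review bot: `gbe.bin` is pinned here to the hash of the bincfg-generated blob carrying the default MAC, yet the README tells users who want to keep their own MAC to run `extract.sh` before building, which overwrites `blobs/xxx0/gbe.bin` with their extracted GbE region. After that step `sha256sum -c hashes.txt` reports `gbe.bin: FAILED`, and nothing says this is expected; either document that the gbe.bin line applies only to the default-MAC blob, or have extract.sh update the hash it invalidates. Note also that the `ifd.bin` hash covers the already-unlocked descriptor (the README runs `ifdtool -u` and then `mv ifd.bin.new ifd.bin`), so a reader cannot tell from this file alone that the locked bincfg output was the starting point; a comment in the README to that effect would help.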
Binary file not shown.
@@ -0,0 +1,62 @@ | ||
# Configuration for a x200 running non-Qubes OSes. | ||
# | ||
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 : | ||
# dropbear support(ssh client/server) | ||
# e1000e (ethernet driver) | ||
# | ||
# Includes (read blobs/xxx0/README) | ||
# - Generated IFD from bincfg | ||
# - Forged 00:DE:AD:C0:FF:EE MAC address | ||
# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/ifd-x200.set | ||
|
||
export CONFIG_COREBOOT=y | ||
export CONFIG_COREBOOT_VERSION=4.8.1 | ||
export CONFIG_LINUX_VERSION=4.14.62 | ||
|
||
CONFIG_COREBOOT_CONFIG=config/coreboot-x200-maximized.config | ||
CONFIG_LINUX_CONFIG=config/linux-x200.config | ||
|
||
CONFIG_CRYPTSETUP=y | ||
CONFIG_FLASHROM=y | ||
CONFIG_FLASHTOOLS=y | ||
CONFIG_GPG2=y | ||
CONFIG_KEXEC=y | ||
CONFIG_UTIL_LINUX=y | ||
CONFIG_LVM2=y | ||
CONFIG_MBEDTLS=y | ||
CONFIG_PCIUTILS=y | ||
|
||
#Remote attestation support | ||
#TPM based requirements | ||
export CONFIG_TPM=n | ||
CONFIG_POPT=y | ||
CONFIG_QRENCODE=y | ||
CONFIG_TPMTOTP=y | ||
#HOTP based remote attestation for supported USB Security dongle | ||
#With/Without TPM support | ||
#CONFIG_HOTPKEY=n | ||
|
||
#Nitrokey Storage admin tool | ||
CONFIG_NKSTORECLI=n | ||
|
||
#GUI Support | ||
#Console based Whiptail support(Console based, no FB): | ||
#CONFIG_SLANG=y | ||
#CONFIG_NEWT=y | ||
#FBWhiptail based (Graphical): | ||
CONFIG_CAIRO=y | ||
CONFIG_FBWHIPTAIL=y | ||
|
||
#Additional tools: | ||
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) | ||
CONFIG_DROPBEAR=y | ||
|
||
export CONFIG_BOOTSCRIPT=/bin/gui-init | ||
export CONFIG_BOOT_REQ_HASH=n | ||
export CONFIG_BOOT_REQ_ROLLBACK=n | ||
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off i915.modeset=1 video=1280x800" | ||
export CONFIG_BOOT_KERNEL_REMOVE="quiet" | ||
export CONFIG_BOOT_DEV="/dev/sda1" | ||
export CONFIG_BOARD_NAME="Thinkpad X200-maximized" | ||
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal" | ||
|
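Review bot: the header comment contradicts the settings below it. It says dropbear (ssh) was deactivated to fit `CONFIG_CBFS_SIZE=0x700000`, yet `CONFIG_DROPBEAR=y` is set further down, and the comment on that very line says it requires the e1000e driver the header says is disabled, so either drop `CONFIG_DROPBEAR=y` or fix the comment. The header also points the MAC-address change at `util/bincfg/ifd-x200.set`; the MAC lives in the GbE blob, not the descriptor, so this should name `gbe-ich9m.set` (the README in this commit says `gbe-ich9m.spec`, which is the layout file rather than the value file, so the two should be brought into agreement). With `export CONFIG_TPM=n`, the `CONFIG_TPMTOTP=y` / `CONFIG_POPT=y` / `CONFIG_QRENCODE=y` block under "Remote attestation support" has nothing to attest with and only spends CBFS space the header says is scarce; please confirm the build needs it, otherwise remove it. Lastly, `CONFIG_BOOT_REQ_HASH=n` and `CONFIG_BOOT_REQ_ROLLBACK=n` combined with no TPM mean this image neither measures nor verifies what it kexecs; the commit message says the intended use is booting read-only Tails media, and a one-line comment here stating that the only integrity guarantee comes from the read-only medium would stop later users from assuming Heads' usual /boot verification is in effect.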
@@ -0,0 +1,15 @@ | ||
CONFIG_ANY_TOOLCHAIN=y | ||
CONFIG_VENDOR_LENOVO=y | ||
CONFIG_CBFS_SIZE=0x700000 | ||
CONFIG_BOARD_LENOVO_X200=y | ||
CONFIG_HAVE_IFD_BIN=y | ||
CONFIG_HAVE_GBE_BIN=y | ||
CONFIG_IFD_BIN_PATH="../../blobs/xxx0/ifd.bin" | ||
CONFIG_GBE_BIN_PATH="../../blobs/xxx0/gbe.bin" | ||
CONFIG_NO_GFX_INIT=y | ||
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 | ||
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y | ||
CONFIG_PAYLOAD_LINUX=y | ||
CONFIG_PAYLOAD_FILE="../../build/x200-maximized/bzImage" | ||
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" | ||
CONFIG_LINUX_INITRD="../../build/x200-maximized/initrd.cpio.xz" |
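Review bot: `CONFIG_CBFS_SIZE=0x700000` only fits an 8 MiB flash part, and nothing in this commit says so. The X200 shipped with both 4 MiB and 8 MiB chips, so the README (or a header comment here) should state the flash size that the in-tree `ifd.bin` layout and this CBFS size assume, since the resulting image cannot be flashed onto a 4 MiB part. Also, `CONFIG_NO_GFX_INIT=y` means coreboot hands over no framebuffer, while the board config enables `CONFIG_FBWHIPTAIL=y` and passes `i915.modeset=1` only to the kexec'd kernel via `CONFIG_BOOT_KERNEL_ADD`; please confirm that `config/linux-x200.config` builds i915 into the Heads kernel, otherwise the graphical menu has nothing to draw on.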