From 5cce937393c651cc2baf6c20972b073bee175dd5 Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Tue, 10 Jan 2023 14:18:37 -0500
Subject: [PATCH 01/19] Add script for obtaining Haswell mrc.bin blob I based this script on the Coreboot docs: https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html. While adding an integrity check to ensure we're obtaining the correct blob. Also, it's worth surfacing that the SHA-1 for the resulting binary is the same SHA that Libreboot uses in their integrity check: https://notabug.org/libreboot/lbmk/src/master/resources/scripts/download/mrc#L95. However, I elected to use SHA-256 for extra paranoia.
---
blobs/haswell/obtain-mrc | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100755 blobs/haswell/obtain-mrc
diff --git a/blobs/haswell/obtain-mrc b/blobs/haswell/obtain-mrc
new file mode 100755
index 000000000..90ef568c4
--- /dev/null
+++ b/blobs/haswell/obtain-mrc
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+ echo -n \
+ "Usage: $(basename "$0")
+Obtain mrc.bin from a Haswell Chromebook firmware image.
+"
+}
+
+MRC_BIN_HASH="d368ba45096a3b5490ed27014e1f9004bc363434ffdce0c368c08a89c4746722"
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+ if [[ "${1:-}" == "--help" ]]; then
+ usage
+ else
+ BLOB_DIR="$(cd "$(dirname "$0")" && pwd)"
+ COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+
+ pushd "${COREBOOT_DIR}"
+
+ # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin
+ make -C util/cbfstool
+ cd util/chromeos
+ ./crosfirmware.sh peppy
+ ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION
+
+ if ! echo "${MRC_BIN_HASH} mrc.bin" | sha256sum --check; then
+ echo "SHA256 checksum for mrc.bin doesn't match."
+ exit 1
+ fi
+
+ popd
+
+ mv "${COREBOOT_DIR}/util/chromeos/mrc.bin" "$(dirname "$0")/mrc.bin"
+ fi
+fi
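Review bot: `COREBOOT_DIR` is taken straight from `find` with no check on the result, so when no `coreboot-*` build directory exists (or more than one does) the script only fails later at `pushd "${COREBOOT_DIR}"` with an unrelated error, and under `set -e` nothing says why. A guard right after the assignment, `[[ -d "${COREBOOT_DIR}" ]] || { echo "ERROR: expected exactly one coreboot-* directory under ${BLOB_DIR}/../../build/x86" >&2; exit 1; }`, makes the precondition explicit. Separately, `echo "SHA256 checksum for mrc.bin doesn't match."` (like the ERROR messages in the `export-blobs` and `download-clean-me` scripts added later in this series) goes to stdout; diagnostics belong on stderr via `>&2`, so a CI wrapper capturing stdout does not swallow them. The `sha256sum --check` is the only integrity control in this script, since `crosfirmware.sh peppy` presumably fetches the Chromebook image without verification, so it is right that the check is unconditional.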
From e3259765692b2f614ae4940bc5ba0f1a8d82490b Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Tue, 10 Jan 2023 14:54:30 -0500
Subject: [PATCH 02/19] Add initial T440p Coreboot defconfig I generated this config by walking through Coreboot's `make menuconfig`. The plan is to pare down verbose defaults and tweak from here.
---
config/coreboot-t440p.config | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 config/coreboot-t440p.config
diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config
new file mode 100644
index 000000000..d0991a82f
--- /dev/null
+++ b/config/coreboot-t440p.config
@@ -0,0 +1,20 @@
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0x100000
+CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
+CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
+CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_HAVE_MRC=y
+CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
+CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
From 96f0c5b0435f41f2513ee1d5a82546ecf7d7e170 Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Tue, 10 Jan 2023 21:29:22 -0500
Subject: [PATCH 03/19] Add script for exporting blobs from original T440p ROM
---
blobs/t440p/export-blobs | 48 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100755 blobs/t440p/export-blobs
diff --git a/blobs/t440p/export-blobs b/blobs/t440p/export-blobs
new file mode 100755
index 000000000..aba59c498
--- /dev/null
+++ b/blobs/t440p/export-blobs
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+ echo -n \
+ "Usage: $(basename "$0") path_to_original_rom
+Extract Intel firmware from the original ROM.
+"
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+ if [[ "${1:-}" == "--help" ]]; then
+ usage
+ else
+ if [[ -n "$1" ]]; then
+ BLOB_DIR="$(cd "$(dirname "$0")" && pwd)"
+ COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+
+ pushd "${COREBOOT_DIR}"
+ cd util/me_cleaner
+
+ # Neutralize and shrink Intel ME.
+ # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+ python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "$1"
+
+ mv ifd_shrinked.bin "${BLOB_DIR}/ifd.bin"
+ mv me_shrinked.bin "${BLOB_DIR}/me.bin"
+ rm ./*.bin
+
+ cd ../ifdtool
+ make
+
+ # Extract the Intel Gigabit Ethernet (GbE) firmware from the
+ # original ROM.
+ ./ifdtool -x "$1"
+
+ mv flashregion_3_gbe.bin "${BLOB_DIR}/gbe.bin"
+ rm ./*.bin
+
+ popd
+
+ else
+ echo "ERROR: You must supply a path to the original ROM."
+ exit 1
+ fi
+ fi
+fi
From f0792117efa177ded19878f652c5a28e8cc62a71 Mon Sep 17 00:00:00 2001
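Review bot: `"$1"` is handed to `me_cleaner.py` and to `./ifdtool -x` only after `pushd "${COREBOOT_DIR}"` and `cd util/me_cleaner`, so a relative ROM path — the natural way to call this script — is resolved against the tool directory and the run fails. Resolving it once before the directory changes, `ROM_PATH="$(realpath -- "$1")"` next to the `BLOB_DIR` assignment, and using `"${ROM_PATH}"` in both tool invocations fixes that; with the path resolved, `[[ -f "${ROM_PATH}" ]]` can replace the `-n "$1"` test so a mistyped path is rejected before `me_cleaner.py` runs. The two `rm ./*.bin` lines also delete any other `.bin` that happens to sit in `util/me_cleaner` or `util/ifdtool`, including a ROM the user copied there; removing only the named outputs (`rm -f -- out.bin ifd_shrinked.bin me_shrinked.bin` and `rm -f -- flashregion_*.bin`) is safer.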
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Tue, 10 Jan 2023 21:29:55 -0500 Subject: [PATCH 04/19] Adjust T440p default Coreboot defconfig options Remove options that haven't deviated from defaults in the Coreboot Kconfig, despite being saved by `make savedefconfig`. Also, add `CONFIG_BOARD_LENOVO_THINKPAD_T440P`, which was missing from the `make savedefconfig` output, causing Heads builds to fail. And finally, bump `CONFIG_CBFS_SIZE` to `0x800000` (8 MiB to bytes to hexadecimal). This value for the CBFS size is arbitrary. Originally, I had totaled the size of all binary blobs, subtracted that from the T440p's ROM size (12 MiB), and used the remaining space as the CBFS size (~11.68 MiB). However, this caused very long RAM initialization times (courtesy of `cbmem -t`). And, an anecdote in https://groups.google.com/a/chromium.org/g/chromium-os-reviews/c/lUqRrGUoEBY/m/ka7L1f2BS8gJ suggested that this value needs to be a power of 2. So, I picked a size I expected our Linux payload to fit into that was a power of 2 that I also expected would leave enough space in the ROM for the IFD, ME, GbE, and Coreboot. Now, it takes less than a second for RAM initialization after flashing/first boot (anecdotally, it seems the MRC needs to be "trained?"). --- config/coreboot-t440p.config | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index d0991a82f..cecad0151 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config 
@@ -1,20 +1,17 @@
# CONFIG_USE_BLOBS is not set
CONFIG_VENDOR_LENOVO=y
CONFIG_NO_POST=y
-CONFIG_CBFS_SIZE=0x100000
+CONFIG_CBFS_SIZE=0x800000
CONFIG_IFD_BIN_PATH="@BLOB_DIR@/t440p/ifd.bin"
CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin"
CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin"
-CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T440P=y
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_HAVE_MRC=y
CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin"
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
-CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
-CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
-CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
From 65be2c5b7ae993f32b9e7645da3a09588997960c Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Tue, 10 Jan 2023 21:35:13 -0500
Subject: [PATCH 05/19] Add Heads config for the T440p (maximized/hotp-maximized)
---
.../t440p-hotp-maximized.config | 6 +++
boards/t440p-maximized/t440p-maximized.config | 49 +++++++++++++++++++
2 files changed, 55 insertions(+)
create mode 100644 boards/t440p-hotp-maximized/t440p-hotp-maximized.config
create mode 100644 boards/t440p-maximized/t440p-maximized.config
diff --git a/boards/t440p-hotp-maximized/t440p-hotp-maximized.config b/boards/t440p-hotp-maximized/t440p-hotp-maximized.config
new file mode 100644
index 000000000..1d48c5cb8
--- /dev/null
+++ b/boards/t440p-hotp-maximized/t440p-hotp-maximized.config
@@ -0,0 +1,6 @@
+# Inherit the rest from the base T440p config.
+include $(pwd)/boards/t440p-maximized/t440p-maximized.config
+
+CONFIG_HOTPKEY=y
+
+export CONFIG_BOARD_NAME="ThinkPad T440p-hotp-maximized"
diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config
new file mode 100644
index 000000000..1c2155b72
--- /dev/null
+++ b/boards/t440p-maximized/t440p-maximized.config
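Review bot: The reason `CONFIG_CBFS_SIZE=0x800000` is a power of two — the commit message describes minutes-long RAM initialization with the ~11.68 MiB value it replaces — exists only in git history, where the next person re-tuning the ROM layout will not see it. A comment line directly above the value, `# Keep this a power of 2: non-power-of-2 sizes made MRC RAM init take minutes (see git log).`, keeps the constraint with the setting; assuming this file is consumed as a Kconfig defconfig, plain `#` lines are ignored.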
@@ -0,0 +1,49 @@
+# Configuration for a ThinkPad T440p.
+CONFIG_COREBOOT_CONFIG=config/coreboot-t440p.config
+# TODO: Make a ThinkPad-common Linux config file.
+CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_LINUX_VERSION=5.10.5
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+# Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
+# for a console-based menu.
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="ThinkPad T440p-maximized"
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+
+all: $(board_build)/$(CB_OUTPUT_FILE)
+ @sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
+ $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+ @sha256sum $@ | tee -a "$(HASHES)"
+
+all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
+ $(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+ @sha256sum $@ | tee -a "$(HASHES)"
From 24d23ff47ce86744cd7e772401361fcc49dba377 Mon Sep 17 00:00:00 2001
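Review bot: The `dd` recipes hard-code the split as `count=128 skip=0` and `count=64 skip=128` at `bs=65536` (8 MiB bottom, 4 MiB top), which is only correct if `$(CB_OUTPUT_FILE)` is exactly 12 MiB — the T440p ROM size the commit 04 message cites — and a larger or smaller image yields a silently truncated or short `top.rom` whose hash is then recorded in `$(HASHES)` as if it were valid. A size check ahead of the first `dd`, `@test "$$(stat -c %s $<)" -eq 12582912 || { echo "ERROR: $< is not 12 MiB" >&2; exit 1; }`, fails the build instead. `export CONFIG_BOOT_REQ_HASH=n` and `export CONFIG_BOOT_REQ_ROLLBACK=n` appear to switch off Heads' boot-hash and rollback enforcement for this board; if that is deliberate for initial bring-up, a one-line comment saying so would keep a later reader from treating it as an oversight.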
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sun, 15 Jan 2023 18:51:27 -0500 Subject: [PATCH 06/19] Add intel_iommu=igfx_off to T440p Coreboot kernel parameters Without this, neither Qubes OS nor the Qubes OS installer would start. Presumably, because we're "kexecing" from an already running kernel, we need this set at the Coreboot level? Testing revealed that including `intel_iommu=igfx_off` in the `CONFIG_BOOT_KERNEL_ADD` board config option did nothing. And, the Qubes OS default boot option already contains `intel_iommu=igfx_off`. See: - https://www.qubes-os.org/doc/installation-troubleshooting/#not-asking-for-vnc-because-we-dont-have-a-network--x-startup-failed-aborting-installation--pane-is-dead-error-during-installation - https://github.com/Qubes-Community/Contents/blob/master/docs/troubleshooting/intel-igfx-troubleshooting.md - https://www.kernel.org/doc/html/v5.10/x86/intel-iommu.html?highlight=igfx_off#graphics-problems --- config/coreboot-t440p.config | 1 + 1 file changed, 1 insertion(+) diff --git a/config/coreboot-t440p.config b/config/coreboot-t440p.config index cecad0151..128125a05 100644 --- a/config/coreboot-t440p.config +++ b/config/coreboot-t440p.config @@ -7,6 +7,7 @@ CONFIG_ME_BIN_PATH="@BLOB_DIR@/t440p/me.bin" CONFIG_GBE_BIN_PATH="@BLOB_DIR@/t440p/gbe.bin" CONFIG_HAVE_IFD_BIN=y CONFIG_BOARD_LENOVO_THINKPAD_T440P=y +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off" CONFIG_TPM_MEASURED_BOOT=y CONFIG_HAVE_MRC=y CONFIG_MRC_FILE="@BLOB_DIR@/haswell/mrc.bin" From c23ed548ff92651657059a7ea62a1db182ddcd68 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:09:09 -0500 Subject: [PATCH 07/19] Clone linux-librem_common.config for T440p --- boards/t440p-maximized/t440p-maximized.config | 2 +- config/linux-t440p.config | 328 ++++++++++++++++++ 2 files changed, 329 insertions(+), 1 deletion(-) create mode 100644 config/linux-t440p.config 
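Review bot: `CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off"` disables DMA remapping for the integrated graphics device, per the kernel document the commit links, so the iGPU is left outside IOMMU protection; the commit message justifies the trade-off but nothing in the config does. A comment above the line, `# igfx_off: Qubes OS and its installer would not start without it (see git log); this exempts the iGPU from IOMMU remapping.`, keeps the reason with the setting. The commit message itself is unsure whether this value reaches the kexec'd OS kernel or only the Heads kernel; the observed effect suggests it propagates, but that is inferred and worth confirming in the comment.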
diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config
index 1c2155b72..092248882 100644
--- a/boards/t440p-maximized/t440p-maximized.config
+++ b/boards/t440p-maximized/t440p-maximized.config
@@ -1,7 +1,7 @@
# Configuration for a ThinkPad T440p.
CONFIG_COREBOOT_CONFIG=config/coreboot-t440p.config
# TODO: Make a ThinkPad-common Linux config file.
-CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+CONFIG_LINUX_CONFIG=config/linux-t440p.config

export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.17
diff --git a/config/linux-t440p.config b/config/linux-t440p.config
new file mode 100644
index 000000000..00814567d
--- /dev/null
+++ b/config/linux-t440p.config
@@ -0,0 +1,328 @@ +CONFIG_LOCALVERSION="-heads" +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_KERNEL_XZ=y +# CONFIG_SWAP is not set +# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_PREEMPT_VOLUNTARY=y +# CONFIG_CPU_ISOLATION is not set +CONFIG_LOG_BUF_SHIFT=18 +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="@BLOB_DIR@/dev.cpio" +# CONFIG_RD_GZIP is not set +# CONFIG_RD_BZIP2 is not set +# CONFIG_RD_LZMA is not set +# CONFIG_RD_LZO is not set +# CONFIG_RD_LZ4 is not set +# CONFIG_RD_ZSTD is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +# CONFIG_MULTIUSER is not set +# CONFIG_SGETMASK_SYSCALL is not set +# CONFIG_SYSFS_SYSCALL is not set +# CONFIG_FHANDLE is not set +# CONFIG_BASE_FULL is not set +# CONFIG_SIGNALFD is not set +# CONFIG_TIMERFD is not set +# CONFIG_EVENTFD is not set +# CONFIG_AIO is not set +# CONFIG_ADVISE_SYSCALLS is not set +# CONFIG_KALLSYMS is not set +# CONFIG_RSEQ is not set +CONFIG_EMBEDDED=y +# CONFIG_VM_EVENT_COUNTERS is not set +# CONFIG_SLUB_DEBUG is not set +# CONFIG_COMPAT_BRK is not set +# CONFIG_ZONE_DMA is not set +CONFIG_SMP=y +# CONFIG_X86_MPPARSE is not set +# CONFIG_RETPOLINE is not set +# CONFIG_X86_EXTENDED_PLATFORM is not set +CONFIG_PROCESSOR_SELECT=y +# CONFIG_CPU_SUP_AMD is not set +# CONFIG_CPU_SUP_HYGON is not set +# CONFIG_CPU_SUP_CENTAUR is not set +# CONFIG_CPU_SUP_ZHAOXIN is not set +CONFIG_NR_CPUS=32 +# CONFIG_PERF_EVENTS_INTEL_RAPL is not set +# CONFIG_X86_VSYSCALL_EMULATION is not set +# CONFIG_MICROCODE is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_PMEM_LEGACY=y +# CONFIG_MTRR is not set +# CONFIG_X86_SMAP is not set +# CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS is not set +CONFIG_KEXEC=y +CONFIG_KEXEC_FILE=y +# CONFIG_RELOCATABLE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_NONE=y +# CONFIG_MODIFY_LDT_SYSCALL is not set +# CONFIG_SUSPEND is not set +# CONFIG_FIRMWARE_MEMMAP is not set +# CONFIG_DMIID is not set +# CONFIG_VIRTUALIZATION is not set 
+CONFIG_JUMP_LABEL=y +# CONFIG_SECCOMP is not set +CONFIG_MODULES=y +# CONFIG_UNUSED_SYMBOLS is not set +CONFIG_TRIM_UNUSED_KSYMS=y +# CONFIG_MQ_IOSCHED_KYBER is not set +# CONFIG_COREDUMP is not set +# CONFIG_COMPACTION is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_UNIX=y +CONFIG_INET=y +# CONFIG_INET_DIAG is not set +# CONFIG_IPV6 is not set +# CONFIG_WIRELESS is not set +CONFIG_PCI=y +CONFIG_PCI_MSI=y +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +# CONFIG_STANDALONE is not set +# CONFIG_ALLOW_DEV_COREDUMP is not set +# CONFIG_PNP_DEBUG_MESSAGES is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_RAM=y +CONFIG_BLK_DEV_RAM_SIZE=65536 +CONFIG_BLK_DEV_NVME=y +CONFIG_EEPROM_93CX6=m +CONFIG_INTEL_MEI_ME=m +CONFIG_INTEL_MEI_TXE=m +# CONFIG_SCSI_PROC_FS is not set +CONFIG_BLK_DEV_SD=y +CONFIG_BLK_DEV_SR=y +CONFIG_CHR_DEV_SG=y +CONFIG_SCSI_SCAN_ASYNC=y +CONFIG_ISCSI_TCP=y +CONFIG_ATA=y +# CONFIG_ATA_VERBOSE_ERROR is not set +CONFIG_SATA_AHCI=y +# CONFIG_ATA_SFF is not set +CONFIG_MD=y +CONFIG_BLK_DEV_DM=y +CONFIG_DM_CRYPT=y +CONFIG_DM_VERITY=y +CONFIG_DM_VERITY_FEC=y +CONFIG_NETDEVICES=y +# CONFIG_NET_VENDOR_3COM is not set +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +# CONFIG_NET_VENDOR_ALACRITECH is not set +# CONFIG_NET_VENDOR_ALTEON is not set +# CONFIG_NET_VENDOR_AMAZON is not set +# CONFIG_NET_VENDOR_AMD is not set +# CONFIG_NET_VENDOR_AQUANTIA is not set +# CONFIG_NET_VENDOR_ARC is not set +# CONFIG_NET_VENDOR_ATHEROS is not set +# CONFIG_NET_VENDOR_AURORA is not set +# CONFIG_NET_VENDOR_BROADCOM is not set +# CONFIG_NET_VENDOR_BROCADE is not set +# CONFIG_NET_VENDOR_CADENCE is not set +# CONFIG_NET_VENDOR_CAVIUM is not set +# CONFIG_NET_VENDOR_CHELSIO is not set +# CONFIG_NET_VENDOR_CISCO is not set +# CONFIG_NET_VENDOR_CORTINA is not set +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_DLINK is not set +# CONFIG_NET_VENDOR_EMULEX is not set +# CONFIG_NET_VENDOR_EZCHIP is not set +# 
CONFIG_NET_VENDOR_GOOGLE is not set +# CONFIG_NET_VENDOR_HUAWEI is not set +# CONFIG_NET_VENDOR_I825XX is not set +CONFIG_E1000=m +CONFIG_E1000E=m +# CONFIG_NET_VENDOR_MARVELL is not set +# CONFIG_NET_VENDOR_MELLANOX is not set +# CONFIG_NET_VENDOR_MICREL is not set +# CONFIG_NET_VENDOR_MICROCHIP is not set +# CONFIG_NET_VENDOR_MICROSEMI is not set +# CONFIG_NET_VENDOR_MYRI is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +# CONFIG_NET_VENDOR_NETERION is not set +# CONFIG_NET_VENDOR_NETRONOME is not set +# CONFIG_NET_VENDOR_NI is not set +# CONFIG_NET_VENDOR_NVIDIA is not set +# CONFIG_NET_VENDOR_OKI is not set +# CONFIG_NET_VENDOR_PACKET_ENGINES is not set +# CONFIG_NET_VENDOR_PENSANDO is not set +# CONFIG_NET_VENDOR_QLOGIC is not set +# CONFIG_NET_VENDOR_QUALCOMM is not set +# CONFIG_NET_VENDOR_RDC is not set +# CONFIG_NET_VENDOR_REALTEK is not set +# CONFIG_NET_VENDOR_RENESAS is not set +# CONFIG_NET_VENDOR_ROCKER is not set +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SOLARFLARE is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +# CONFIG_NET_VENDOR_SMSC is not set +# CONFIG_NET_VENDOR_SOCIONEXT is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_NET_VENDOR_WIZNET is not set +# CONFIG_NET_VENDOR_XILINX is not set +# CONFIG_USB_NET_DRIVERS is not set +# CONFIG_WLAN is not set +# CONFIG_INPUT_MOUSE is not set +# CONFIG_SERIO_SERPORT is not set +# CONFIG_UNIX98_PTYS is not set +# CONFIG_LEGACY_PTYS is not set +CONFIG_SERIAL_8250=y +# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set +# CONFIG_SERIAL_8250_PNP is not set +# CONFIG_SERIAL_8250_PCI is not set +# CONFIG_SERIAL_8250_LPSS is not set +# CONFIG_SERIAL_8250_MID is not set +CONFIG_TTY_PRINTK=y +CONFIG_HW_RANDOM=y 
+CONFIG_HW_RANDOM_TIMERIOMEM=m +CONFIG_HW_RANDOM_INTEL=m +CONFIG_HW_RANDOM_AMD=m +CONFIG_HW_RANDOM_VIA=m +CONFIG_TCG_TPM=y +CONFIG_TCG_TIS=y +# CONFIG_I2C_COMPAT is not set +CONFIG_I2C_MUX=m +CONFIG_I2C_MUX_PCA9541=m +CONFIG_I2C_MUX_REG=m +# CONFIG_I2C_HELPER_AUTO is not set +CONFIG_I2C_SLAVE=y +# CONFIG_PTP_1588_CLOCK is not set +# CONFIG_HWMON is not set +# CONFIG_X86_PKG_TEMP_THERMAL is not set +CONFIG_MFD_SYSCON=y +CONFIG_DRM=y +CONFIG_DRM_I915=y +CONFIG_DRM_AST=y +CONFIG_FB_VESA=y +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_USB_HID=m +CONFIG_USB=y +CONFIG_USB_XHCI_HCD=m +CONFIG_USB_XHCI_PLATFORM=m +CONFIG_USB_EHCI_HCD=m +CONFIG_USB_EHCI_HCD_PLATFORM=m +CONFIG_USB_STORAGE=m +CONFIG_RTC_CLASS=y +# CONFIG_VIRTIO_MENU is not set +# CONFIG_VHOST_MENU is not set +# CONFIG_X86_PLATFORM_DEVICES is not set +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_GENERIC_PHY=y +# CONFIG_BLK_DEV_PMEM is not set +# CONFIG_ND_BLK is not set +# CONFIG_BTT is not set +CONFIG_EXT4_FS=y +# CONFIG_DNOTIFY is not set +# CONFIG_INOTIFY_USER is not set +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +CONFIG_MSDOS_FS=y +CONFIG_VFAT_FS=y +# CONFIG_PROC_SYSCTL is not set +# CONFIG_PROC_PAGE_MONITOR is not set +# CONFIG_MISC_FILESYSTEMS is not set +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_UTF8=y +CONFIG_HARDENED_USERCOPY=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_CCM=m +CONFIG_CRYPTO_GCM=m +CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=m +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_KEYWRAP=m +CONFIG_CRYPTO_CMAC=m +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=m +CONFIG_CRYPTO_VMAC=m +CONFIG_CRYPTO_CRC32C_INTEL=y +CONFIG_CRYPTO_CRC32=m +CONFIG_CRYPTO_CRC32_PCLMUL=m +CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m +CONFIG_CRYPTO_POLY1305_X86_64=m +CONFIG_CRYPTO_MD4=m +CONFIG_CRYPTO_MICHAEL_MIC=m +CONFIG_CRYPTO_RMD128=m +CONFIG_CRYPTO_RMD160=m +CONFIG_CRYPTO_RMD256=m +CONFIG_CRYPTO_RMD320=m +CONFIG_CRYPTO_SHA1_SSSE3=y 
+CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +CONFIG_CRYPTO_TGR192=m +CONFIG_CRYPTO_WP512=m +CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=m +CONFIG_CRYPTO_ARC4=m +CONFIG_CRYPTO_BLOWFISH=m +CONFIG_CRYPTO_BLOWFISH_X86_64=m +CONFIG_CRYPTO_CAMELLIA=m +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m +CONFIG_CRYPTO_CAST5_AVX_X86_64=m +CONFIG_CRYPTO_CAST6_AVX_X86_64=m +CONFIG_CRYPTO_DES3_EDE_X86_64=m +CONFIG_CRYPTO_FCRYPT=m +CONFIG_CRYPTO_KHAZAD=m +CONFIG_CRYPTO_SALSA20=m +CONFIG_CRYPTO_CHACHA20_X86_64=m +CONFIG_CRYPTO_SEED=m +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m +CONFIG_CRYPTO_TEA=m +CONFIG_CRYPTO_TWOFISH=m +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m +CONFIG_CRYPTO_DEFLATE=m +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=m +CONFIG_CRYPTO_LZ4=m +CONFIG_CRYPTO_LZ4HC=m +CONFIG_CRYPTO_ANSI_CPRNG=m +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +CONFIG_CRYPTO_USER_API_RNG=y +CONFIG_CRYPTO_USER_API_AEAD=y +# CONFIG_CRYPTO_HW is not set +CONFIG_CORDIC=m +CONFIG_CRC_CCITT=m +CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=m +CONFIG_CRC7=m +CONFIG_CRC8=m +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set +CONFIG_XZ_DEC_TEST=m +CONFIG_IRQ_POLL=y +CONFIG_PRINTK_TIME=y +CONFIG_BOOT_PRINTK_DELAY=y +# CONFIG_DEBUG_BUGVERBOSE is not set +# CONFIG_ENABLE_MUST_CHECK is not set +CONFIG_FRAME_WARN=1024 +CONFIG_MAGIC_SYSRQ=y +CONFIG_HARDLOCKUP_DETECTOR=y +CONFIG_WQ_WATCHDOG=y +# CONFIG_SCHED_DEBUG is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_FTRACE is not set +# CONFIG_STRICT_DEVMEM is not set +# CONFIG_X86_VERBOSE_BOOTUP is not set +CONFIG_IO_DELAY_0XED=y +# CONFIG_X86_DEBUG_FPU is not set From 7a29db11ed365a6ac10ed7ef9f6b1af866625737 Mon Sep 17 00:00:00 2001 
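Review bot: As copied from the Librem config, this file leaves several kernel hardening options off — `# CONFIG_RETPOLINE is not set`, `# CONFIG_X86_SMAP is not set`, `# CONFIG_MICROCODE is not set`, `# CONFIG_SECCOMP is not set` and `# CONFIG_STRICT_DEVMEM is not set` — alongside `CONFIG_HARDENED_USERCOPY=y`, and whether that mix is acceptable for a pre-boot, single-user environment like Heads is a deliberate call that should be recorded rather than silently inherited. Since this commit intends a verbatim clone (the board config's `# TODO: Make a ThinkPad-common Linux config file.` still stands), a `# TODO: review hardening options inherited from linux-librem_common.config` at the top of the file flags it for the follow-up that patch 08 begins. `CONFIG_MICROCODE` unset in particular means this kernel does not load CPU microcode updates, presumably on the assumption that coreboot does so for this board — worth confirming.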
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:23:20 -0500 Subject: [PATCH 08/19] t440p: disable NVMe support in Linux kernel I went through all of the different options we copied from the Librem config. The only thing that stood out as irrelevant was NVMe support. However, I'm not a Linux kernel expert, and I didn't do a deep dive, so I'm sure there is still room for improvement. --- config/linux-t440p.config | 1 - 1 file changed, 1 deletion(-) diff --git a/config/linux-t440p.config b/config/linux-t440p.config index 00814567d..3aa08a2cc 100644 --- a/config/linux-t440p.config +++ b/config/linux-t440p.config @@ -87,7 +87,6 @@ CONFIG_DEVTMPFS_MOUNT=y CONFIG_BLK_DEV_LOOP=y CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_SIZE=65536 -CONFIG_BLK_DEV_NVME=y CONFIG_EEPROM_93CX6=m CONFIG_INTEL_MEI_ME=m CONFIG_INTEL_MEI_TXE=m From ed8c74e1973d833a968a018c23cbb2688aea5eb4 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Mon, 23 Jan 2023 22:30:53 -0500 Subject: [PATCH 09/19] Add script for obtaining T440p me.bin blob I performed an analysis of the differences between an me.bin blob I extracted from my T440p and the me.bin blob from Lenovo's website: https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403. --- blobs/t440p/download-clean-me | 49 +++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100755 blobs/t440p/download-clean-me diff --git a/blobs/t440p/download-clean-me b/blobs/t440p/download-clean-me new file mode 100755 index 000000000..38e272fa6 --- /dev/null +++ b/blobs/t440p/download-clean-me 
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+ echo -n \
+ "Usage: $(basename "$0")
+Download Intel ME firmware from Lenovo, neutralize, and shrink.
+"
+}
+
+ME_BIN_HASH="b7cf4c0cf514bbf279d9fddb12c34fca5c1c23e94b000c26275369b924ab9c25"
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+ if [[ "${1:-}" == "--help" ]]; then
+ usage
+ else
+ BLOB_DIR="$(cd "$(dirname "$0")" && pwd)"
+ COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+
+ pushd "$(mktemp -d)"
+
+ curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe
+ innoextract glrg22ww.exe
+
+ mv app/ME9.1_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner"
+
+ popd
+
+ pushd "${COREBOOT_DIR}/util/me_cleaner"
+
+ # Neutralize and shrink Intel ME. Note that this doesn't include
+ # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., High
+ # Assurance Program) bits, as they are defined within the Flash
+ # Descriptor.
+ # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+ python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin
+
+ mv me_shrinked.bin "${BLOB_DIR}/me.bin"
+ rm ./*.bin
+
+ popd
+
+ if ! echo "${ME_BIN_HASH} ${BLOB_DIR}/me.bin" | sha256sum --check; then
+ echo "SHA256 checksum for me.bin doesn't match."
+ exit 1
+ fi
+ fi
+fi
From 936840415cc43cf33bdcebd4f5c7ae3425d48fc3 Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Sat, 25 Feb 2023 19:36:26 -0500
Subject: [PATCH 10/19] Rename T440p export-blobs script to extract More aligned with the naming conventions of xx20 and xx30's extract.sh.
---
blobs/t440p/{export-blobs => extract} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename blobs/t440p/{export-blobs => extract} (100%)
diff --git a/blobs/t440p/export-blobs b/blobs/t440p/extract
similarity index 100%
rename from blobs/t440p/export-blobs
rename to blobs/t440p/extract
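Review bot: The only integrity check is on the final `${BLOB_DIR}/me.bin`, which runs after `innoextract glrg22ww.exe` and `me_cleaner.py` have already parsed whatever `curl -O` fetched, and `curl` without `--fail` will save an HTTP error page under that name and let the failure surface later as an innoextract error. Verifying the download before anything parses it closes both gaps: `curl --proto '=https' --fail -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe` followed by `echo "${LENOVO_EXE_HASH} glrg22ww.exe" | sha256sum --check`, with `LENOVO_EXE_HASH` defined next to `ME_BIN_HASH` (its value is a placeholder until recorded from a known-good download). The `mktemp -d` directory holding the installer and its extracted contents is also never removed; `TMP_DIR="$(mktemp -d)"` with `trap 'rm -rf -- "${TMP_DIR}"' EXIT` before the first `pushd` cleans it on every exit path, including the `exit 1` on a hash mismatch.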
From 7c32d4ed66791da01b3a4338fbaff57aa98f6d80 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sat, 25 Feb 2023 19:26:25 -0500 Subject: [PATCH 11/19] Add T440p ifd.bin blob I extracted the ifd.bin blob from my T440p using the blobs/t440p/extract script. --- blobs/t440p/ifd.bin | Bin 0 -> 4096 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 blobs/t440p/ifd.bin diff --git a/blobs/t440p/ifd.bin b/blobs/t440p/ifd.bin new file mode 100644 index 0000000000000000000000000000000000000000..11127f4020363aef4c7b7aa661b93d96bbbca775 GIT binary patch literal 4096 zcmezW9~DF`{lL%6$imFVBp|B5sK|gS`~SZQ!vs%7r-ZfJcOE$ol4Ae@pek-=1_cI2 z1}298^$Z9MmgnYTU|?a9VC3LHH)}BP7hM-f_|M3|0`dn4Fg-j0VIYw`+zbW{3MH#G8f`XB7+?&s<<6#Yet Fn*qQ73+Mm< literal 0 HcmV?d00001 From e6c34bda55caee332670b9f9e357d7ba6d867da0 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sat, 25 Feb 2023 19:27:35 -0500 Subject: [PATCH 12/19] Add T440p gbe.bin blob - I extracted the gbe.bin blob from my T440p's original ROM using the blobs/t440p/extract script. - Using a hex editor, I corrected the sign bit in part 0 that I found was malformed in my analysis: https://github.com/osresearch/heads/pull/1282#issuecomment-1400634600. - After correcting the sign bit, nvmutil showed that both parts of my gbe.bin blob had valid checksums. - Finally, I used nvmutil to set the MAC address to 00:de:ad:c0:ff:ee. --- blobs/t440p/gbe.bin | Bin 0 -> 8192 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 blobs/t440p/gbe.bin diff --git a/blobs/t440p/gbe.bin b/blobs/t440p/gbe.bin new file mode 100644 index 0000000000000000000000000000000000000000..198756d89d4545239254d33816518197f82e9f3d GIT binary patch literal 8192 zcmZR$xAwsQcZ?kW|6gX%WMF7u5cvQ9umGRZDsd}O1|VQ!2a&8xH4GRefefA$Ee9@V z4q-+s(Y3p*L?I-I1=QNW;Mc|hQVrCiumHs1`Tw7Rk-@=Kl-=P!24G2&h)K$ZQY_Kt?YXb6mkz-S1JhQMeDjE2By2#mZC002~wZ9)J5 literal 0 HcmV?d00001 
From 144f9c147ed9b409ff6ec2b5a8e466b58a1fcf0f Mon Sep 17 00:00:00 2001
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com>
Date: Sat, 25 Feb 2023 19:39:18 -0500
Subject: [PATCH 13/19] Make T440p scripts use Coreboot from environment Before, the T440p blob scripts would look for Coreboot using the find command. Now, we require the user to specify the path to Coreboot in the COREBOOT_DIR environment variable. Also, add an output directory argument to each script. These changes will make it easier to integrate with the Heads build system and CI.
---
blobs/haswell/obtain-mrc | 34 +++++++++++++++------------
blobs/t440p/download-clean-me | 44 +++++++++++++++++++----------------
blobs/t440p/extract | 18 +++++++-------
3 files changed, 53 insertions(+), 43 deletions(-)
diff --git a/blobs/haswell/obtain-mrc b/blobs/haswell/obtain-mrc
index 90ef568c4..c7cf8d977 100755
--- a/blobs/haswell/obtain-mrc
+++ b/blobs/haswell/obtain-mrc
@@ -4,7 +4,7 @@ set -e

function usage() {
echo -n \
- "Usage: $(basename "$0")
+ "Usage: $(basename "$0") path_to_output_directory
Obtain mrc.bin from a Haswell Chromebook firmware image.
"
}
@@ -15,24 +15,28 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
if [[ "${1:-}" == "--help" ]]; then
usage
else
- BLOB_DIR="$(cd "$(dirname "$0")" && pwd)"
- COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')"
+ if [[ -z "${COREBOOT_DIR}" ]]; then
+ echo "ERROR: No COREBOOT_DIR variable defined."
+ exit 1
+ fi

- pushd "${COREBOOT_DIR}"
+ if [[ ! -f "$1/mrc.bin" ]]; then
+ pushd "${COREBOOT_DIR}"

- # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin
- make -C util/cbfstool
- cd util/chromeos
- ./crosfirmware.sh peppy
- ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION
+ # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin
+ make -C util/cbfstool
+ cd util/chromeos
+ ./crosfirmware.sh peppy
+ ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION

- if ! echo "${MRC_BIN_HASH} mrc.bin" | sha256sum --check; then
- echo "SHA256 checksum for mrc.bin doesn't match."
- exit 1
- fi
+ popd

- popd
+ mv "${COREBOOT_DIR}/util/chromeos/mrc.bin" "$1/mrc.bin"
+ fi

- mv "${COREBOOT_DIR}/util/chromeos/mrc.bin" "$(dirname "$0")/mrc.bin"
+ if ! echo "${MRC_BIN_HASH} $1/mrc.bin" | sha256sum --check; then
+ echo "ERROR: SHA256 checksum for mrc.bin doesn't match."
+ exit 1
+ fi
fi
fi
diff --git a/blobs/t440p/download-clean-me b/blobs/t440p/download-clean-me
index 38e272fa6..111b690c4 100755
--- a/blobs/t440p/download-clean-me
+++ b/blobs/t440p/download-clean-me
@@ -4,7 +4,7 @@ set -e

function usage() {
echo -n \
- "Usage: $(basename "$0")
+ "Usage: $(basename "$0") path_to_output_directory
Download Intel ME firmware from Lenovo, neutralize, and shrink.
"
}
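Review bot: `$1` is now the output directory but is never validated, so a run with no argument (or a mistyped one) turns `"$1/mrc.bin"` into `/mrc.bin` and the `mv` either fails late or writes to the filesystem root; a guard next to the new `COREBOOT_DIR` check, `[[ -n "${1:-}" && -d "$1" ]] || { echo "ERROR: output directory argument missing or not a directory." >&2; exit 1; }`, is needed here, in the `download-clean-me` hunk below (`"$1/me.bin"`), and in the `extract` hunks, where `"$2/…"` is not checked at all. The new skip-if-present logic also traps itself: when the final `sha256sum --check` fails, the rejected `$1/mrc.bin` stays in place, so every later run takes the `[[ ! -f "$1/mrc.bin" ]]` false branch and fails again on the same file; `rm -f -- "$1/mrc.bin"` before that `exit 1` lets a rerun recover (same in `download-clean-me`). `COREBOOT_DIR` is only tested for emptiness; `[[ -d "${COREBOOT_DIR}" ]]` would give a clearer failure than the later `pushd`.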
@@ -15,34 +15,38 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then if [[ "${1:-}" == "--help" ]]; then usage else - BLOB_DIR="$(cd "$(dirname "$0")" && pwd)" - COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')" + if [[ -z "${COREBOOT_DIR}" ]]; then + echo "ERROR: No COREBOOT_DIR variable defined." + exit 1 + fi - pushd "$(mktemp -d)" + if [[ ! -f "$1/me.bin" ]]; then + pushd "$(mktemp -d)" - curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe - innoextract glrg22ww.exe + curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe + innoextract glrg22ww.exe - mv app/ME9.1_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner" + mv app/ME9.1_5M_Production.bin "${COREBOOT_DIR}/util/me_cleaner" - popd + popd - pushd "${COREBOOT_DIR}/util/me_cleaner" + pushd "${COREBOOT_DIR}/util/me_cleaner" - # Neutralize and shrink Intel ME. Note that this doesn't include - # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., High - # Assurance Program) bits, as they are defined within the Flash - # Descriptor. - # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot - python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin + # Neutralize and shrink Intel ME. Note that this doesn't include + # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., High + # Assurance Program) bits, as they are defined within the Flash + # Descriptor. + # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin - mv me_shrinked.bin "${BLOB_DIR}/me.bin" - rm ./*.bin + popd - popd + mv "${COREBOOT_DIR}/util/me_cleaner/me_shrinked.bin" "$1/me.bin" + rm "${COREBOOT_DIR}/util/me_cleaner/"*.bin + fi - if ! echo "${ME_BIN_HASH} ${BLOB_DIR}/me.bin" | sha256sum --check; then - echo "SHA256 checksum for me.bin doesn't match." + if ! 
echo "${ME_BIN_HASH} $1/me.bin" | sha256sum --check; then + echo "ERROR: SHA256 checksum for me.bin doesn't match." exit 1 fi fi diff --git a/blobs/t440p/extract b/blobs/t440p/extract index aba59c498..cccb286bb 100755 --- a/blobs/t440p/extract +++ b/blobs/t440p/extract @@ -4,7 +4,7 @@ set -e function usage() { echo -n \ - "Usage: $(basename "$0") path_to_original_rom + "Usage: $(basename "$0") path_to_original_rom path_to_output_directory Extract Intel firmware from the original ROM. " } @@ -13,19 +13,22 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then if [[ "${1:-}" == "--help" ]]; then usage else - if [[ -n "$1" ]]; then - BLOB_DIR="$(cd "$(dirname "$0")" && pwd)" - COREBOOT_DIR="$(find "${BLOB_DIR}/../../build/x86/" -maxdepth 1 -type d -name 'coreboot-*')" + if [[ -z "${COREBOOT_DIR}" ]]; then + echo "ERROR: No COREBOOT_DIR variable defined." + exit 1 + fi + if [[ -n "$1" ]]; then pushd "${COREBOOT_DIR}" + cd util/me_cleaner # Neutralize and shrink Intel ME. # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "$1" - mv ifd_shrinked.bin "${BLOB_DIR}/ifd.bin" - mv me_shrinked.bin "${BLOB_DIR}/me.bin" + mv ifd_shrinked.bin "$2/ifd.bin" + mv me_shrinked.bin "$2/me.bin" rm ./*.bin cd ../ifdtool @@ -35,11 +38,10 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then # original ROM. ./ifdtool -x "$1" - mv flashregion_3_gbe.bin "${BLOB_DIR}/gbe.bin" + mv flashregion_3_gbe.bin "$2/gbe.bin" rm ./*.bin popd - else echo "ERROR: You must supply a path to the original ROM." exit 1 From 1dc5d4eb99f7308d8fa1f0011704f16b19b6ad6b Mon Sep 17 00:00:00 2001 
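Review bot: `curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe` has no `--fail`, so an HTTP error page is saved as `glrg22ww.exe` and the script only dies later inside `innoextract` with a misleading message; `curl --fail -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe` reports the failure at the download step. The `mktemp -d` directory holding the downloaded installer and the unpacked `app/` tree is never removed; capture it in a variable and add `trap 'rm -rf -- "${tmpdir}"' EXIT` before the `pushd`. As in obtain-mrc, the hash check runs after `me.bin` has been moved into `$1`, so a rejected blob stays in place and the `[[ ! -f "$1/me.bin" ]]` guard prevents it from being re-fetched on the next run; `rm -f "$1/me.bin"` before `exit 1` makes the failure recoverable.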
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sat, 25 Feb 2023 19:43:14 -0500 Subject: [PATCH 14/19] Make T440p Coreboot build depend on blob files Now, when you run `make BOARD=any-t440p-variant`, the build system automatically fetches mrc.bin and me.bin. --- boards/t440p-maximized/t440p-maximized.config | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/boards/t440p-maximized/t440p-maximized.config b/boards/t440p-maximized/t440p-maximized.config index 092248882..b74edef93 100644 --- a/boards/t440p-maximized/t440p-maximized.config +++ b/boards/t440p-maximized/t440p-maximized.config @@ -35,9 +35,20 @@ export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOARD_NAME="ThinkPad T440p-maximized" export CONFIG_FLASHROM_OPTIONS="-p internal" -all: $(board_build)/$(CB_OUTPUT_FILE) - @sha256sum $@ | tee -a "$(HASHES)" +# Make the Coreboot build depend on the following 3rd party blobs: +$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ + $(pwd)/blobs/haswell/mrc.bin $(pwd)/blobs/t440p/me.bin + +$(pwd)/blobs/haswell/mrc.bin: + COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ + $(pwd)/blobs/haswell/obtain-mrc $(pwd)/blobs/haswell + +$(pwd)/blobs/t440p/me.bin: + COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ + $(pwd)/blobs/t440p/download-clean-me $(pwd)/blobs/t440p +# Haswell boards have an 8 MiB and 4 MiB SPI flash chip. So, we split the +# Coreboot ROM into two files to flash one on each chip. all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE) $(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none) From 5083ba356c68182db83226c051782f31e8aa33a6 Mon Sep 17 00:00:00 2001 
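Review bot: `$(pwd)/blobs/haswell/mrc.bin:` and `$(pwd)/blobs/t440p/me.bin:` have no prerequisites, and the blob scripts in patch 13 copy the blob into place before running their SHA-256 check, so if verification fails the file still exists, the next `make` treats the target as up to date, and an unverified blob is fed into the Coreboot build with no further check. Add `.DELETE_ON_ERROR:` to this board config (or have the scripts remove the rejected file) so a failed recipe does not leave a satisfied target behind. The blob recipes also invoke Coreboot's `util/cbfstool` and `util/me_cleaner` under `$(build)/$(coreboot_base_dir)` but declare no dependency on that tree being unpacked; under a parallel `make -j` they may run before the sources exist — worth confirming against how `$(coreboot_base_dir)` is extracted elsewhere in the build. The removed `@sha256sum $@ | tee -a "$(HASHES)"` line was what recorded the Coreboot output in the hashes file; the hunk ends before the split-ROM rules, so I cannot see whether the bottom/top ROMs are recorded instead.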
From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sat, 25 Feb 2023 19:46:00 -0500 Subject: [PATCH 15/19] Add the T440p to CircleCI --- .circleci/config.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4868493be..1fd40e5ee 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -429,6 +429,20 @@ workflows: requires: - x230-hotp-maximized + - build: + name: t440p-maximized + target: t440p-maximized + subcommand: "" + requires: + - x230-hotp-maximized + + - build: + name: t440p-hotp-maximized + target: t440p-hotp-maximized + subcommand: "" + requires: + - x230-hotp-maximized + - build: name: qemu-coreboot target: qemu-coreboot From 3efec15dc70a12176d6882bb3346c645c4103bc2 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Sat, 25 Feb 2023 21:28:29 -0500 Subject: [PATCH 16/19] CircleCI: Install crosfirmware.sh dependencies We need extra dependencies to support Coreboot's util/crosfirmware.sh to extract the T440p's mrc.bin. --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1fd40e5ee..81e6f0e66 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -15,7 +15,7 @@ commands: command: | ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime apt update - apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools sharutils e2fsprogs parted curl unzip - run: name: Make Board command: | From 63eab714e53565a2b8e36108f91dd54b30f4a914 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Tue, 28 Feb 2023 11:44:48 -0500 Subject: [PATCH 17/19] Make T440p scripts work with relative paths Because we're using pushd/popd to make the Coreboot util invocation cleaner, we need to use realpath so that the scripts will work with any user input. --- blobs/haswell/obtain-mrc | 13 +++++++----- blobs/t440p/download-clean-me | 22 +++++++++++-------- blobs/t440p/extract | 40 +++++++++++++++++------------------ 3 files changed, 40 insertions(+), 35 deletions(-) diff --git a/blobs/haswell/obtain-mrc b/blobs/haswell/obtain-mrc index c7cf8d977..42a6daabd 100755 --- a/blobs/haswell/obtain-mrc +++ b/blobs/haswell/obtain-mrc 
@@ -20,21 +20,24 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then exit 1 fi - if [[ ! -f "$1/mrc.bin" ]]; then + output_dir="$(realpath "${1:-./}")" + + # Obtain mrc.bin from a Haswell Chromebook firmware image. + # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin + if [[ ! -f "${output_dir}/mrc.bin" ]]; then pushd "${COREBOOT_DIR}" - # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin make -C util/cbfstool cd util/chromeos ./crosfirmware.sh peppy ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION - popd + mv mrc.bin "${output_dir}/mrc.bin" - mv "${COREBOOT_DIR}/util/chromeos/mrc.bin" "$1/mrc.bin" + popd fi - if ! echo "${MRC_BIN_HASH} $1/mrc.bin" | sha256sum --check; then + if ! echo "${MRC_BIN_HASH} ${output_dir}/mrc.bin" | sha256sum --check; then echo "ERROR: SHA256 checksum for mrc.bin doesn't match." exit 1 fi diff --git a/blobs/t440p/download-clean-me b/blobs/t440p/download-clean-me index 111b690c4..26297d89e 100755 --- a/blobs/t440p/download-clean-me +++ b/blobs/t440p/download-clean-me @@ -20,7 +20,11 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then exit 1 fi - if [[ ! -f "$1/me.bin" ]]; then + output_dir="$(realpath "${1:-./}")" + + if [[ ! -f "${output_dir}/me.bin" ]]; then + # Unpack Lenovo's Windows installer into a temporary directory and + # extract the Intel ME blob. pushd "$(mktemp -d)" curl -O https://download.lenovo.com/pccbbs/mobiles/glrg22ww.exe 
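Review bot: `output_dir="$(realpath "${1:-./}")"` resolves the path but does not check that the directory exists — GNU realpath only requires the leading components to exist unless `-e` is given — so a mistyped argument is caught only at `mv mrc.bin "${output_dir}/mrc.bin"`, after the Chromebook recovery image has been downloaded and unpacked. Validate up front: `output_dir="$(realpath -e "${1:-./}")" || exit 1` followed by `[[ -d "${output_dir}" && -w "${output_dir}" ]] || { echo "ERROR: ${output_dir} is not a writable directory." >&2; exit 1; }`. The unquoted `coreboot-*.bin` passed to cbfstool expands to several arguments if an earlier or interrupted run left another `coreboot-*.bin` in `util/chromeos`; naming the file explicitly (`coreboot-peppy.bin`, if that is what crosfirmware.sh produces) removes the ambiguity. The enclosing `if` blocks begin above the hunk.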
@@ -30,22 +34,22 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then popd - pushd "${COREBOOT_DIR}/util/me_cleaner" - # Neutralize and shrink Intel ME. Note that this doesn't include - # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., High - # Assurance Program) bits, as they are defined within the Flash + # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., + # High Assurance Program) bits, as they are defined within the Flash # Descriptor. # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + pushd "${COREBOOT_DIR}/util/me_cleaner" + python me_cleaner.py -r -t -O me_shrinked.bin ME9.1_5M_Production.bin - popd + mv me_shrinked.bin "${output_dir}/me.bin" + rm ./*.bin - mv "${COREBOOT_DIR}/util/me_cleaner/me_shrinked.bin" "$1/me.bin" - rm "${COREBOOT_DIR}/util/me_cleaner/"*.bin + popd fi - if ! echo "${ME_BIN_HASH} $1/me.bin" | sha256sum --check; then + if ! echo "${ME_BIN_HASH} ${output_dir}/me.bin" | sha256sum --check; then echo "ERROR: SHA256 checksum for me.bin doesn't match." exit 1 fi diff --git a/blobs/t440p/extract b/blobs/t440p/extract index cccb286bb..0307b93b6 100755 --- a/blobs/t440p/extract +++ b/blobs/t440p/extract 
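Review bot: `rm ./*.bin` now runs inside `${COREBOOT_DIR}/util/me_cleaner` and deletes every `.bin` in that directory, not just the `ME9.1_5M_Production.bin` this script copied there — a user who keeps their own ME or ROM dumps next to me_cleaner loses them. Remove only what the script created: `rm -f ME9.1_5M_Production.bin` (me_shrinked.bin has already been moved). The hash check still runs after the `mv` into `${output_dir}`, so a mismatched `me.bin` stays in place and the `[[ ! -f "${output_dir}/me.bin" ]]` guard from the earlier hunk stops it from being re-fetched; `rm -f "${output_dir}/me.bin"` before `exit 1` would make the failure recoverable.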
@@ -18,33 +18,31 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then exit 1 fi - if [[ -n "$1" ]]; then - pushd "${COREBOOT_DIR}" + original_rom="$(realpath "$1")" + output_dir="$(realpath "${2:-./}")" - cd util/me_cleaner + # Neutralize Intel ME and resize the Intel Flash Descriptor (IFD) + # layout. + # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + pushd "${COREBOOT_DIR}/util/me_cleaner" - # Neutralize and shrink Intel ME. - # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot - python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "$1" + python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "${original_rom}" - mv ifd_shrinked.bin "$2/ifd.bin" - mv me_shrinked.bin "$2/me.bin" - rm ./*.bin + mv ifd_shrinked.bin "${output_dir}/ifd.bin" + mv me_shrinked.bin "${output_dir}/me.bin" + rm ./*.bin - cd ../ifdtool - make + popd - # Extract the Intel Gigabit Ethernet (GbE) firmware from the - # original ROM. - ./ifdtool -x "$1" + # Extract the Intel Gigabit Ethernet (GbE) firmware. + pushd "${COREBOOT_DIR}/util/ifdtool" - mv flashregion_3_gbe.bin "$2/gbe.bin" - rm ./*.bin + make + ./ifdtool -x "${original_rom}" - popd - else - echo "ERROR: You must supply a path to the original ROM." - exit 1 - fi + mv flashregion_3_gbe.bin "${output_dir}/gbe.bin" + rm ./*.bin + + popd fi fi From e4a09e81bbdba07c07f0747a0408f6230a3765b8 Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Tue, 28 Feb 2023 11:46:36 -0500 Subject: [PATCH 18/19] Add T440p blobs documentation --- blobs/t440p/README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 blobs/t440p/README.md diff --git a/blobs/t440p/README.md b/blobs/t440p/README.md new file mode 100644 index 000000000..79ddada13 --- /dev/null +++ b/blobs/t440p/README.md 
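Review bot: The explicit `echo "ERROR: You must supply a path to the original ROM."` branch is removed but nothing replaces it: with no argument `original_rom="$(realpath "$1")"` aborts under `set -e` with realpath's own `'': No such file or directory` message, and because realpath does not require the last component to exist, a mistyped path passes and the failure only surfaces inside me_cleaner. Keep a guard before the first `pushd`: `[[ -n "${1:-}" && -f "$1" ]] || { echo "ERROR: You must supply a path to the original ROM." >&2; exit 1; }`. The two `rm ./*.bin` lines also delete every `.bin` in `util/me_cleaner` and `util/ifdtool`, not only the files this run produced; `rm -f out.bin` and `rm -f flashregion_*.bin` respectively are safer. The enclosing `if` blocks begin above the hunk.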
@@ -0,0 +1,42 @@ +# T440p Blobs + +- [Overview](#overview) +- [Using Your Own Blobs](#using-your-own-blobs) + +## Overview + +Coreboot on the T440p requires the following binary blobs: + +- `mrc.bin` - Consists of Intel’s Memory Reference Code (MRC) and [is used to initialize the DRAM](https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html). +- `me.bin` - Consists of Intel’s Management Engine (ME), which we modify using [me_cleaner](https://github.com/corna/me_cleaner) to remove all but the modules which are necessary for the CPU to function. +- `gbe.bin` - Consists of hardware/software configuration data for the Gigabit Ethernet (GbE) controller. Intel publishes the data structure [here](https://web.archive.org/web/20230122164346/https://www.intel.com/content/dam/www/public/us/en/documents/design-guides/i-o-controller-hub-8-9-nvm-map-guide.pdf), and an [ImHex](https://github.com/WerWolv/ImHex) hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_lan_nvm.hexpat). +- `ifd.bin` - Consists of the Intel Flash Descriptor (IFD). Intel publishes the data structure [here](https://web.archive.org/web/20221208011432/https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/io-controller-hub-8-datasheet.pdf), and an ImHex hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_flash_descriptor.hexpat). + +Heads supplies an IFD and GbE blob, which we extracted from a donor board. We changed the MAC address of the GbE blob to `00:de:ad:c0:ff:ee` using [nvmutil](https://libreboot.org/docs/install/nvmutil.html), to support anonymity and build reproducibility. + +When building any T440p board variant with `make`, the build system will download a copy of the MRC and Intel ME. We extract `mrc.bin` from a Chromebook firmware image and `me.bin` from a Lenovo firmware update. 
+ +## Using Your Own Blobs + +You can compile Heads using the Intel ME, GbE, and and IFD blobs from your original ROM. + +However, it's worth noting that our analysis showed [no tangible difference](https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403) between the Intel ME from a donor board and Lenovo's website. Also, we found [no meaningful difference](https://github.com/osresearch/heads/pull/1282#issuecomment-1400634600) between the IFD and and GbE blobs extracted from two T440ps, asides from the LAN MAC address. + +First, make sure you've built Heads at least once in order to download the Coreboot sources: + +```console +$ make BOARD=t440p-hotp-maximized +``` + +Then, supply the path to the Coreboot sources via the `COREBOOT_DIR` environment variable, and run the blob-extraction script: + +```console +$ export COREBOOT_DIR="./build/x86/coreboot-4.17/" +$ ./blobs/t440p/extract /path/to/original_rom.bin ./blobs/t440p +``` + +Now, you can rebuild Heads: + +```console +$ make BOARD=t440p-hotp-maximized +``` From 1dd9c266a8df506d615b9f663475b3a80920805a Mon Sep 17 00:00:00 2001 From: Rocky Breslow <1774125+rbreslow@users.noreply.github.com> Date: Tue, 28 Feb 2023 14:11:03 -0500 Subject: [PATCH 19/19] CircleCI: Make the T440p depend on Librem boards This change will improve build times by allowing the T440p to share the Coreboot 4.17 cache with the Librem boards. Once we update the other ThinkPad boards to use Coreboot 4.19, we'll make the T440p depend on the X230 again. Co-authored-by: Thierry Laurion --- .circleci/config.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 81e6f0e66..87e994985 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -217,7 +217,7 @@ workflows: requires: - prep_env - # Coreboot 4.15 + # Coreboot 4.17 - build_and_persist: name: librem_14 target: librem_14 
@@ -234,8 +234,7 @@ workflows: requires: - prep_env - #Cache one workspace per Coreboot version, ideally the boards including the highest number of modules, since not rebuilt across builds. - #Below, 4.11, 4.13, 4.17 + #Cache one workspace per architecture. Make sure workspace caches are chainloaded and the last in chain for an arch is saved. - save_cache: requires: - librem_14 @@ -434,14 +433,14 @@ workflows: target: t440p-maximized subcommand: "" requires: - - x230-hotp-maximized + - librem_14 - build: name: t440p-hotp-maximized target: t440p-hotp-maximized subcommand: "" requires: - - x230-hotp-maximized + - librem_14 - build: name: qemu-coreboot