m900 tower port + TPM1 auth/defend lock fixes#2118
Open
tlaurion wants to merge 14 commits into
Pull request overview
This PR ports the Lenovo M900 Tower (Skylake/Kaby Lake LGA1151 mini-tower) to Heads with two board variants (maximized, hotp-maximized), plus targeted TPM1 reliability fixes in tpmr.sh so that auth-failure detection and tpm1_reset() recover from the TPM_DEFEND_LOCK_RUNNING state after multiple bad passphrases. Documentation in doc/tpm.md is expanded with TPM1 vs TPM2 error-stream conventions, auth grep patterns, and the defend-lock recovery flow.
Changes:
- New EOL_m900_tower-{maximized,hotp-maximized} boards with shared coreboot/linux configs and an ME blob preparation pipeline (download → me_cleaner → deguard).
- TPM1 auth grep patterns extended to include defend/0x98e/0x149; tpm1_reset() cycles physical presence on "defend lock running" after forceclear.
- CircleCI: two new build jobs (depend on the existing EOL_t480-hotp-maximized 25.09 seed).
Reviewed changes
Copilot reviewed 10 out of 14 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| boards/EOL_m900_tower-maximized/EOL_m900_tower-maximized.config | New maximized board config (no HOTP). |
| boards/EOL_m900_tower-hotp-maximized/EOL_m900_tower-hotp-maximized.config | New hotp-maximized variant. |
| config/coreboot-m900-maximized.config | Coreboot 25.09 config for Lenovo M900. |
| config/linux-m900.config | Linux 6.1.8 kernel config for the board. |
| targets/m900_me_blobs.mk | Make rules tying the ME blob script into the board build. |
| blobs/m900/m900_download_clean_deguard_me.sh | Downloads ASRock BIOS, neuters/deguards ME 11.6.0.1126. |
| blobs/m900/README.md | Blob layout, sources and integrity notes. |
| blobs/m900/hashes.txt | SHA256 of ME/IFD/GBE blobs. |
| blobs/m900/.gitignore | Ignores generated me.bin/m900_me.bin. |
| initrd/bin/tpmr.sh | Adds defend-lock detection in auth-retry grep and tpm1_reset() recovery sequence. |
| doc/tpm.md | New sections on TPM1/TPM2 auth error patterns and defend-lock recovery. |
| .circleci/config.yml | Adds the two M900 board build jobs (depending on the 25.09 seed). |
…ecovery
TPM1 auth errors from tpmtotp use TPM_GetErrMsg() which returns English
strings ('Authentication failed (Incorrect Password)', 'Defend lock
running') — but the grep patterns lacked 'defend', causing defend lock
to be treated as a non-auth error (DIE instead of retry).
- Add 'defend' to all auth detection grep patterns (catches TPM_DEFEND_LOCK_RUNNING)
- tpm1_reset: detect 'defend lock' after forceclear, cycle physical
presence (disable/enable) to clear the lock, retry takeown
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
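The commit above turns on the point that an auth failure and a defend lock both arrive as English text on the TPM1 error stream, and that the caller must tell them apart from real failures before deciding to prompt again. The following is an added example, not code from Heads' tpmr.sh: a small classifier over captured tpmtotp stderr, using the strings the commit quotes and the extra patterns (defend/0x98e/0x149) the PR lists. The sample error lines are constructed; only the two quoted TPM_GetErrMsg() phrases come from the page.

```shell
#!/bin/sh
# Added example (not Heads' own code): classify a captured TPM1 error stream
# so the caller knows whether to retry the passphrase, clear a defend lock
# first, or die. The grep patterns are taken from the PR description and are
# an assumption about the exact expression tpmr.sh uses.

# Reads error text on stdin; prints "defend-lock", "auth" or "other".
tpm1_classify_error() {
    err="$(cat)"
    if printf '%s\n' "$err" | grep -qi 'defend lock'; then
        # TPM_DEFEND_LOCK_RUNNING: too many bad passphrases; the TPM is
        # throttling, so the lock must be cleared before the next attempt.
        echo defend-lock
    elif printf '%s\n' "$err" | grep -qiE 'auth|defend|0x98e|0x149'; then
        # Plain authentication failure: prompt for the passphrase again.
        echo auth
    else
        # Anything else (I/O errors, missing device, ...) is fatal.
        echo other
    fi
}

# Retry policy: returns 0 if the caller should prompt again, 1 if it should
# die. A defend lock still counts as an auth failure, but the caller has to
# clear the lock (the PR's tpm1_reset cycles physical presence) first.
tpm1_should_retry() {
    case "$(tpm1_classify_error)" in
        auth|defend-lock) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample captures. The two TPM_GetErrMsg() phrases are the ones
# quoted in the commit message; the surrounding wording is made up here.
ERR_BAD_PASS='Error Authentication failed (Incorrect Password) from TPM_Unseal'
ERR_DEFEND='Error Defend lock running from TPM_TakeOwnership'
ERR_IO='Error opening /dev/tpm0: No such device'

for sample in "$ERR_BAD_PASS" "$ERR_DEFEND" "$ERR_IO"; do
    kind="$(printf '%s\n' "$sample" | tpm1_classify_error)"
    if printf '%s\n' "$sample" | tpm1_should_retry; then action=retry; else action=die; fi
    echo "$kind -> $action: $sample"
done
```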
- blobs/m900/README.md: fix blob filenames, spelling (paritally->partially, Unfourtunatly->Unfortunately, layot->layout)
- blobs/m900/m900_download_clean_deguard_me.sh: fix Dell->ASRock comment
- boards/EOL_m900_tower-*: fix m900_tiny->m900_tower, fix ME script path, add 'tower' to CONFIG_BOARD_NAME
- targets/m900_me_blobs.mk: rewrite header with accurate instructions

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Supersedes #2111 rebased on #2117 (which was rebased on master)
Merges the m900 tower board port (notgivenby) with TPM1 auth failure
detection and defend lock recovery.
Board port (notgivenby's commits):
TPM1 fixes (tpmr.sh):
@notgivenby so you can test artifacts. Fixed comments #2111.
Feel free to pick comments, steal, reuse, reword.