m900 tower port + TPM1 auth/defend lock fixes

.circleci/config.yml

@@ -534,6 +534,20 @@ workflows:
             - x86-musl-cross-make
 
       # ── coreboot 25.09 boards (alphabetical) ───────────────────────────────
+      - build:
+          name: EOL_m900_tower-hotp-maximized
+          target: EOL_m900_tower-hotp-maximized
+          subcommand: ""
+          requires:
+            - EOL_t480-hotp-maximized
+
+      - build:
+          name: EOL_m900_tower-maximized
+          target: EOL_m900_tower-maximized
+          subcommand: ""
+          requires:
+            - EOL_t480-hotp-maximized
+
       - build:
           name: EOL_optiplex-7010_9010-hotp-maximized
           target: EOL_optiplex-7010_9010-hotp-maximized

blobs/m900/.gitignore

@@ -0,0 +1,3 @@
+m900_me.bin
+me_cleaned.bin
+

blobs/m900/README.md

@@ -0,0 +1,53 @@
+# m900_tower Blobs
+
+The following blobs are needed:
+
+* `m900_tower_ifd.bin`
+* `m900_tower_gbe.bin`
+* `m900_me.bin`
+
+## m900_me.bin: automatically extract, deactivate, partially neuter and deguard
+
+`m900_download_clean_deguard_me.sh`: Download vulnerable ME from ASRock, verify checksum, extract ME, deactivate ME and partially neuter it, then apply the deguard patch and place it into m900_me.bin.
+For the technical details please read the documentation in the script itself, as removing modules is limited on the platform.
+
+The ME blob dumped in this directory comes from the following link: https://download.asrock.com/BIOS/1151/H110M-DGS(7.30)ROM.zip
+
+
+This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
+See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
+Therefore, Bootguard can be disabled by deguard with a patched ME.
+
+As specified in the first link, this ME can be deployed to:
+
+* m900_tower/SFF
+* optiplex_3050
+* m900_tiny
+
+
+## ifd.bin and gbe.bin
+
+Both blobs are from a production unit of this platform.
+
+The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE`. Unfortunately, after disabling the ME the onboard ethernet stops working. This was tested on coreboot and is true for heads too. So, PCI ethernet or usb/ethernet adapter is needed. 
+IFD blob was unlocked using ifdtool. Moreover, to be sure, the HAP bit was set by altmedisable. 
+The IFD layout was changed: the bios region was expanded to take space after reducing the me blob. 
+
+## Integrity
+
+Sha256sums: `blobs/m900/hashes.txt`
+
+# CAVEATS for the board:
+
+> This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
+> This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
+> Also it can be used to extract FDE keys from a TPM.
+> The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
+> Make sure you understand the implications of the attack for your threat model before using this board.
+
+# Documentation
+
+A guide on how to flash this board can be found at https://osresearch.net/m900_tower-maximized-flashing/ (pending: the page needs to be created).
+
+The upstream port for the board can be found here: https://review.coreboot.org/c/coreboot/+/74187
+

blobs/m900/hashes.txt

@@ -0,0 +1,5 @@
+#m900:
+9c3eff6be017b36c819a0df3c1f6537bb26b6f3d5780787f60b91cedc789f0f0  m900_me.bin
+9508980f92b6b6d270c7f53fd8d4fbf90f37465dff6506d5b3c0675c85f48ffe  m900_tower_gbe.bin
+6d085dfd05f4c945e2745568ab8b1412ea2514a68b463aa05fa1fedec6e429dd  m900_tower_ifd.bin
+

blobs/m900/m900_download_clean_deguard_me.sh

@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+
+# These variables are all for the deguard tool.
+# They would need to be changed if using the tool for other devices with different ME version...
+ME_delta="optiplex_3050"
+ME_version="11.6.0.1126"
+ME_sku="2M"
+ME_pch="H"
+
+
+# Integrity checks for the vendor provided ME blob...
+DL_HASH="de26085e1fbfaaa0302ec73dba411a5fd25fe13ae07e69a2287754ada6a7a196"
+
+# ...and the cleaned and deguarded version from that blob.
+DEGUARDED_ME_BIN_HASH="9c3eff6be017b36c819a0df3c1f6537bb26b6f3d5780787f60b91cedc789f0f0"
+
+
+function usage() {
+	echo -n \
+		"Usage: $(basename "$0") -m <me_cleaner>(optional) path_to_output_directory
+Download Intel ME firmware from ASRock, neutralize and shrink keeping the MFS.
+
+"
+}
+
+function chk_sha256sum() {
+	sha256_hash="$1"
+	filename="$2"
+	echo "$sha256_hash" "$filename" "$(pwd)"
+	sha256sum "$filename"
+	if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then
+		echo "ERROR: SHA256 checksum for ${filename} doesn't match."
+		exit 1
+	fi
+}
+
+function chk_exists_and_matches() {
+	if [[ -f "$1" ]]; then
+		if echo "${2} ${1}" | sha256sum --check; then
+			echo "SKIPPING: SHA256 checksum for $1 matches."
+			[[ "$3" = ME ]] && me_exists="y"
+			return 0
+		fi
+		echo "$1 exists but checksum doesn't match. Continuing..."
+	fi
+}
+
+function download_and_clean() {
+	me_cleaner="$(realpath "${1}")"
+	me_output="$(realpath "${2}")"
+
+	# Download and unpack the ASRock BIOS zip (compatible ME for this Lenovo platform) and
+	# extract the deguardable Intel ME blob.
+	pushd "$(mktemp -d)" || exit
+
+	# Download the installer that contains the ME blob
+	me_installer_filename="H110M-DGS(7.30)ROM.zip"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+	curl -A "$user_agent" -s -O "https://download.asrock.com/BIOS/1151/${me_installer_filename}"
+	chk_sha256sum "$DL_HASH" "$me_installer_filename"
+
+	# Unpack the ME blob.
+	unzip "$me_installer_filename" || exit
+
+	extracted_me_filename="H11MDGS7.30"
+
+	# Deactivate, partially neuter and shrink Intel ME. Note that this doesn't include
+	# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
+	# High Assurance Program) bits, as they are defined within the Flash
+	# Descriptor.
+	# However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function.
+	# For ME 11.x this means we must keep the rbe, bup, kernel and syslib modules.
+	# https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F#me-versions-from-11x-skylake-1
+	# Furthermore, deguard requires keeping the MFS, the HAP bit set, and we cannot relocate the FTPR partition.
+	# Some more general info on shrinking:
+	# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+
+	# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
+	python "$me_cleaner" --whitelist MFS -t -M "$me_output" "${extracted_me_filename}"
+	rm -rf ./*
+	popd || exit
+}
+
+function deguard() {
+	me_input="$(realpath "${1}")"
+	me_output="$(realpath "${2}")"
+
+	# Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob.
+	pushd "$(mktemp -d)" || exit
+	git clone https://github.com/coreboot/deguard
+	pushd deguard || exit
+	git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2
+
+	python ./finalimage.py \
+		--delta "data/delta/$ME_delta" \
+		--version "$ME_version" \
+		--pch "$ME_pch" \
+		--sku "$ME_sku" \
+		--fake-fpfs data/fpfs/zero \
+		--input "$me_input" \
+		--output "$me_output"
+
+	popd || exit
+	#Cleanup
+	rm -rf ./*
+	popd || exit
+}
+
+
+function usage_err() {
+	echo "$1"
+	usage
+	exit 1
+}
+
+function parse_params() {
+	while getopts ":m:" opt; do
+		case $opt in
+		m)
+			if [[ -f "$OPTARG" ]] && [[ ! -x "$OPTARG" ]]; then
+				# me_cleaner is a Python script — passed to python interpreter,
+				# not executed directly.  Only require readability, not +x.
+				me_cleaner="$OPTARG"
+			elif [[ -x "$OPTARG" ]]; then
+				me_cleaner="$OPTARG"
+			else
+				usage_err "-m path '$OPTARG' does not exist or is not readable"
+			fi
+			;;
+		?)
+			usage_err "Invalid Option: -$OPTARG"
+			;;
+		esac
+	done
+
+	if [[ -z "${me_cleaner}" ]]; then
+		if [[ -z "${COREBOOT_DIR}" ]]; then
+			usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable."
+		else
+			me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py"
+		fi
+	fi
+	echo "Using me_cleaner from ${me_cleaner}"
+
+	shift $(($OPTIND - 1))
+	output_dir="$(realpath "${1:-./}")"
+	if [[ ! -d "${output_dir}" ]]; then
+		usage_err "No valid output dir found"
+	fi
+	me_cleaned="${output_dir}/me_cleaned.bin"
+	me_deguarded="${output_dir}/m900_me.bin"
+	echo "Writing cleaned and deguarded ME to ${me_deguarded}"
+}
+
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+	if [[ "${1:-}" == "--help" ]]; then
+		usage
+		exit 0
+	fi
+
+	parse_params "$@"
+	chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME
+
+	if [[ -z "$me_exists" ]]; then
+		download_and_clean "$me_cleaner" "$me_cleaned"
+		deguard "$me_cleaned" "$me_deguarded"
+		rm -f "$me_cleaned"
+	fi
+
+	chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded"
+fi

boards/EOL_m900_tower-hotp-maximized/EOL_m900_tower-hotp-maximized.config

@@ -0,0 +1,87 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a m900_tower running Qubes 4.3 and other Linux Based OSes (through kexec)
+# CAVEATS:
+# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
+# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
+# Also it can be used to extract FDE keys from a TPM.
+# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
+# Make sure you understand the implications of the attack for your threat model before using this board.
+# Includes
+# - Deactivated+partially neutered+deguarded ME and expanded consequent IFD BIOS regions
+# - More details can be found in the script under blobs/m900/m900_download_clean_deguard_me.sh
+# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=25.09
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-m900-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-m900.config
+
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Additional features
+export CONFIG_USB_KEYBOARD_REQUIRED=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init.sh
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkcentre m900_tower-hotp-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+BOARD_TARGETS := m900_me_blobs