Add support for t430 dgpu-versions

Maximized boards being supported here only. I do not have a board to test. But these have been tested as working by another user (see linuxboot#1057 (comment)).
tlaurion · Jun 21, 2022 · e05fed7 · e05fed7
1 parent 2ddc559
commit e05fed7
Show file tree

Hide file tree

Showing 7 changed files with 332 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -95,6 +95,11 @@ jobs:
           command: |
             ./blobs/xx30/download_clean_me.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
 
+      - run:
+          name: Download and extract t430 vbios roms for dgpu boards
+          command: |
+            ./blobs/xx30/vbios_t430.sh
+
       - run:
           name: Download and extract t530 vbios roms for dgpu boards
           command: |
@@ -306,6 +311,13 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: t430-dgpu-hotp-maximized
+          target: t430-dgpu-hotp-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: x230
           target: x230
@@ -382,6 +394,13 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      - build:
+          name: t430-dgpu-maximized
+          target: t430-dgpu-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: t530-maximized
           target: t530-maximized

diff --git a/blobs/xx30/README_vbios b/blobs/xx30/README_vbios
@@ -6,6 +6,7 @@ The scripts require sudo to run, but should be run initally without sudo (e.g. .
 
 * For the w530: https://download.lenovo.com/pccbbs/mobiles/g5uj39us.exe
 * For the t530: https://download.lenovo.com/pccbbs/mobiles/g4uj41us.exe
+* For the t430: https://download.lenovo.com/pccbbs/mobiles/g1uj49us.exe
 
 The scripts have been successfully tested on Debian 10 and Ubuntu 21.04.
 

diff --git a/blobs/xx30/vbios_t430.sh b/blobs/xx30/vbios_t430.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3"
+UEFIEXTRACT="UEFIExtract_NE_A58_linux_x86_64.zip"
+VBIOSFINDER="c2d764975115de466fdb4963d7773b5bc8468a06"
+BIOSUPDATE="g1uj49us.exe"
+ROM_PARSER_SHA256SUM="f3db9e9b32c82fea00b839120e4f1c30b40902856ddc61a84bd3743996bed894  94a615302f89b94e70446270197e0f5138d678f3.zip"
+UEFI_EXTRACT_SHA256SUM="c9cf4066327bdf6976b0bd71f03c9e049ae39ed19ea3b3592bae3da8615d26d7  UEFIExtract_NE_A58_linux_x86_64.zip"
+VBIOS_FINDER_SHA256SUM="bd07f47fb53a844a69c609ff268249ffe7bf086519f3d20474087224a23d70c5  c2d764975115de466fdb4963d7773b5bc8468a06.zip"
+BIOS_UPDATE_SHA256SUM="f6769f197d9becf0533e41e9822b3934bc900a767e8ce2e3538d90fe0d113d5f  g1uj49us.exe"
+DGPU_ROM_SHA256SUM="b0e797cf2be7e11485a089ff7b1962b566737d7ddf082167e638601f47ae5ae8  vbios_10de_0def_1.rom"
+IGPU_ROM_SHA256SUM="11eb0011023391f07e7ae6d8068e1d6f586c9b73cbdaa24c65aa662ee785fca5  vbios_8086_0106_1.rom"
+
+echo "### Creating temp dir"
+extractdir=$(mktemp -d)
+cd "$extractdir"
+
+echo "### Installing basic dependencies"
+sudo apt update && sudo apt install -y wget ruby ruby-dev ruby-bundler p7zip-full upx-ucl 
+
+echo "### Downloading rom-parser dependency"
+wget https://github.com/awilliam/rom-parser/archive/"$ROMPARSER".zip
+
+echo "### Verifying expected hash of rom-parser"
+echo "$ROM_PARSER_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing rom-parser dependency"
+unzip "$ROMPARSER".zip
+cd rom-parser-"$ROMPARSER" && make
+sudo cp rom-parser /usr/sbin/
+
+echo "### Downloading UEFIExtract dependency"
+wget https://github.com/LongSoft/UEFITool/releases/download/A58/"$UEFIEXTRACT"
+
+echo "### Verifying expected hash of UEFIExtract"
+echo "$UEFI_EXTRACT_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing UEFIExtract"
+unzip "$UEFIEXTRACT"
+sudo mv UEFIExtract /usr/sbin/
+
+echo "### Downloading VBiosFinder"
+wget https://github.com/coderobe/VBiosFinder/archive/"$VBIOSFINDER".zip
+
+echo "### Verifying expected hash of VBiosFinder"
+echo "$VBIOS_FINDER_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Installing VBiosFinder"
+unzip "$VBIOSFINDER".zip
+cd VBiosFinder-"$VBIOSFINDER" && bundle install --path=vendor/bundle
+
+echo "### Downloading latest Lenovo bios update for t430"
+wget https://download.lenovo.com/pccbbs/mobiles/"$BIOSUPDATE"
+
+echo "### Verifying expected hash of bios update"
+echo "$BIOS_UPDATE_SHA256SUM" | sha256sum --check || { echo "Failed sha256sum verification..." && exit 1; }
+
+echo "### Finding, extracting and saving vbios"
+./vbiosfinder extract "$extractdir"/rom-parser-"$ROMPARSER"/VBiosFinder-"$VBIOSFINDER"/"$BIOSUPDATE"
+
+echo "Verifying expected hash of extracted roms"
+cd output
+echo "$DGPU_ROM_SHA256SUM" | sha256sum --check || { echo "dGPU rom failed sha256sum verification..." && exit 1; }
+echo "$IGPU_ROM_SHA256SUM" | sha256sum --check || { echo "iGPU rom Failed sha256sum verification..." && exit 1; }
+
+echo "### Moving extracted roms to blobs directory"
+mv vbios_10de_0def_1.rom $BLOBDIR/10de,0def.rom
+mv vbios_8086_0106_1.rom $BLOBDIR/8086,0106.rom
+
+echo "### Cleaning Up"
+cd "$BLOBDIR"
+rm -rf "$extractdir"
diff --git a/boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config b/boards/t430-dgpu-hotp-maximized/t430-dgpu-hotp-maximized.config
@@ -0,0 +1,91 @@
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+# This board is designed for a t430 with a dGPU. In order to build this the relevant script in the blobs directory must be run (or self-pulled roms placed in that directory) and after building the rom, the nvramtool must be run on the 12MB rom to change the default graphics mode away from integrated-only graphics (see README_vbios in the blobs directory).
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-dgpu-hotp-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T430-dgpu-hotp-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+#  following to have gbe.bin ifd.bin and me.bin
+#  - blobs/xx30/download_clean_me.sh
+#     To download Lenovo original ME binary, neuter+deactivate ME, produce
+#      reduced IFD ME region and expanded BIOS IFD region.
+#  - blobs/xx30/extract.sh
+#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+#
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#   
+# As a consequence, this replaces the need of having to flash t430-flash 
+#  and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+	@sha256sum $@
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+	@sha256sum $@
diff --git a/boards/t430-dgpu-maximized/t430-dgpu-maximized.config b/boards/t430-dgpu-maximized/t430-dgpu-maximized.config
@@ -0,0 +1,90 @@
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+# This board is designed for a t430 with a dGPU. In order to build this the relevant script in the blobs directory must be run (or self-pulled roms placed in that directory) and after building the rom, the nvramtool must be run on the 12MB rom to change the default graphics mode away from integrated-only graphics (see README_vbios in the blobs directory).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.13
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-dgpu-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Thinkpad T430-dgpu-maximized"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+
+# xx30-*-maximized boards require of you initially call one of the
+#  following to have gbe.bin ifd.bin and me.bin
+#  - blobs/xx30/download_clean_me.sh
+#     To download Lenovo original ME binary, neuter+deactivate ME, produce
+#      reduced IFD ME region and expanded BIOS IFD region.
+#  - blobs/xx30/extract.sh
+#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
+#
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#   
+# As a consequence, this replaces the need of having to flash t430-flash 
+#  and expands available CBFS region (11.5Mb available CBFS space)
+#
+# When flashing via an external programmer it is easiest to have
+# two separate files for these pieces.
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
+	@sha256sum $@
+
+all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
+$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
+	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
+	@sha256sum $@
diff --git a/config/coreboot-t430-dgpu-hotp-maximized.config b/config/coreboot-t430-dgpu-hotp-maximized.config
@@ -0,0 +1,29 @@
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+# CONFIG_USE_BLOBS is not set
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
+CONFIG_VGA_BIOS_DGPU_FILE="../../blobs/xx30/10de,0def.rom"
+CONFIG_VGA_BIOS=y
+CONFIG_VGA_BIOS_FILE="../../blobs/xx30/8086,0106.rom"
+# CONFIG_VGA_BIOS_SECOND is not set
+CONFIG_VGA_ROM_RUN_DEFAULT=y
+CONFIG_VGA_BIOS_DGPU=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-dgpu-hotp-maximized/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430-dgpu-hotp-maximized/initrd.cpio.xz"
diff --git a/config/coreboot-t430-dgpu-maximized.config b/config/coreboot-t430-dgpu-maximized.config
@@ -0,0 +1,29 @@
+# CONFIG_USE_BLOBS is not set
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_NO_POST=y
+CONFIG_CBFS_SIZE=0xB80000
+CONFIG_IFD_BIN_PATH="../../blobs/xx30/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/xx30/me.bin"
+CONFIG_GBE_BIN_PATH="../../blobs/xx30/gbe.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_UART_PCI_ADDR=0
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_VGA_BIOS_DGPU_ID="10de,0def"
+CONFIG_VGA_BIOS_DGPU_FILE="../../blobs/xx30/10de,0def.rom"
+CONFIG_VGA_BIOS=y
+CONFIG_VGA_BIOS_FILE="../../blobs/xx30/8086,0106.rom"
+# CONFIG_VGA_BIOS_SECOND is not set
+CONFIG_VGA_ROM_RUN_DEFAULT=y
+CONFIG_VGA_BIOS_DGPU=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-dgpu-maximized/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430-dgpu-maximized/initrd.cpio.xz"