Merge osresearch/master: resolve conflicts in initrd/bin/reboot and initrd/bin/kexec-seal-key

Author: tlaurion

.circleci/config.yml

@@ -195,7 +195,7 @@ jobs:
             - build/ppc64/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c
             - build/x86/coreboot-4.11
             - build/x86/coreboot-24.02.01
-            - build/x86/coreboot-24.12
+            - build/x86/coreboot-25.09
             - build/x86/coreboot-dasharo
             - build/x86/coreboot-purism
             - build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c
@@ -213,6 +213,7 @@ jobs:
 workflows:
   version: 2
   build_and_test:
+    max_auto_reruns: 3
     jobs:
       - prep_env
 
@@ -252,7 +253,7 @@ workflows:
           requires:
             - novacustom-nv4x_adl
 
-      # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
+      # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
       - build_and_persist:
           name: EOL_t480-hotp-maximized
           target: EOL_t480-hotp-maximized
@@ -285,7 +286,7 @@ workflows:
             - EOL_t480-hotp-maximized
 
       # Those onboarding new boards should add their entries below.
-      # coreboot 24.12 boards
+      # coreboot 25.09 boards
       - build:
           name: EOL_x220-hotp-maximized
           target: EOL_x220-hotp-maximized
@@ -420,29 +421,29 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_t440p-maximized
-          target: EOL_UNTESTED_t440p-maximized
+          name: EOL_t440p-maximized
+          target: EOL_t440p-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_t440p-hotp-maximized
-          target: EOL_UNTESTED_t440p-hotp-maximized
+          name: EOL_t440p-hotp-maximized
+          target: EOL_t440p-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_w541-maximized
-          target: EOL_UNTESTED_w541-maximized
+          name: EOL_w541-maximized
+          target: EOL_w541-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_w541-hotp-maximized
-          target: EOL_UNTESTED_w541-hotp-maximized
+          name: EOL_w541-hotp-maximized
+          target: EOL_w541-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -455,15 +456,15 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_z220-cmt-maximized
-          target: EOL_UNTESTED_z220-cmt-maximized
+          name: EOL_z220-cmt-maximized
+          target: EOL_z220-cmt-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_z220-cmt-hotp-maximized
-          target: EOL_UNTESTED_z220-cmt-hotp-maximized
+          name: EOL_z220-cmt-hotp-maximized
+          target: EOL_z220-cmt-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -526,7 +527,7 @@ workflows:
           requires:
             - librem_14
 
-      # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
+      # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
       - build:
           name: EOL_t480-maximized
           target: EOL_t480-maximized

BOARDS_AND_TESTERS.md

@@ -49,13 +49,12 @@ xx30 (Ivy Bridge: Intel 3rd Gen CPU)
 - [ ] w530 (xx30): @eganonoa @zifxify @weyounsix (dGPU: w530-k2000m) @jnscmns (dGPU K1000M) @computer-user123 (w530 / w530 k2000: prefers iGPU) @tlaurio
 - [ ] x230 (xx30): @nestire @tlaurion @merge @jan23 @MrChromebox @shamen123 @eganonoa @bwachter @Thrilleratplay @jnscmns
 - [ ] x230-fhd/edp variant: @n4ru @computer-user123 (nitro caster board) @Tonux599 @househead @pcm720 (eDP 4.0 board and 1440p display) @doob85 https://matrix.to/#/@rsabdpy:matrix.org (agan mod board)
-- [ ] x230t: @fhvyhjriur
 - [ ] t530 (xx30): @fhvyhjriur @3hhh (See: https://github.com/linuxboot/heads/issues/1682)
 
 xx4x (Haswell: Intel 4th Gen CPU)
 ===
-- [ ] t440p: @fhvyhjriur @ThePlexus @srgrint @akunterkontrolle @rbreslow
-- [ ] w541 (similar of t440p): @ResendeGHF @gaspar-ilom (Late tested; at risk of deprecation)
+- [ ] t440p: @MattClifton76 @fhvyhjriur @ThePlexus @srgrint @akunterkontrolle @rbreslow
+- [ ] w541 (similar of t440p): @gaspar-ilom @ResendeGHF
 
 xx8x (Kaby Lake Refresh: Intel 8th Gen Mobile : ESU ended 12/31/2024)
 ===

Makefile

@@ -72,7 +72,14 @@ $(info !!!!!! Build starts !!!!!!)
 DATE=`date --rfc-3339=seconds`
 
 BOARD		?= qemu-coreboot-fbwhiptail-tpm1
+
+# If the board name begins with UNMAINTAINED_, use the
+# unmaintained_boards path.
+ifeq "y" "$(shell echo '$(BOARD)' | grep -E '^UNMAINTAINED_' >/dev/null 2>&1 && echo y)"
+CONFIG		:= $(pwd)/unmaintained_boards/$(BOARD)/$(BOARD).config
+else
 CONFIG		:= $(pwd)/boards/$(BOARD)/$(BOARD).config
+endif
 
 ifneq "y" "$(shell [ -r '$(CONFIG)' ] && echo y)"
 $(error $(CONFIG): board configuration does not exist)
@@ -907,7 +914,7 @@ $(board_build)/$(CB_OUTPUT_BASENAME)-gpg-injected.rom: $(board_build)/$(CB_OUTPU
 
 board.move_untested_to_tested:
 	@echo "Moving $(BOARD) from UNTESTED to tested status"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_//'); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNTESTED_/\1/'); \
 	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
 	NEW_INCLUDE_BOARD=$$(echo $$INCLUDE_BOARD | sed 's/^UNTESTED_//'); \
 	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \
@@ -923,11 +930,12 @@ board.move_untested_to_tested:
 
 board.move_unmaintained_to_tested:
 	@echo "NEW_BOARD variable will remove UNMAINTAINED_ prefix from $(BOARD)"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNMAINTAINED_//'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
-	git mv boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNMAINTAINED_/\1/'); \
+	echo "Renaming unmaintained_boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
+	mkdir -p boards/$$BOARD; \
+	git mv unmaintained_boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
 	echo "Renaming boards/$$BOARD to boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
+	rm -rf boards/$$NEW_BOARD unmaintained_boards/$$BOARD; \
 	git mv boards/$$BOARD boards/$$NEW_BOARD; \
 	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml"; \
 	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml; \
@@ -936,19 +944,19 @@ board.move_unmaintained_to_tested:
 
 board.move_untested_to_unmaintained:
 	@echo "NEW_BOARD variable will move from UNTESTED_ to UNMAINTAINED_ from $(BOARD)"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_/UNMAINTAINED_/g'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNTESTED_/\1UNMAINTAINED_/'); \
+	echo "Renaming boards/$$BOARD to unmaintained_boards/$$NEW_BOARD"; \
 	mkdir -p unmaintained_boards; \
-	git mv boards/$$BOARD/$$BOARD.config unmaintained_boards/$$BOARD/$$NEW_BOARD.config; \
-	echo "Renaming boards/$$BOARD to unmaintainted_boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
 	git mv boards/$$BOARD unmaintained_boards/$$NEW_BOARD; \
+	echo "Renaming unmaintained_boards/$$NEW_BOARD/$$BOARD.config to unmaintained_boards/$$NEW_BOARD/$$NEW_BOARD.config"; \
+	rm -rf boards/$$NEW_BOARD; \
+	git mv unmaintained_boards/$$NEW_BOARD/$$BOARD.config unmaintained_boards/$$NEW_BOARD/$$NEW_BOARD.config; \
 	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml. Delete manually entries"; \
 	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml
 
 board.move_tested_to_untested:
 	@echo "NEW_BOARD variable will add UNTESTED_ prefix to $(BOARD)"
-	@NEW_BOARD=UNTESTED_$(BOARD); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)/\1UNTESTED_/'); \
 	rm -rf boards/$${NEW_BOARD}; \
 	echo "Renaming boards/$(BOARD)/$(BOARD).config to boards/$(BOARD)/$${NEW_BOARD}.config"; \
 	git mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
@@ -970,7 +978,7 @@ board.move_tested_to_EOL:
 
 board.move_tested_to_unmaintained:
 	@echo "Moving $(BOARD) from tested to unmaintained status"
-	@NEW_BOARD=UNMAINTAINED_$(BOARD); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)/\1UNMAINTAINED_/'); \
 	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
 	NEW_INCLUDE_BOARD=UNMAINTAINED_$${INCLUDE_BOARD}; \
 	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \

bin/seed_package_mirror.sh

@@ -56,8 +56,8 @@ echo "Downloading packages..."
 make packages BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp
 make packages BOARD=UNTESTED_talos-2 # newt, PPC
 make packages BOARD=librem_l1um_v2 # TPM2
-make packages BOARD=librem_l1um # coreboot 4.11
-make packages BOARD=x230-maximized # io386
+make packages BOARD=EOL_librem_l1um # coreboot 4.11
+make packages BOARD=EOL_x230-maximized # io386
 echo
 echo "Copying to mirror directory..."
 mkdir -p "$ARG_MIRROR_DIR"

blobs/haswell/.gitignore

@@ -7,14 +7,17 @@
 
 Coreboot on the T440p requires the following binary blobs:
 
-- `mrc.bin` - Consists of Intel’s Memory Reference Code (MRC) and [is used to initialize the DRAM](https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html).
 - `me.bin` - Consists of Intel’s Management Engine (ME), which we modify using [me_cleaner](https://github.com/corna/me_cleaner) to remove all but the modules which are necessary for the CPU to function.
 - `gbe.bin` - Consists of hardware/software configuration data for the Gigabit Ethernet (GbE) controller. Intel publishes the data structure [here](https://web.archive.org/web/20230122164346/https://www.intel.com/content/dam/www/public/us/en/documents/design-guides/i-o-controller-hub-8-9-nvm-map-guide.pdf), and an [ImHex](https://github.com/WerWolv/ImHex) hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_lan_nvm.hexpat).
 - `ifd.bin` - Consists of the Intel Flash Descriptor (IFD). Intel publishes the data structure [here](https://web.archive.org/web/20221208011432/https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/io-controller-hub-8-datasheet.pdf), and an ImHex hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_flash_descriptor.hexpat).
 
 Heads supplies an IFD and GbE blob, which we extracted from a donor board. We changed the MAC address of the GbE blob to `00:de:ad:c0:ff:ee` using [nvmutil](https://libreboot.org/docs/install/nvmutil.html), to support anonymity and build reproducibility.
 
-When building any T440p board variant with `make`, the build system will download a copy of the MRC and Intel ME. We extract `mrc.bin` from a Chromebook firmware image and `me.bin` from a Lenovo firmware update.
+When building any T440p board variant with `make`, the build system will download a copy of the Intel ME. We extract the `me.bin` from a Lenovo firmware update.
+
+### Native Ram Initialization
+
+Note that due to native ram initialization for haswell boards in coreboot it is no longer necessary to use a third party blob (`mrc.bin`) for that.
 
 ## Using Your Own Blobs
 

blobs/haswell/obtain-mrc

@@ -7,14 +7,17 @@
 
 Coreboot on the W541 requires the following binary blobs:
 
-- `mrc.bin` - Consists of Intel’s Memory Reference Code (MRC) and [is used to initialize the DRAM](https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html).
 - `me.bin` - Consists of Intel’s Management Engine (ME), which we modify using [me_cleaner](https://github.com/corna/me_cleaner) to remove all but the modules which are necessary for the CPU to function.
 - `gbe.bin` - Consists of hardware/software configuration data for the Gigabit Ethernet (GbE) controller. Intel publishes the data structure [here](https://web.archive.org/web/20230122164346/https://www.intel.com/content/dam/www/public/us/en/documents/design-guides/i-o-controller-hub-8-9-nvm-map-guide.pdf), and an [ImHex](https://github.com/WerWolv/ImHex) hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_lan_nvm.hexpat).
 - `ifd.bin` - Consists of the Intel Flash Descriptor (IFD). Intel publishes the data structure [here](https://web.archive.org/web/20221208011432/https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/io-controller-hub-8-datasheet.pdf), and an ImHex hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_flash_descriptor.hexpat).
 
 Heads supplies an IFD and GbE blob, which we extracted from a donor board. We changed the MAC address of the GbE blob to `00:de:ad:c0:ff:ee` using [nvmutil](https://libreboot.org/docs/install/nvmutil.html), to support anonymity and build reproducibility.
 
-When building any W541 board variant with `make`, the build system will download a copy of the MRC and Intel ME. We extract `mrc.bin` from a Chromebook firmware image and `me.bin` from a Lenovo firmware update.
+When building any W541 board variant with `make`, the build system will download a copy of the Intel ME. We extract the `me.bin` from a Lenovo firmware update.
+
+### Native Ram Initialization
+
+Note that due to native ram initialization for haswell boards in coreboot it is no longer necessary to use a third party blob (`mrc.bin`)
 
 ## Using Your Own Blobs
 
@@ -37,4 +40,4 @@ Now, you can rebuild Heads:
 
 ```console
 $ make BOARD=w541-hotp-maximized
-```
+```

blobs/t440p/README.md

@@ -34,11 +34,17 @@ if [[ ! -f "${output_dir}/IVB_BIOSAC_PRODUCTION.bin" ]] || [[ ! -f "${output_dir
     #Download sinit
     # Original URL got rid of needed file, keeping original URL. Let's use archive.org
     #wget https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip
-    wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip
-    unzip sinit.zip
-    mv 630744_002/SNB_IVB_SINIT_20190708_PW.bin "${output_dir}/" 
-    
-    popd || exit
+    if wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip; then
+      unzip sinit.zip
+      mv 630744_002/SNB_IVB_SINIT_20190708_PW.bin "${output_dir}/"
+      popd || exit
+    elif wget https://dl.3mdeb.com/mirror/intel/acm/SNB_IVB_SINIT_20190708_PW.bin -O "${output_dir}/SNB_IVB_SINIT_20190708_PW.bin"; then
+      # As per https://github.com/Dasharo/dasharo-issues/issues/1283#issuecomment-3178940096 : use 3mdeb's intel mirror for sinit blob
+      popd || exit
+    else
+      echo "Can't download sinit blob, failing"
+      exit 1
+    fi
 fi
 
 if ! echo "${EC_BLOB_HASH} ${output_dir}/sch5545_ecfw.bin" | sha256sum --check; then

blobs/w541/README.md

@@ -7,9 +7,10 @@ The following blobs are needed:
 * `me.bin`
 * `tb.bin` (optional but recommended flashing this blob to the separate Thunderbolt SPI chip to fix a bug in the original firmware)
 
-## me.bin: automatically extract, neuter and deguard
+## me.bin: automatically extract, deactivate, partially neuter and deguard
 
-download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin
+download_clean_deguard_me_pad_tb.sh : Download vulnerable ME from Dell, verify checksum, extract ME, deactivate ME and paritally neuter it, then apply the deguard patch and place it into me.bin.
+For the technical details please read the documentation in the script itself, as removing modules is limited on the platform.
 
 The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
 
@@ -31,7 +32,7 @@ The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC`
 ## tb.bin
 
 This blob was extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
-It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T430-maximized-flashing/
+It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T480-maximized-flashing/
 
 ## Integrity
 
@@ -50,4 +51,6 @@ See the board configs `boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config
 # Documentation
 
 A guide on how to flash this board (both the Heads rom and the Thunderbolt `tb.bin` blob) can be found here:
-https://osresearch.net/T430-maximized-flashing/
+https://osresearch.net/T480-maximized-flashing/
+
+The upstream documentation is available here. It includes a list of known issues: https://doc.coreboot.org/mainboard/lenovo/t480.html