Merge remote-tracking branch 'osresearch/master' into ext4_orphan_kernel_bump

Author: tlaurion

.circleci/config.yml

@@ -45,7 +45,7 @@ commands:
 jobs:
   prep_env:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.1
+      - image: tlaurion/heads-dev-env:v0.2.3
     resource_class: large
     working_directory: ~/heads
     steps:
@@ -87,6 +87,10 @@ jobs:
           name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
           command: |
             ./blobs/xx20/download_parse_me.sh
+      - run:
+          name: Download Optiplex 7010/9010 blobs
+          command: |
+            ./blobs/xx30/optiplex_7010_9010.sh ./blobs/xx30
       - run:
           # me_cleaner.py present under heads xx30 blobs dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py
           name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
@@ -111,7 +115,7 @@ jobs:
 
   build_and_persist:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.1
+      - image: tlaurion/heads-dev-env:v0.2.3
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -139,7 +143,7 @@ jobs:
 
   build:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.1
+      - image: tlaurion/heads-dev-env:v0.2.3
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -160,7 +164,7 @@ jobs:
 
   save_cache:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.1
+      - image: tlaurion/heads-dev-env:v0.2.3
     resource_class: large
     working_directory: ~/heads
     steps:
@@ -327,6 +331,35 @@ workflows:
           requires:
             - x230-hotp-maximized
 
+      #TODO: move away of 24.02.01 coreboot and depend on optiplex specific dasharo commit
+      - build:
+          name: optiplex-7010_9010-maximized
+          target: optiplex-7010_9010-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: optiplex-7010_9010-hotp-maximized
+          target: optiplex-7010_9010-hotp-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: optiplex-7010_9010_TXT-maximized
+          target: optiplex-7010_9010_TXT-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
+      - build:
+          name: optiplex-7010_9010_TXT-hotp-maximized
+          target: optiplex-7010_9010_TXT-hotp-maximized
+          subcommand: ""
+          requires:
+            - x230-hotp-maximized
+
       - build:
           name: x230-maximized-fhd_edp
           target: x230-maximized-fhd_edp

BOARD_TESTERS.md

@@ -15,21 +15,22 @@ Laptops
 
 xx20 (Sandy):
 ===
-- [ ] t420 (xx20): @alexmaloteaux @natterangell (iGPU) @akfhasodh @doob85
-- [ ] x220 (xx20): @Thrilleratplay @BlackMaria @srgrint
+- [ ] t420 (xx20): @natterangell(iGPU) @alexmaloteaux @akfhasodh @doob85
+- [ ] x220 (xx20): @srgrint @Thrilleratplay
 
 xx30 (Ivy):
 ===
 - [ ] t430 (xx30): @nestire(t430-legacy, t430-maximized) @Thrilleratplay @alexmaloteaux @lsafd @bwachter(iGPU maximized) @shamen123 @eganonoa(iGPU) @nitrosimon @jans23 @icequbes1 (iGPU) @weyounsix (t430-dgpu)
-- [ ] w530 (xx30): @eganonoa @zifxify @weyounsix (dGPU: w530-k2000m) @jnscmns (dGPU K1000M) @computer-user123 (w530 / & w530 k2000 : prefers iGPU)
+- [ ] w530 (xx30): @eganonoa @zifxify @weyounsix (dGPU: w530-k2000m) @jnscmns (dGPU K1000M) @computer-user123 (w530 / & w530 k2000 : prefers iGPU) @tlaurion
 - [ ] x230 (xx30): @nestire(x230-legacy, x230-maximized) @tlaurion(maximized) @osresearch @merge @jan23 @MrChromebox @shamen123 @eganonoa @bwachter @Thrilleratplay @jnscmns @doob85 @natterangell (x230i variant: irrelevant individual board)
 - [ ] x230-fhd/edp variant: @n4ru @computer-user123 (nitro caster board) @Tonux599 @househead @pcm720 (eDP 4.0 board and 1440p display)
+- [ ] x230t : @fhvyhjriur
 - [ ] t530 (xx30): @fhvyhjriur @3hhh (Opportunity to mainstream and close https://github.com/linuxboot/heads/issues/1682)
 
 xx4x(Haswell):
 ===
-- [ ] t440p: @ThePlexus @srgrint @akunterkontrolle @rbreslow
-- [ ] w541 (similar to t440p): @resende-gustavo @gaspar-ilom
+- [ ] t440p: @fhvyhjriur @ThePlexus @srgrint @akunterkontrolle @rbreslow
+- [ ] w541 (similar to t440p): @ResendeGHF @gaspar-ilom (Always tested late: Needs more responsive board testers or risk to become unmaintained.)
 
 Librems:
 ===
@@ -43,13 +44,13 @@ Librems:
 Clevo:
 ===
 - [ ] Nitropad NS50 (AlderLake) : @daringer
-- [ ] Nitropad NV41 (AlderLake) : @daringer, @tlaurion
+- [ ] Nitropad NV41 (AlderLake) : @tlaurion @daringer
 
 
 Desktops/Servers
 ==
-- [ ] kgpe-d16 (AMD fam15h) (dropped in coreboot 4.12): @tlaurion @Tonux599 @zifxify @arhabd
+- [ ] kgpe-d16 (AMD fam15h) (dropped in coreboot 4.12): @arhabd @Tonux599 @zifxify @tlaurion
 - [ ] Librem L1UM v1 (Broadwell): @JonathonHall-Purism
 - [ ] Librem L1Um v2 (CoffeeLake): @JonathonHall-Purism
-- [ ] Talos II (PPC64LE, Power9) : @tlaurion
+- [ ] Talos II (PPC64LE, Power9) : @tlaurion (Will become untested, no other known users, not worth my time nor effort even though massive investment of all forms)
 - [ ] z220-cmt (HP Z220 CMT): @d-wid

Makefile

@@ -604,6 +604,7 @@ bin_modules-$(CONFIG_KEXEC) += kexec
 bin_modules-$(CONFIG_TPMTOTP) += tpmtotp
 bin_modules-$(CONFIG_PCIUTILS) += pciutils
 bin_modules-$(CONFIG_FLASHROM) += flashrom
+bin_modules-$(CONFIG_FLASHPROG) += flashprog
 bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup
 bin_modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
 bin_modules-$(CONFIG_GPG) += gpg
@@ -791,15 +792,20 @@ modules.clean:
 	done
 
 board.move_untested_to_tested:
-	@echo "NEW_BOARD variable will remove UNTESTED_ prefix from $(BOARD)"
+	@echo "Moving $(BOARD) from UNTESTED to tested status"
 	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_//'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
-	mv boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
-	echo "Renaming boards/$$BOARD to boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
-	mv boards/$$BOARD boards/$$NEW_BOARD; \
-	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml"; \
-	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml
+	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
+	NEW_INCLUDE_BOARD=$$(echo $$INCLUDE_BOARD | sed 's/^UNTESTED_//'); \
+	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \
+	sed -i 's/$(BOARD)/'$${NEW_BOARD}'/g' boards/$(BOARD)/$(BOARD).config; \
+	sed -i 's/'$$INCLUDE_BOARD'/'$$NEW_INCLUDE_BOARD'/g' boards/$(BOARD)/$(BOARD).config; \
+	echo "Renaming config file to $${NEW_BOARD}.config"; \
+	mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
+	echo "Renaming board directory to $${NEW_BOARD}"; \
+	mv boards/$(BOARD) boards/$${NEW_BOARD}; \
+	echo "Updating .circleci/config.yml"; \
+	sed -i "s/$(BOARD)/$${NEW_BOARD}/g" .circleci/config.yml; \
+	echo "Operation completed for $(BOARD) -> $${NEW_BOARD}"
 
 board.move_unmaintained_to_tested:
 	@echo "NEW_BOARD variable will remove UNMAINTAINED_ prefix from $(BOARD)"
@@ -830,11 +836,13 @@ board.move_tested_to_untested:
 	@echo "NEW_BOARD variable will add UNTESTED_ prefix to $(BOARD)"
 	@NEW_BOARD=UNTESTED_$(BOARD); \
 	rm -rf boards/$${NEW_BOARD}; \
+	echo "changing $(BOARD) name under boards/$(BOARD)/$(BOARD).config to $${NEW_BOARD}"; \
+	sed boards/$(BOARD)/$(BOARD).config 's/$(BOARD)/$${NEW_BOARD}/g'; \
 	echo "Renaming boards/$(BOARD)/$(BOARD).config to boards/$(BOARD)/$${NEW_BOARD}.config"; \
 	mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
 	echo "Renaming boards/$(BOARD) to boards/$${NEW_BOARD}"; \
 	mv boards/$(BOARD) boards/$${NEW_BOARD}; \
-	echo "Replacing $(BOARD) with $${NEW_BOARD} in .circleci/config.yml"; \
+	echo "Replacing $(BOARD) with $${NEW_BOARD} in .circleci/config.yml"; \
 	sed -i "s/$(BOARD)/$${NEW_BOARD}/g" .circleci/config.yml
 
 board.move_tested_to_unmaintained:

WP_NOTES.md

@@ -0,0 +1,22 @@
+Flashrom was passed to flashprog under https://github.com/linuxboot/heads/pull/1769
+
+Those are notes for @i-c-o-n and others wanting to move WP forward but track issues and users
+
+The problem with WP is that it is desired but even if partial write protection regions is present, WP is widely unused.
+
+Some random notes since support is incomplete (depends on chips, really)
+-QDPI is problematic for WP (same IO2 PIN)
+  - Might be turned on by chipset for ME read https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$NCNidoPsw1ze6zv3m2jlPuGuNrdlDQmDcU81If-q55A?via=matrix.org&via=nitro.chat&via=tchncs.de
+- WP wanted, WP done, WP unused
+  - WP wanted https://github.com/flashrom/flashrom/issues/185 https://github.com/linuxboot/heads/issues/985
+  - WP done: https://github.com/linuxboot/heads/issues/1741 https://github.com/linuxboot/heads/issues/1546
+   - Documented https://docs.dasharo.com/variants/asus_kgpe_d16/spi-wp/
+  - WP still unused
+
+Alternative, as suggested by @i-c-o-n is Chipset Platform Locking (PR0) which is enforced at platform's chipset level for a boot
+- This is implemented and enforced on <= Haswell from this PR merged : https://github.com/linuxboot/heads/pull/1373
+- Non-upstreamed work has been made from @root-hardenedvault work in vaultboot downstream fork of Heads at https://github.com/hardenedvault/vaultboot/blob/master/patches/coreboot/0001-x11.patch
+- Discussion point under flashrom-> flashprog PR under https://github.com/linuxboot/heads/pull/1769/files/f8eb0a27c3dcb17a8c6fcb85dd7f03e8513798ae#r1752395865 tagging @i-c-o-n
+
+
+Not sure what is the way forward here, but lets keep this file in tree to track improvements over time.

bin/fetch_source_archive.sh

@@ -4,6 +4,7 @@ set -eo pipefail
 # Mirror URLs, make sure these end in slashes.
 BACKUP_MIRRORS=(
 	https://storage.puri.sm/heads-packages/
+	https://storage.puri.st/heads-packages/
 )
 
 usage()

blobs/optiplex_9010/README.md

@@ -0,0 +1,16 @@
+This blobs/optiplex_9010/ifd.bin is a configuration blob, and comes from my optiplex 9010 backup.
+It was put in place with:
+
+python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/optiplex_9010/ifd.bin -M /tmp/temporary_me.bin optiplex_9010-internal_backup.rom
+./build/x86/coreboot-24.02.01/util/ifdtool/ifdtool -n blobs/optiplex_9010/layout.txt blobs/optiplex_9010/ifd.bin -O blobs/optiplex_9010/ifd.bin
+
+NOTE: We rely on blobs/optiplex_9010/layout.txt which changes the size of the ME region to match Lenovo xx30 blob used in x230 and others.
+
+----
+
+blobs/optiplex_9010/ifd_t16650.bin comes from https://codeberg.org/libreboot/lbmk/src/branch/master/config/ifd/t1650/12_ifd
+Libreboot uses xx30 ME (downloaded from Lenovo, extracted+ neutered) as well, and reuses the dell t1650 IFD for their build, which we borrowed here with:
+
+wget https://codeberg.org/libreboot/lbmk/raw/branch/master/config/ifd/t1650/12_ifd -O ifd.bin
+
+Doc: https://libreboot.org/docs/install/dell7010.html

blobs/optiplex_9010/ifd.bin

@@ -0,0 +1,4 @@
+00000000:00000fff fd
+00001000:00004fff gbe
+00005000:0001cfff me
+0001d000:00bfffff bios

blobs/optiplex_9010/ifd_t16650.bin

@@ -1 +1,4 @@
 me.bin
+IVB_BIOSAC_PRODUCTION.bin
+SNB_IVB_SINIT_20190708_PW.bin
+sch5545_ecfw.bin