Merge pull request #2007 from gaspar-ilom/coreboot-25-09

Bump coreboot to 25.09

Author: tlaurion

.circleci/config.yml

@@ -195,7 +195,7 @@ jobs:
             - build/ppc64/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c
             - build/x86/coreboot-4.11
             - build/x86/coreboot-24.02.01
-            - build/x86/coreboot-24.12
+            - build/x86/coreboot-25.09
             - build/x86/coreboot-dasharo
             - build/x86/coreboot-purism
             - build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c
@@ -253,7 +253,7 @@ workflows:
           requires:
             - novacustom-nv4x_adl
 
-      # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
+      # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
       - build_and_persist:
           name: EOL_t480-hotp-maximized
           target: EOL_t480-hotp-maximized
@@ -286,7 +286,7 @@ workflows:
             - EOL_t480-hotp-maximized
 
       # Those onboarding new boards should add their entries below.
-      # coreboot 24.12 boards
+      # coreboot 25.09 boards
       - build:
           name: EOL_x220-hotp-maximized
           target: EOL_x220-hotp-maximized
@@ -330,29 +330,29 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_optiplex-7010_9010-maximized
-          target: EOL_optiplex-7010_9010-maximized
+          name: EOL_UNTESTED_optiplex-7010_9010-maximized
+          target: EOL_UNTESTED_optiplex-7010_9010-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_optiplex-7010_9010-hotp-maximized
-          target: EOL_optiplex-7010_9010-hotp-maximized
+          name: EOL_UNTESTED_optiplex-7010_9010-hotp-maximized
+          target: EOL_UNTESTED_optiplex-7010_9010-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_optiplex-7010_9010_TXT-maximized
-          target: EOL_optiplex-7010_9010_TXT-maximized
+          name: EOL_UNTESTED_optiplex-7010_9010_TXT-maximized
+          target: EOL_UNTESTED_optiplex-7010_9010_TXT-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_optiplex-7010_9010_TXT-hotp-maximized
-          target: EOL_optiplex-7010_9010_TXT-hotp-maximized
+          name: EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized
+          target: EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -386,8 +386,8 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_w530-hotp-maximized
-          target: EOL_w530-hotp-maximized
+          name: EOL_UNTESTED_w530-hotp-maximized
+          target: EOL_UNTESTED_w530-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -400,8 +400,8 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_w530-maximized
-          target: EOL_w530-maximized
+          name: EOL_UNTESTED_w530-maximized
+          target: EOL_UNTESTED_w530-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -435,15 +435,15 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_w541-maximized
-          target: EOL_UNTESTED_w541-maximized
+          name: EOL_w541-maximized
+          target: EOL_w541-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_w541-hotp-maximized
-          target: EOL_UNTESTED_w541-hotp-maximized
+          name: EOL_w541-hotp-maximized
+          target: EOL_w541-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -456,15 +456,15 @@ workflows:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_z220-cmt-maximized
-          target: EOL_UNTESTED_z220-cmt-maximized
+          name: EOL_z220-cmt-maximized
+          target: EOL_z220-cmt-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
       - build:
-          name: EOL_UNTESTED_z220-cmt-hotp-maximized
-          target: EOL_UNTESTED_z220-cmt-hotp-maximized
+          name: EOL_z220-cmt-hotp-maximized
+          target: EOL_z220-cmt-hotp-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
@@ -527,7 +527,7 @@ workflows:
           requires:
             - librem_14
 
-      # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
+      # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
       - build:
           name: EOL_t480-maximized
           target: EOL_t480-maximized

Makefile

@@ -72,7 +72,12 @@ $(info !!!!!! Build starts !!!!!!)
 DATE=`date --rfc-3339=seconds`
 
 BOARD		?= qemu-coreboot-fbwhiptail-tpm1
+
+ifeq "y" "$(shell [[ $(BOARD) =~ (^EOL_|^)UNMAINTAINED_.* ]] && echo y)""
+CONFIG		:= $(pwd)/unmaintained_boards/$(BOARD)/$(BOARD).config
+else
 CONFIG		:= $(pwd)/boards/$(BOARD)/$(BOARD).config
+endif
 
 ifneq "y" "$(shell [ -r '$(CONFIG)' ] && echo y)"
 $(error $(CONFIG): board configuration does not exist)
@@ -907,7 +912,7 @@ $(board_build)/$(CB_OUTPUT_BASENAME)-gpg-injected.rom: $(board_build)/$(CB_OUTPU
 
 board.move_untested_to_tested:
 	@echo "Moving $(BOARD) from UNTESTED to tested status"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_//'); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNTESTED_/\1/'); \
 	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
 	NEW_INCLUDE_BOARD=$$(echo $$INCLUDE_BOARD | sed 's/^UNTESTED_//'); \
 	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \
@@ -923,11 +928,12 @@ board.move_untested_to_tested:
 
 board.move_unmaintained_to_tested:
 	@echo "NEW_BOARD variable will remove UNMAINTAINED_ prefix from $(BOARD)"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNMAINTAINED_//'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
-	git mv boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNMAINTAINED_/\1/'); \
+	echo "Renaming unmaintained_boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
+	mkdir -p boards/$$BOARD; \
+	git mv unmaintained_boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
 	echo "Renaming boards/$$BOARD to boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
+	rm -rf boards/$$NEW_BOARD unmaintained_boards/$$BOARD; \
 	git mv boards/$$BOARD boards/$$NEW_BOARD; \
 	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml"; \
 	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml; \
@@ -936,19 +942,19 @@ board.move_unmaintained_to_tested:
 
 board.move_untested_to_unmaintained:
 	@echo "NEW_BOARD variable will move from UNTESTED_ to UNMAINTAINED_ from $(BOARD)"
-	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_/UNMAINTAINED_/g'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)UNTESTED_/\1UNMAINTAINED_/'); \
+	echo "Renaming boards/$$BOARD to unmaintained_boards/$$NEW_BOARD"; \
 	mkdir -p unmaintained_boards; \
-	git mv boards/$$BOARD/$$BOARD.config unmaintained_boards/$$BOARD/$$NEW_BOARD.config; \
-	echo "Renaming boards/$$BOARD to unmaintainted_boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
 	git mv boards/$$BOARD unmaintained_boards/$$NEW_BOARD; \
+	echo "Renaming unmaintained_boards/$$NEW_BOARD/$$BOARD.config to unmaintained_boards/$$NEW_BOARD/$$NEW_BOARD.config"; \
+	rm -rf boards/$$NEW_BOARD; \
+	git mv unmaintained_boards/$$NEW_BOARD/$$BOARD.config unmaintained_boards/$$NEW_BOARD/$$NEW_BOARD.config; \
 	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml. Delete manually entries"; \
 	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml
 
 board.move_tested_to_untested:
 	@echo "NEW_BOARD variable will add UNTESTED_ prefix to $(BOARD)"
-	@NEW_BOARD=UNTESTED_$(BOARD); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)/\1UNTESTED_/'); \
 	rm -rf boards/$${NEW_BOARD}; \
 	echo "Renaming boards/$(BOARD)/$(BOARD).config to boards/$(BOARD)/$${NEW_BOARD}.config"; \
 	git mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
@@ -970,7 +976,7 @@ board.move_tested_to_EOL:
 
 board.move_tested_to_unmaintained:
 	@echo "Moving $(BOARD) from tested to unmaintained status"
-	@NEW_BOARD=UNMAINTAINED_$(BOARD); \
+	@NEW_BOARD=$$(echo $(BOARD) | sed -E 's/(^EOL_|^)/\1UNMAINTAINED_/'); \
 	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
 	NEW_INCLUDE_BOARD=UNMAINTAINED_$${INCLUDE_BOARD}; \
 	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \

blobs/w541/README.md

@@ -8,6 +8,7 @@
 Coreboot on the W541 requires the following binary blobs:
 
 - `mrc.bin` - Consists of Intel’s Memory Reference Code (MRC) and [is used to initialize the DRAM](https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html).
+  - Known issues with ram initilization are listed below.
 - `me.bin` - Consists of Intel’s Management Engine (ME), which we modify using [me_cleaner](https://github.com/corna/me_cleaner) to remove all but the modules which are necessary for the CPU to function.
 - `gbe.bin` - Consists of hardware/software configuration data for the Gigabit Ethernet (GbE) controller. Intel publishes the data structure [here](https://web.archive.org/web/20230122164346/https://www.intel.com/content/dam/www/public/us/en/documents/design-guides/i-o-controller-hub-8-9-nvm-map-guide.pdf), and an [ImHex](https://github.com/WerWolv/ImHex) hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_lan_nvm.hexpat).
 - `ifd.bin` - Consists of the Intel Flash Descriptor (IFD). Intel publishes the data structure [here](https://web.archive.org/web/20221208011432/https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/io-controller-hub-8-datasheet.pdf), and an ImHex hex editor pattern is available [here](https://github.com/rbreslow/ImHex-Patterns/blob/rb/intel-ich8/patterns/intel/ich8_flash_descriptor.hexpat).
@@ -38,3 +39,7 @@ Now, you can rebuild Heads:
 ```console
 $ make BOARD=w541-hotp-maximized
 ```
+
+# Known Issues
+- Ram initialization with the MRC blob is very slow (~40s until boot splash) and so far native ram init (NRI) which was merged upstream has not been able to resolve the issue under heads. Work on HRI is tracked here: https://github.com/linuxboot/heads/pull/1923
+- S3 resume from suspend has been reported as flaky on some boards (4 DIMMs with a total of 32GB ram).

blobs/xx80/README.md

@@ -7,9 +7,10 @@ The following blobs are needed:
 * `me.bin`
 * `tb.bin` (optional but recommended flashing this blob to the separate Thunderbolt SPI chip to fix a bug in the original firmware)
 
-## me.bin: automatically extract, neuter and deguard
+## me.bin: automatically extract, deactivate, partially neuter and deguard
 
-download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin
+download_clean_deguard_me_pad_tb.sh : Download vulnerable ME from Dell, verify checksum, extract ME, deactivate ME and paritally neuter it, then apply the deguard patch and place it into me.bin.
+For the technical details please read the documentation in the script itself, as removing modules is limited on the platform.
 
 The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
 
@@ -31,7 +32,7 @@ The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC`
 ## tb.bin
 
 This blob was extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
-It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T430-maximized-flashing/
+It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T480-maximized-flashing/
 
 ## Integrity
 
@@ -50,4 +51,6 @@ See the board configs `boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config
 # Documentation
 
 A guide on how to flash this board (both the Heads rom and the Thunderbolt `tb.bin` blob) can be found here:
-https://osresearch.net/T430-maximized-flashing/
+https://osresearch.net/T480-maximized-flashing/
+
+The upstream documentation is available here. It includes a list of known issues: https://doc.coreboot.org/mainboard/lenovo/t480.html

blobs/xx80/download_clean_deguard_me_pad_tb.sh

@@ -71,14 +71,17 @@ function download_and_clean() {
 
 	extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin"
 
-	# Neutralize and shrink Intel ME. Note that this doesn't include
+	# Deactivate, partially neuter and shrink Intel ME. Note that this doesn't include
 	# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
 	# High Assurance Program) bits, as they are defined within the Flash
 	# Descriptor.
 	# However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function.
+	# For ME 11.x this means we must keep the rbe, bup, kernel and syslib modules.
+	# https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F#me-versions-from-11x-skylake-1
+	# Furthermore, deguard requires keeping the MFS, the HAP bit set, and we cannot relocate the FTPR partition.
+	# Some more general info on shrinking:
 	# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
 
-	# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
 	python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}"
 	rm -rf ./*
 	popd || exit

…optiplex-7010_9010-hotp-maximized.config …optiplex-7010_9010-hotp-maximized.configboards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010-hotp-maximized/EOL_UNTESTED_optiplex-7010_9010-hotp-maximized.config boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010-hotp-maximized/EOL_UNTESTED_optiplex-7010_9010-hotp-maximized.config

@@ -8,7 +8,7 @@
 #
 # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_COREBOOT_VERSION=25.09
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config

…/EOL_optiplex-7010_9010-maximized.config …STED_optiplex-7010_9010-maximized.configboards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010-maximized/EOL_UNTESTED_optiplex-7010_9010-maximized.config boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010-maximized/EOL_UNTESTED_optiplex-7010_9010-maximized.config

@@ -8,7 +8,7 @@
 #
 # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_COREBOOT_VERSION=25.09
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config

…plex-7010_9010_TXT-hotp-maximized.config …plex-7010_9010_TXT-hotp-maximized.configboards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized/EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized.config boards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized/EOL_UNTESTED_optiplex-7010_9010_TXT-hotp-maximized.config

@@ -8,7 +8,7 @@
 #
 # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_COREBOOT_VERSION=25.09
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config

…_optiplex-7010_9010_TXT-maximized.config …_optiplex-7010_9010_TXT-maximized.configboards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010_TXT-maximized/EOL_UNTESTED_optiplex-7010_9010_TXT-maximized.config boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config renamed to boards/EOL_UNTESTED_optiplex-7010_9010_TXT-maximized/EOL_UNTESTED_optiplex-7010_9010_TXT-maximized.config

@@ -8,7 +8,7 @@
 #
 # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_COREBOOT_VERSION=25.09
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config

boards/EOL_UNTESTED_t440p-hotp-maximized/EOL_UNTESTED_t440p-hotp-maximized.config

@@ -5,7 +5,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-t440p.config
 CONFIG_LINUX_CONFIG=config/linux-t440p.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_COREBOOT_VERSION=25.09
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y