t480s port

.circleci/config.yml

@@ -102,7 +102,8 @@ jobs:
       - run:
           name: Download, neuter and deguard xx80 ME (keep generated GBE and extracted IFD in tree)
           command: |
-            ./blobs/xx80/download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/
+            ./blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/
+            ./blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/
       - run:
           name: Download and extract t530 vbios roms for dgpu boards
           command: |
@@ -527,14 +528,28 @@ workflows:
           requires:
             - librem_14
 
-      # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache
+      # t480 is based on 25.09 coreboot release
       - build:
           name: EOL_t480-maximized
           target: EOL_t480-maximized
           subcommand: ""
           requires:
             - EOL_t480-hotp-maximized
 
+      - build:
+          name: EOL_t480s-hotp-maximized
+          target: EOL_t480s-hotp-maximized
+          subcommand: ""
+          requires:
+            - EOL_t480-hotp-maximized
+
+      - build:
+          name: EOL_t480s-maximized
+          target: EOL_t480s-maximized
+          subcommand: ""
+          requires:
+            - EOL_t480-hotp-maximized
+
       # dasharo release, share 24.02.01 utils/crossgcc
       - build:
           name: UNTESTED_nitropad-ns50
@@ -543,7 +558,7 @@ workflows:
           requires:
             - novacustom-nv4x_adl
 
-      #NovaCustom v56 boards are based on coreboot 24.02.01 fork, so depend on x230
+      #NovaCustom v56 boards are based on coreboot 24.02.01 fork, so depend on nv4x_adl
       - build:
           name: novacustom-v560tu
           target: novacustom-v560tu

BOARDS_AND_TESTERS.md

@@ -60,6 +60,7 @@ xx4x (Haswell: Intel 4th Gen CPU)
 xx8x (Kaby Lake Refresh: Intel 8th Gen Mobile : ESU ended 12/31/2024)
 ===
 - [ ] t480: @gaspar-ilom @doritos4mlady @MattClifton76 @notgivenby @akunterkontrolle
+- [ ] t480s: @thickfont @kjkent @HarleyGodfrey @nestire
 
 Librem
 ===

blobs/xx30/optiplex_7010_9010.sh

@@ -32,15 +32,15 @@ if [[ ! -f "${output_dir}/IVB_BIOSAC_PRODUCTION.bin" ]] || [[ ! -f "${output_dir
     mv IVB_BIOSAC_PRODUCTION.bin "${output_dir}/"
 
     #Download sinit
+    if wget https://dl.3mdeb.com/mirror/intel/acm/SNB_IVB_SINIT_20190708_PW.bin -O "${output_dir}/SNB_IVB_SINIT_20190708_PW.bin"; then
+      # As per https://github.com/Dasharo/dasharo-issues/issues/1283#issuecomment-3178940096 : use 3mdeb's intel mirror for sinit blob
+      popd || exit
     # Original URL got rid of needed file, keeping original URL. Let's use archive.org
     #wget https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip
-    if wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip; then
+    elif wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip; then
       unzip sinit.zip
       mv 630744_002/SNB_IVB_SINIT_20190708_PW.bin "${output_dir}/"
       popd || exit
-    elif wget https://dl.3mdeb.com/mirror/intel/acm/SNB_IVB_SINIT_20190708_PW.bin -O "${output_dir}/SNB_IVB_SINIT_20190708_PW.bin"; then
-      # As per https://github.com/Dasharo/dasharo-issues/issues/1283#issuecomment-3178940096 : use 3mdeb's intel mirror for sinit blob
-      popd || exit
     else
       echo "Can't download sinit blob, failing"
       exit 1

blobs/xx80/.gitignore

@@ -1,2 +1,6 @@
 me.bin
 tb.bin
+t480_tb.bin
+t480s_tb.bin
+t480_me.bin
+t480s_me.bin

blobs/xx80/hashes.txt

@@ -1,4 +1,10 @@
-d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642  gbe.bin
-f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf  ifd.bin
-1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b  me.bin
-fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388  tb.bin
+#T480:
+1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b  t480_me.bin
+fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388  t480_tb.bin
+d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642  t480_gbe.bin
+f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf  t480_ifd.bin
+#T480s:
+7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b  t480s_me.bin
+b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119  t480s_tb.bin
+caf6393cd5c4ff305b677f50c258658710c42439080868c1fb8ea7584cffb204  t480s_ifd.bin
+36be39ecd0d06fa3f7893ca2746f702271c46b75de52bc599467a058bab8e271  t480s_gbe.bin

blobs/xx80/download_clean_deguard_me_pad_tb.sh → blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh

@@ -82,6 +82,7 @@ function download_and_clean() {
 	# Some more general info on shrinking:
 	# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
 
+	# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
 	python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}"
 	rm -rf ./*
 	popd || exit
@@ -171,8 +172,8 @@ function parse_params() {
 		usage_err "No valid output dir found"
 	fi
 	me_cleaned="${output_dir}/me_cleaned.bin"
-	me_deguarded="${output_dir}/me.bin"
-	tb_flashable="${output_dir}/tb.bin"
+	me_deguarded="${output_dir}/t480_me.bin"
+	tb_flashable="${output_dir}/t480_tb.bin"
 	echo "Writing cleaned and deguarded ME to ${me_deguarded}"
 	echo "Writing flashable TB to ${tb_flashable}"
 }

blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh

@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+
+# These variables are all for the deguard tool.
+# They would need to be changed if using the tool for other devices like the T480s or with a different ME version...
+ME_delta="thinkpad_t480s"
+ME_version="11.6.0.1126"
+ME_sku="2M"
+ME_pch="LP"
+
+# Thunderbolt firmware offset in bytes to pad to 1M
+TBFW_SIZE=1048575
+
+# Integrity checks for the vendor provided ME blob...
+ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0"
+# ...and the cleaned and deguarded version from that blob.
+DEGUARDED_ME_BIN_HASH="7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b"
+# Integrity checks for the vendor provided Thunderbolt blob...
+TB_DOWNLOAD_HASH="090d0085af4a20bcdfba8a75f1bce735ff80afbfea968bbe276a80a0c4c18706"
+# ...and the padded and flashable version from that blob.
+TB_BIN_HASH="b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119"
+
+
+function usage() {
+	echo -n \
+		"Usage: $(basename "$0") -m <me_cleaner>(optional) path_to_output_directory
+Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS.
+Download Thunderbolt firmware from Lenovo and pad it for flashing externally.
+"
+}
+
+function chk_sha256sum() {
+	sha256_hash="$1"
+	filename="$2"
+	echo "$sha256_hash" "$filename" "$(pwd)"
+	sha256sum "$filename"
+	if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then
+		echo "ERROR: SHA256 checksum for ${filename} doesn't match."
+		exit 1
+	fi
+}
+
+function chk_exists_and_matches() {
+	if [[ -f "$1" ]]; then
+		if echo "${2} ${1}" | sha256sum --check; then
+			echo "SKIPPING: SHA256 checksum for $1 matches."
+			[[ "$3" = ME ]] && me_exists="y"
+			[[ "$3" = TB ]] && tb_exists="y"
+		fi
+		echo "$1 exists but checksum doesn't match. Continuing..."
+	fi
+}
+
+function download_and_clean() {
+	me_cleaner="$(realpath "${1}")"
+	me_output="$(realpath "${2}")"
+
+	# Download and unpack the Dell installer into a temporary directory and
+	# extract the deguardable Intel ME blob.
+	pushd "$(mktemp -d)" || exit
+
+	# Download the installer that contains the ME blob
+	me_installer_filename="Inspiron_5468_1.3.0.exe"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+	curl -A "$user_agent" -s -O "https://dl.dell.com/FOLDER04573471M/1/${me_installer_filename}"
+	chk_sha256sum "$ME_DOWNLOAD_HASH" "$me_installer_filename"
+
+	# Download the tool to unpack Dell's installer and unpack the ME blob.
+	git clone https://github.com/platomav/BIOSUtilities
+	git -C BIOSUtilities checkout ef50b75ae115ae8162fa8b0a7b8c42b1d2db894b
+
+	python "BIOSUtilities/Dell_PFS_Extract.py" "${me_installer_filename}" -e || exit
+
+	extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin"
+
+	# Deactivate, partially neuter and shrink Intel ME. Note that this doesn't include
+	# --soft-disable to set the "ME Disable" or "ME Disable B" (e.g.,
+	# High Assurance Program) bits, as they are defined within the Flash
+	# Descriptor.
+	# However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function.
+	# For ME 11.x this means we must keep the rbe, bup, kernel and syslib modules.
+	# https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F#me-versions-from-11x-skylake-1
+	# Furthermore, deguard requires keeping the MFS, the HAP bit set, and we cannot relocate the FTPR partition.
+	# Some more general info on shrinking:
+	# https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot
+
+	# MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition
+	python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}"
+	rm -rf ./*
+	popd || exit
+}
+
+function deguard() {
+	me_input="$(realpath "${1}")"
+	me_output="$(realpath "${2}")"
+
+	# Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob.
+	pushd "$(mktemp -d)" || exit
+	git clone https://github.com/coreboot/deguard
+	pushd deguard || exit
+	git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2
+
+	python ./finalimage.py \
+		--delta "data/delta/$ME_delta" \
+		--version "$ME_version" \
+		--pch "$ME_pch" \
+		--sku "$ME_sku" \
+		--fake-fpfs data/fpfs/zero \
+		--input "$me_input" \
+		--output "$me_output"
+
+	popd || exit
+	#Cleanup
+	rm -rf ./*
+	popd || exit
+}
+
+function download_and_pad_tb() {
+	tb_output="$(realpath "${1}")"
+
+	# Download and unpack the Lenovo installer into a temporary directory and
+	# extract the TB blob.
+	pushd "$(mktemp -d)" || exit
+
+	# Download the installer that contains the T480s TB blob
+	tb_installer_filename=""n22th11w.exe""
+	user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+	curl -A "$user_agent" -s -O "https://download.lenovo.com/pccbbs/mobiles/${tb_installer_filename}"
+	chk_sha256sum "$TB_DOWNLOAD_HASH" "$tb_installer_filename"
+
+	# https://www.reddit.com/r/thinkpad/comments/9rnimi/ladies_and_gentlemen_i_present_to_you_the/
+	innoextract n22th11w.exe -d .
+	mv ./code\$GetExtractPath\$/TBT.bin tb.bin
+	# pad with zeros
+	dd if=/dev/zero of=tb.bin bs=1 seek="$TBFW_SIZE" count=1
+	mv "tb.bin" "$tb_output"
+
+	rm -rf ./*
+	popd || exit
+}
+
+function usage_err() {
+	echo "$1"
+	usage
+	exit 1
+}
+
+function parse_params() {
+	while getopts ":m:" opt; do
+		case $opt in
+		m)
+			if [[ -x "$OPTARG" ]]; then
+				me_cleaner="$OPTARG"
+			fi
+			;;
+		?)
+			usage_err "Invalid Option: -$OPTARG"
+			;;
+		esac
+	done
+
+	if [[ -z "${me_cleaner}" ]]; then
+		if [[ -z "${COREBOOT_DIR}" ]]; then
+			usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable."
+		else
+			me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py"
+		fi
+	fi
+	echo "Using me_cleaner from ${me_cleaner}"
+
+	shift $(($OPTIND - 1))
+	output_dir="$(realpath "${1:-./}")"
+	if [[ ! -d "${output_dir}" ]]; then
+		usage_err "No valid output dir found"
+	fi
+	me_cleaned="${output_dir}/me_cleaned.bin"
+	me_deguarded="${output_dir}/t480s_me.bin"
+	tb_flashable="${output_dir}/t480s_tb.bin"
+	echo "Writing cleaned and deguarded ME to ${me_deguarded}"
+	echo "Writing flashable TB to ${tb_flashable}"
+}
+
+if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
+	if [[ "${1:-}" == "--help" ]]; then
+		usage
+		exit 0
+	fi
+
+	parse_params "$@"
+	chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME
+	chk_exists_and_matches "$tb_flashable" "$TB_BIN_HASH" TB
+
+	if [[ -z "$me_exists" ]]; then
+		download_and_clean "$me_cleaner" "$me_cleaned"
+		deguard "$me_cleaned" "$me_deguarded"
+		rm -f "$me_cleaned"
+	fi
+
+	if [[ -z "$tb_exists" ]]; then
+		download_and_pad_tb "$tb_flashable"
+	fi
+
+	chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded"
+	chk_sha256sum "$TB_BIN_HASH" "$tb_flashable"
+fi

boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config

@@ -97,4 +97,4 @@ export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized"
 export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-BOARD_TARGETS := xx80_me_blobs
+BOARD_TARGETS := t480_me_blobs

boards/EOL_t480-maximized/EOL_t480-maximized.config

@@ -97,4 +97,4 @@ export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad T480-maximized"
 export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-BOARD_TARGETS := xx80_me_blobs
+BOARD_TARGETS := t480_me_blobs