add google parrot config #966

Draft: wants to merge 15 commits into base: master
48 changes: 48 additions & 0 deletions blobs/parrot/download_clean_me.sh
@@ -0,0 +1,48 @@
function printusage {
echo "Usage: $0 -m <me_cleaner>(optional)"
}

BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

if [ "$#" -eq 0 ]; then printusage; fi

while getopts ":m:" opt; do
case $opt in
m)
if [ -x "$OPTARG" ]; then
MECLEAN="$OPTARG"
fi
;;
esac
done

FINAL_ME_BIN_SHA256SUM="e985feb4a2879a99fb792f2d425c17a68ee07ba8bc0fd39a7f9eb65d8c6d5f11 $BLOBDIR/me.bin"
ME_SHA256SUM="1790fabc16afc36ab1bcfd52e10b805855d5e2a4eb96ea78781ffb60a0941928 me.bin"


if [ -z "$MECLEAN" ]; then
MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1`
if [ -z "$MECLEAN" ]; then
echo "me_cleaner.py required but not found or specified with -m. Aborting."
exit 1;
fi
fi

echo "### Creating temp dir"
extractdir=$(mktemp -d)
cd "$extractdir"

echo "### Downloading: https://github.com/coreboot/blobs/raw/master/mainboard/google/parrot/me.bin..."
wget https://github.com/coreboot/blobs/raw/353f2469be53919b6b359148469485a9040e5a8b/mainboard/google/parrot/me.bin || ( echo "ERROR: wget not found" && exit 1 )
echo "### Verifying expected hash of me.bin"
echo "$ME_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 )

echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... "
$MECLEAN -r -t -O "$BLOBDIR/me.bin" me.bin
echo "### Verifying expected hash of me.bin"
echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 )


echo "###Cleaning up..."
cd -
rm -r "$extractdir"
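Review bot: the three `|| ( echo ... && exit 1 )` fallbacks (the wget line and both `sha256sum --check` lines) never abort the script: `exit 1` inside `( ... )` only ends that subshell, so a failed download or a hash mismatch on the downloaded me.bin is printed and then `$MECLEAN -r -t -O "$BLOBDIR/me.bin" me.bin` runs anyway on whatever landed in the temp dir, and a final-hash failure likewise falls through to the cleanup. Use `{ echo "..."; exit 1; }` (or `set -e` at the top) so the hash checks actually gate the output. Smaller points: `$bioscopy` in the "Applying me_cleaner" echo is never assigned; there is no `#!/bin/bash` shebang although `BASH_SOURCE` needs bash; the "Downloading" echo prints the master URL while wget correctly pins commit 353f2469be53919b6b359148469485a9040e5a8b, so the message should show the pinned URL; and the wget fallback reports "wget not found" for any download failure, not only a missing binary.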
Binary file added blobs/parrot/ifd_shrinked.bin
Binary file not shown.
53 changes: 53 additions & 0 deletions boards/Parrot/Parrot.config
@@ -0,0 +1,53 @@
# Configuration for a Parrot running Qubes and other OSes
#
Collaborator

A note here on how you obtained and reproduced the shrinked ifd would be helpful for people wanting to reproduce.

Collaborator

@gompa would still be required!

# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
Collaborator

doesn't match coreboot config line

# dropbear support(ssh client/server)
# e1000e (ethernet driver)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.13
export CONFIG_LINUX_VERSION=5.4.69

CONFIG_COREBOOT_CONFIG=config/coreboot-parrot.config
CONFIG_LINUX_CONFIG=config/linux-parrot_common.config

CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y

#CONFIG_SLANG=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y

CONFIG_LINUX_USB=y

#SSH client/server
CONFIG_DROPBEAR=n
#Ethernet driver (Heads only)
CONFIG_LINUX_E1000E=n
Collaborator
@tlaurion tlaurion Jan 29, 2021

Haven't checked the specs of platform but no GBE in rom means that creating a full rom like we do here with ME and ifd results in the equivalent of a maximized board.

Putting ME and creating an expanded ifd taking advantage of the freed space means that the IFD put into repo is unlocked with ifdtool. Is that the case? If so it should be documented properly, stating how the result was obtained.

If such, the flashrom upgrade line into board config should remove --ifd --image BIOS as in maximized boards configs

Question is: you were successful flashing it externally with ifd and ME included in coreboot image? If there is no Ethernet port (I read eth0 somewhere... No need for a gbe blob?), and then no GBE region needed here, then it is candidate for maximized board and the flash options below should be changed accordingly. If there is eth0, it's not e1000e based?

Otherwise, if IFD was not unlocked (for some reason) and we do not want to be able to upgrade ME later on or reflash whole SPI region internally, leave it be with specifying --ifd --image BIOS below. This means that on future internal firmware upgrades, only the BIOS region (fixed in both ifd provided matching CBFS_REGION in coreboot config) will be modifiable. If ME is upgraded in repo later on, and IFD was not unlocked, it means that external reflashing would be required to write ifd, ME changing size.

Author

> Question is: you were successful flashing it externally with ifd and ME included in coreboot image? If there is no Ethernet port (I read eth0 somewhere... No need for a gbe blob?), and then no GBE region needed here, then it is candidate for maximized board and the flash options below should be changed accordingly. If there is eth0, it's not e1000e based?

yeah I was successful flashing it externally, first time I flashed it internally I "bricked" it. (probably locked ifd)
the NIC is a tg3 Broadcom card and I don't think it needs a GbE blob

> Otherwise, if IFD was not unlocked (for some reason) and we do not want to be able to upgrade ME later on or reflash whole SPI region internally, leave it be with specifying --ifd --image BIOS below. This means that on future internal firmware upgrades, only the BIOS region (fixed in both ifd provided matching CBFS_REGION in coreboot config) will be modifiable. If ME is upgraded in repo later on, and IFD was not unlocked, it means that external reflashing would be required to write ifd, ME changing size.

the ifd is not unlocked mostly because I forgot to unlock it and flashed it externally, I could unlock it? I don't know what's preferred

Collaborator

@gompa: Other boards (non maximized) take into consideration that blobs are extracted from backups (could be another script called extract, as in x230 maximized blobs dir), where the script calls ifdtool -u by default, where the user can decide for himself to not unlock it.

If the goal is to have maintained fwupd board, where a new commit of Heads could lead to new ME bin in coreboot in newer coreboot version, then only unlocked ifd with corrected new maximized free space + updated ME (from unlocked region) would permit such upgrade. (Code is pending review under QubesOS and FWUPD as of right now, where helper script will need to be developed under Heads to verify and ask user to flash on later version.)

Not unlocking ifd means that the board config would need to stay as is only specifying BIOS to be flashable, where future ME upgrade (if that is even a thing, I have not researched this board at all) would require the board to be externally reflashed. Is there a screw that needs to be unscrewed to flash SPI? I have no idea here, so I leave you the choice of implementation.

In any case, if we want a fully upgradeable ROM from fwupd, it would need ifd to be unlocked.
There is no consensus on this as of now and there were debates on the subject before around, if you look. My opinion is that IFD should be unlocked so whole SPI can be inspected/upgraded.
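The thread above turns on two facts about ifd_shrinked.bin that nobody can read off a binary blob: whether the host master is allowed to write every region (what `ifdtool -u` produces, and what a full-SPI internal reflash needs) and whether the BIOS region is exactly the CBFS size coreboot is built for. The Python below is added here as an illustration, not code from this PR, from Heads or from ifdtool; it parses an IFD v1 descriptor (the Sandy/Ivy Bridge layout Parrot uses) and answers both questions, on descriptor bytes it constructs itself rather than a dump from any board.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A
# FLREG table order in an IFD v1 descriptor (Sandy/Ivy Bridge boards such as Parrot).
REGIONS = ("Descriptor", "BIOS", "ME", "GbE", "Platform")

def flreg(base: int, limit: int) -> int:
    """Encode a region as FLREGn: base in bits 0-14, limit in bits 16-30, 4 KiB units."""
    return (base >> 12) | ((limit >> 12) << 16)

def parse_ifd(rom: bytes) -> dict:
    """Return the region map and the host master's (FLMSTR1) read/write bitmasks."""
    if struct.unpack_from("<I", rom, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", rom, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # region section base
    fmba = (flmap1 & 0xFF) << 4                  # master section base
    regions = {}
    for i, name in enumerate(REGIONS):
        val = struct.unpack_from("<I", rom, frba + 4 * i)[0]
        base = (val & 0x7FFF) << 12
        limit = (((val >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit > base:                         # base > limit marks an unused region
            regions[name] = (base, limit)
    flmstr1 = struct.unpack_from("<I", rom, fmba)[0]
    return {"regions": regions, "host_read": (flmstr1 >> 16) & 0xFF,
            "host_write": (flmstr1 >> 24) & 0xFF}

def review(rom: bytes, cbfs_size: int) -> dict:
    """Which regions the host (flashrom -p internal) may write, and whether BIOS == CONFIG_CBFS_SIZE."""
    ifd = parse_ifd(rom)
    writable = [n for i, n in enumerate(REGIONS)
                if n in ifd["regions"] and (ifd["host_write"] >> i) & 1]
    lo, hi = ifd["regions"]["BIOS"]
    return {"host_writable": writable,
            "full_spi_internal_flash": sorted(writable) == sorted(ifd["regions"]),
            "bios_matches_cbfs": hi - lo + 1 == cbfs_size}

def sample_descriptor(flmstr1: int, bios_base: int, flash_size: int) -> bytes:
    """Constructed 4 KiB descriptor (not a board dump): Descriptor, ME, BIOS; GbE/Platform unused."""
    d = bytearray(0x1000)
    struct.pack_into("<I", d, 0x10, IFD_SIGNATURE)
    frba, fmba = 0x40, 0x60
    struct.pack_into("<II", d, 0x14, (frba >> 4) << 16, fmba >> 4)
    table = (flreg(0, 0xFFF), flreg(bios_base, flash_size - 1),
             flreg(0x1000, bios_base - 1), 0x00000FFF, 0x00000FFF)  # 0xFFF = unused
    struct.pack_into("<5I", d, frba, *table)
    struct.pack_into("<I", d, fmba, flmstr1)
    return bytes(d)
```

A locked vendor-style host word such as 0x0A0B0000 (host writes BIOS and GbE only) yields `host_writable == ["BIOS"]`, which is exactly the case where only `--ifd --image bios` can be flashed internally; 0xFFFF0000, the value `ifdtool -u` writes for the host master, makes every present region writable.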


export CONFIG_TPM=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
export CONFIG_BOOT_KERNEL_REMOVE="quiet"
export CONFIG_BOOT_DEV="/dev/sda2"
export CONFIG_BOARD_NAME="Parrot"
export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
Collaborator
@tlaurion tlaurion Jan 29, 2021

Change to "--force --noverify-all -p internal" if BIOS image is complete, and no GBE is needed (so that we can internally reflash everything from within Heads, the whole SPI flash; not just the BIOS region).

If GBE image needed, another extraction script needs to be put in blobs directory, so that the user has to run it to extract his GBE from original rom backup, and coreboot config needs to depend on it.

Otherwise, we have another maximized board, where CBFS region should be reviewed in coreboot config, and ifd reviewed one last time to make sure that BIOS region is taking all the space left from ME, considering your ifd is unlocked with ifdtool and the documentation is added into board config to replicate what you have done to be able to provide such ifd. (See x230-maximized blobs dir documentation for example)

Collaborator
@tlaurion tlaurion Jan 29, 2021

On X230, the absence of GBE makes the initialization of the ethernet card impossible, since the MAC address is defined under GBE blob. That is why I ask so many questions about it... And to document this board's PR so others can review steps needed to produce a functional port inside of Heads. #700

Thanks for your contribution!


# This board has one SPI flash chip an 8 MB that holds the IFD,
# the ME image and part of the coreboot image and bios
#
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing
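Review bot: the header comment says dropbear and e1000e were deactivated to fit `CONFIG_CBFS_SIZE=0x700000`, but config/coreboot-parrot.config in this same PR sets `CONFIG_CBFS_SIZE=0x780000`; make the two agree. The hunk also ships `blobs/parrot/ifd_shrinked.bin` with no note on how it was produced (source dump, ifdtool invocation, whether `-u` was applied), yet `CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"` relies on that IFD's BIOS region matching the CBFS size and on the host being permitted to write it; add those steps to the header, as the x230-maximized blobs directory does, and revisit the flashrom options once the unlock question in the thread is settled. The trailing comment block also needs rewording ("one SPI flash chip an 8 MB that holds" reads as "one 8 MB SPI flash chip that holds") and the two bare `#` lines between the paragraphs can go.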
18 changes: 18 additions & 0 deletions config/coreboot-parrot.config
@@ -0,0 +1,18 @@
CONFIG_TPM_MEASURED_BOOT=y
CONFIG_VENDOR_GOOGLE=y
CONFIG_BOARD_GOOGLE_PARROT=y
CONFIG_CBFS_SIZE=0x780000
CONFIG_BOARD_GOOGLE_PARROT=y
CONFIG_IFD_BIN_PATH="../../blobs/parrot/ifd_shrinked.bin"
CONFIG_ME_BIN_PATH="../../blobs/parrot/me.bin"
CONFIG_NATIVE_RAMINIT_IGNORE_MAX_MEM_FUSES=y
CONFIG_NO_POST=y
CONFIG_TPM_RDRESP_NEED_DELAY=y
CONFIG_UART_PCI_ADDR=0
CONFIG_NO_GFX_INIT=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
Contributor
@MrChromebox MrChromebox Mar 23, 2021

CONFIG_UART_PCI_ADDR=0
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y

these aren't needed

CONFIG_BOARD_GOOGLE_PARROT=y

is duplicated

# CONFIG_DRIVERS_UART_8250IO is not set

should be added

CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="../../build/Parrot/bzImage"
CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
CONFIG_LINUX_INITRD="../../build/Parrot/initrd.cpio.xz"
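Review bot: `CONFIG_BOARD_GOOGLE_PARROT=y` appears twice in this hunk; drop the second copy. `CONFIG_CBFS_SIZE=0x780000` here disagrees with the `CONFIG_CBFS_SIZE=0x700000` quoted in the boards/Parrot/Parrot.config header comment, and because the board flashes with `--ifd --image bios` this value has to equal the BIOS region size carved out in ifd_shrinked.bin, so state which figure is right and document how it was derived. As raised in the thread, `CONFIG_UART_PCI_ADDR=0`, `CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000` and `CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y` are not needed, while `# CONFIG_DRIVERS_UART_8250IO is not set` should be added.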