From d48a9e17ec564063bf3b08ca116631006e4496cb Mon Sep 17 00:00:00 2001 From: thickfont Date: Wed, 30 Apr 2025 06:35:25 +0000 Subject: [PATCH 01/14] Blobs: pulled from libreboot - gbe blob has mac address modifed - source: https://codeberg.org/libreboot/lbmk/src/branch/master/config/ifd/t480s Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- blobs/xx80/hashes.txt | 2 ++ blobs/xx80/t480s_gbe.bin | Bin 0 -> 8192 bytes blobs/xx80/t480s_ifd.bin | Bin 0 -> 4096 bytes 3 files changed, 2 insertions(+) create mode 100644 blobs/xx80/t480s_gbe.bin create mode 100644 blobs/xx80/t480s_ifd.bin diff --git a/blobs/xx80/hashes.txt b/blobs/xx80/hashes.txt index 1b4a87e5c..6b91dfcbd 100644 --- a/blobs/xx80/hashes.txt +++ b/blobs/xx80/hashes.txt @@ -2,3 +2,5 @@ d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin 1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 tb.bin +caf6393cd5c4ff305b677f50c258658710c42439080868c1fb8ea7584cffb204 t480s_ifd.bin +36be39ecd0d06fa3f7893ca2746f702271c46b75de52bc599467a058bab8e271 t480s_gbe.bin diff --git a/blobs/xx80/t480s_gbe.bin b/blobs/xx80/t480s_gbe.bin new file mode 100644 index 0000000000000000000000000000000000000000..13ad80945213c50290f1be196b00c179d3cbf9db GIT binary patch literal 8192 zcmZR$xAwsQcZ?kW|BEnOWMF7u5cvQ9ut0>;D)Ael3^35Zx?IPAK>*0*Nz!8Aa^?_b zye_(S*LBewU=qXvYHeWfYvTZEVP{}aPyjLbfS8fNK|_e$;XejoVEX@G+#93}6Ce~% z*}%ZT#lSLQgS&&up@WLQ8xrIh7(4_R9Dp>-ML`B;E+L?Hc?Rw+20(ia8CZa{F_2~h z(y~CB@vi}c&KyGqpKS&VtUx}(usV z?Hdh&K@$R_{eR+mYoq;t;=*ZE73m=`XbOW-hm3~6Xb6mkz-S1JhQMeD&?N*0y8jOV DvxR`P literal 0 HcmV?d00001 diff --git a/blobs/xx80/t480s_ifd.bin b/blobs/xx80/t480s_ifd.bin new file mode 100644 index 0000000000000000000000000000000000000000..dbbd99cb0e80d664d1ca1430a982a52b64ee5b0d GIT binary patch literal 4096 zcmeHKu}T9$6r8=yVG_igMBxGf*CMS%#o7=!Y-|Lt5eo%BAdQ7pQrTPi1(w#Lr3ik8 zpJ0lJ&A~cvFN#MrWstaY%zH3z_r2ZO>Z~o|=w?{cD4`rg-L~FDv1;ubj}l@7@bxcOc!aIu5pN7P*pih1vN(NPLN!>l`wJ;VzgbFc;{Jo{}*N;;#&=t5s5n< z-U07`cfdQ~9qpLyXXbrrFE$oLzV7bzb;?HFd#1 GD1HDphmo-W literal 0 HcmV?d00001 From b5063f87cef7764ef8a682a4e6e4003589aa7834 Mon Sep 17 00:00:00 2001 From: thickfont Date: Wed, 30 Apr 2025 06:38:58 +0000 Subject: [PATCH 02/14] board.config: copy of T480 configuration Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- .../t480s-hotp-maximized.config | 99 +++++++++++++++++++ boards/t480s-maximized/t480s-maximized.config | 99 +++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 boards/t480s-hotp-maximized/t480s-hotp-maximized.config create mode 100644 boards/t480s-maximized/t480s-maximized.config diff --git a/boards/t480s-hotp-maximized/t480s-hotp-maximized.config b/boards/t480s-hotp-maximized/t480s-hotp-maximized.config new file mode 100644 index 000000000..dfbbf725b --- /dev/null +++ b/boards/t480s-hotp-maximized/t480s-hotp-maximized.config @@ -0,0 +1,99 @@ +# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) +# +# CAVEATS: +# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. +# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. +# Also it can be used to extract FDE keys from a TPM. +# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 +# Make sure you understand the implications of the attack for your threat model before using this board. +# +# Includes +# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions +# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe +# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, +# which is not the same as the 16MB chip to which the heads rom is flashed. +# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. +# You can find a guide here: https://osresearch.net/T430-maximized-flashing/ +# +# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=24.12 +export CONFIG_LINUX_VERSION=6.1.8 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t480s-maximized.config +CONFIG_LINUX_CONFIG=config/linux-t480.config + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y +CONFIG_MOBILE_TETHERING=y + +#Modules packed into tools.cpio +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHPROG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y +export CONFIG_DEBUG_OUTPUT=n +export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n +#Enable TPM2 pcap output under /tmp +export CONFIG_TPM2_CAPTURE_PCAP=n +#Enable quiet mode: technical information logged under /tmp/debug.log +export CONFIG_QUIET_MODE=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="" +export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOARD_NAME="Thinkpad T480S-hotp-maximized" +export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" + +#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP +BOARD_TARGETS := xx80_me_blobs diff --git a/boards/t480s-maximized/t480s-maximized.config b/boards/t480s-maximized/t480s-maximized.config new file mode 100644 index 000000000..0995c0fb5 --- /dev/null +++ b/boards/t480s-maximized/t480s-maximized.config @@ -0,0 +1,99 @@ +# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) +# +# CAVEATS: +# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. +# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. +# Also it can be used to extract FDE keys from a TPM. +# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 +# Make sure you understand the implications of the attack for your threat model before using this board. +# +# Includes +# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions +# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh) +# - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set +# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe +# - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, +# which is not the same as the 16MB chip to which the heads rom is flashed. +# External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. +# You can find a guide here: https://osresearch.net/T430-maximized-flashing/ +# +# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=24.12 +export CONFIG_LINUX_VERSION=6.1.8 + +CONFIG_COREBOOT_CONFIG=config/coreboot-t480s-maximized.config +CONFIG_LINUX_CONFIG=config/linux-t480.config + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y +CONFIG_MOBILE_TETHERING=y + +#Modules packed into tools.cpio +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHPROG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + +#Remote attestation support +# TPM2 requirements +CONFIG_TPM2_TSS=y +CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +#CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n + +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +export CONFIG_TPM2_TOOLS=y +export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +#export CONFIG_TPM=y +export CONFIG_DEBUG_OUTPUT=n +export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n +#Enable TPM2 pcap output under /tmp +export CONFIG_TPM2_CAPTURE_PCAP=n +#Enable quiet mode: technical information logged under /tmp/debug.log +export CONFIG_QUIET_MODE=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="" +export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOARD_NAME="Thinkpad T480S-maximized" +export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" + +#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP +BOARD_TARGETS := xx80_me_blobs From 38ee2fbc753ff3be3791fa0a6d19f1d6e1050495 Mon Sep 17 00:00:00 2001 From: thickfont Date: Wed, 30 Apr 2025 06:42:04 +0000 Subject: [PATCH 03/14] coreboot.config: copy of T480 configuration with T480s board variant selected and separate blobs Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- config/coreboot-t480s-maximized.config | 885 +++++++++++++++++++++++++ 1 file changed, 885 insertions(+) create mode 100644 config/coreboot-t480s-maximized.config diff --git a/config/coreboot-t480s-maximized.config b/config/coreboot-t480s-maximized.config new file mode 100644 index 000000000..41cd2493b --- /dev/null +++ b/config/coreboot-t480s-maximized.config @@ -0,0 +1,885 @@ +# +# Automatically generated file; DO NOT EDIT. +# coreboot configuration +# + +# +# General setup +# +CONFIG_LOCALVERSION="" +CONFIG_CBFS_PREFIX="fallback" +CONFIG_COMPILER_GCC=y +# CONFIG_COMPILER_LLVM_CLANG is not set +# CONFIG_ANY_TOOLCHAIN is not set +# CONFIG_CCACHE is not set +# CONFIG_LTO is not set +# CONFIG_IWYU is not set +# CONFIG_FMD_GENPARSER is not set +# CONFIG_UTIL_GENPARSER is not set +CONFIG_OPTION_BACKEND_NONE=y +CONFIG_COMPRESS_RAMSTAGE_LZMA=y +# CONFIG_COMPRESS_RAMSTAGE_LZ4 is not set +CONFIG_SEPARATE_ROMSTAGE=y +CONFIG_INCLUDE_CONFIG_FILE=y +CONFIG_COLLECT_TIMESTAMPS=y +# CONFIG_TIMESTAMPS_ON_CONSOLE is not set +CONFIG_USE_BLOBS=y +# CONFIG_USE_AMD_BLOBS is not set +# CONFIG_USE_QC_BLOBS is not set +# CONFIG_COVERAGE is not set +# CONFIG_UBSAN is not set +CONFIG_HAVE_ASAN_IN_RAMSTAGE=y +# CONFIG_ASAN is not set +# CONFIG_NO_STAGE_CACHE is not set +CONFIG_TSEG_STAGE_CACHE=y +# CONFIG_UPDATE_IMAGE is not set +CONFIG_BOOTSPLASH_IMAGE=y +CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg" +CONFIG_BOOTSPLASH_CONVERT=y +CONFIG_BOOTSPLASH_CONVERT_QUALITY=90 +# CONFIG_BOOTSPLASH_CONVERT_RESIZE is not set +# CONFIG_BOOTSPLASH_CONVERT_COLORSWAP is not set + +# +# Software Bill Of Materials (SBOM) +# +# CONFIG_SBOM is not set +# end of Software Bill Of Materials (SBOM) +# end of General setup + +# +# Mainboard +# + +# +# Important: Run 'make distclean' before switching boards +# +# CONFIG_VENDOR_51NB is not set +# CONFIG_VENDOR_ACER is not set +# CONFIG_VENDOR_AMD is not set +# CONFIG_VENDOR_AOOSTAR is not set +# CONFIG_VENDOR_AOPEN is not set +# CONFIG_VENDOR_APPLE is not set +# CONFIG_VENDOR_ARM is not set +# CONFIG_VENDOR_ASROCK is not set +# CONFIG_VENDOR_ASUS is not set +# CONFIG_VENDOR_BIOSTAR is not set +# CONFIG_VENDOR_BOSTENTECH is not set +# CONFIG_VENDOR_BYTEDANCE is not set +# CONFIG_VENDOR_CAVIUM is not set +# CONFIG_VENDOR_CLEVO is not set +# CONFIG_VENDOR_COMPULAB is not set +# CONFIG_VENDOR_CWWK is not set +# CONFIG_VENDOR_DELL is not set +# CONFIG_VENDOR_EMULATION is not set +# CONFIG_VENDOR_ERYING is not set +# CONFIG_VENDOR_EXAMPLE is not set +# CONFIG_VENDOR_FACEBOOK is not set +# CONFIG_VENDOR_FOXCONN is not set +# CONFIG_VENDOR_FRAMEWORK is not set +# CONFIG_VENDOR_GETAC is not set +# CONFIG_VENDOR_GIGABYTE is not set +# CONFIG_VENDOR_GOOGLE is not set +# CONFIG_VENDOR_HARDKERNEL is not set +# CONFIG_VENDOR_HP is not set +# CONFIG_VENDOR_IBASE is not set +# CONFIG_VENDOR_IBM is not set +# CONFIG_VENDOR_INTEL is not set +# CONFIG_VENDOR_INVENTEC is not set +# CONFIG_VENDOR_KONTRON is not set +# CONFIG_VENDOR_LATTEPANDA is not set +CONFIG_VENDOR_LENOVO=y +# CONFIG_VENDOR_LIBRETREND is not set +# CONFIG_VENDOR_MITAC_COMPUTING is not set +# CONFIG_VENDOR_MSI is not set +# CONFIG_VENDOR_OCP is not set +# CONFIG_VENDOR_OPENCELLULAR is not set +# CONFIG_VENDOR_PACKARDBELL is not set +# CONFIG_VENDOR_PCENGINES is not set +# CONFIG_VENDOR_PINE64 is not set +# CONFIG_VENDOR_PORTWELL is not set +# CONFIG_VENDOR_PRODRIVE is not set +# CONFIG_VENDOR_PROTECTLI is not set +# CONFIG_VENDOR_PURISM is not set +# CONFIG_VENDOR_RAPTOR_CS is not set +# CONFIG_VENDOR_RAZER is not set +# CONFIG_VENDOR_RODA is not set +# CONFIG_VENDOR_SAMSUNG is not set +# CONFIG_VENDOR_SAPPHIRE is not set +# CONFIG_VENDOR_SIEMENS is not set +# CONFIG_VENDOR_SIFIVE is not set +# CONFIG_VENDOR_STARLABS is not set +# CONFIG_VENDOR_SUPERMICRO is not set +# CONFIG_VENDOR_SYSTEM76 is not set +# CONFIG_VENDOR_TI is not set +# CONFIG_VENDOR_TOPTON is not set +# CONFIG_VENDOR_UP is not set +# CONFIG_VENDOR_VIA is not set +CONFIG_MAINBOARD_FAMILY="T480S" +CONFIG_MAINBOARD_PART_NUMBER="T480S" +CONFIG_MAINBOARD_VERSION="1.0" +CONFIG_MAINBOARD_DIR="lenovo/sklkbl_thinkpad" +CONFIG_VGA_BIOS_ID="8086,0406" +CONFIG_DIMM_MAX=2 +CONFIG_DIMM_SPD_SIZE=512 +CONFIG_FMDFILE="" +CONFIG_NO_POST=y +CONFIG_MAINBOARD_VENDOR="LENOVO" +CONFIG_CBFS_SIZE=0xEEC000 +# CONFIG_CONSOLE_SERIAL is not set +CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT=1600 +CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH=2560 +CONFIG_MAINBOARD_SUPPORTS_KABYLAKE_DUAL=y +CONFIG_MAINBOARD_SUPPORTS_KABYLAKE_QUAD=y +CONFIG_MAX_CPUS=8 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_VARIANT_DIR="t480s" +CONFIG_OVERRIDE_DEVICETREE="variants/$(CONFIG_VARIANT_DIR)/overridetree.cb" +CONFIG_DEVICETREE="devicetree.cb" +# CONFIG_VBOOT is not set +# CONFIG_VGA_BIOS is not set +CONFIG_PCIEXP_ASPM=y +CONFIG_PCIEXP_L1_SUB_STATE=y +CONFIG_PCIEXP_CLK_PM=y +CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="LENOVO" +CONFIG_ECAM_MMCONF_BASE_ADDRESS=0xe0000000 +CONFIG_ECAM_MMCONF_BUS_NUMBER=256 +CONFIG_MEMLAYOUT_LD_FILE="src/arch/x86/memlayout.ld" +# CONFIG_FATAL_ASSERTS is not set +CONFIG_INTEL_GMA_VBT_FILE="src/mainboard/$(MAINBOARDDIR)/variants/$(VARIANT_DIR)/data.vbt" +# CONFIG_DISABLE_HECI1_AT_PRE_BOOT is not set +CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00 +CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="T480S" +CONFIG_MAX_SOCKET=1 +CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0 +CONFIG_TPM_PIRQ=0x0 +CONFIG_USE_PM_ACPI_TIMER=y +CONFIG_DCACHE_RAM_BASE=0xfef00000 +CONFIG_DCACHE_RAM_SIZE=0x40000 +CONFIG_C_ENV_BOOTBLOCK_SIZE=0x40000 +CONFIG_DCACHE_BSP_STACK_SIZE=0x4000 +CONFIG_MAX_ACPI_TABLE_SIZE_KB=144 +CONFIG_HAVE_INTEL_FIRMWARE=y +CONFIG_USE_LEGACY_8254_TIMER=y +CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000 +# CONFIG_DRIVERS_INTEL_WIFI is not set +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/t480s_ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/t480s_me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/t480s_gbe.bin" +CONFIG_MAINBOARD_SUPPORTS_SKYLAKE_CPU=y +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 +CONFIG_CARDBUS_PLUGIN_SUPPORT=y +CONFIG_SPI_FLASH_DONT_INCLUDE_ALL_DRIVERS=y +# CONFIG_DEBUG_SMI is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_ENABLE is not set +CONFIG_HAVE_IFD_BIN=y +CONFIG_PCIEXP_HOTPLUG_BUSES=8 +CONFIG_PCIEXP_HOTPLUG_MEM=0x800000 +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 +# CONFIG_BOARD_LENOVO_THINKPAD_T440P is not set +# CONFIG_BOARD_LENOVO_THINKPAD_W541 is not set +# CONFIG_BOARD_LENOVO_L520 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_M900_TINY is not set +# CONFIG_BOARD_LENOVO_M920Q is not set +# CONFIG_BOARD_LENOVO_S230U is not set +# CONFIG_BOARD_LENOVO_T480 is not set +CONFIG_BOARD_LENOVO_T480S=y +# CONFIG_BOARD_LENOVO_T400 is not set +# CONFIG_BOARD_LENOVO_T500 is not set +# CONFIG_BOARD_LENOVO_R400 is not set +# CONFIG_BOARD_LENOVO_R500 is not set +# CONFIG_BOARD_LENOVO_W500 is not set +# CONFIG_BOARD_LENOVO_T410 is not set +# CONFIG_BOARD_LENOVO_T420 is not set +# CONFIG_BOARD_LENOVO_T420S is not set +# CONFIG_BOARD_LENOVO_THINKPAD_T430 is not set +# CONFIG_BOARD_LENOVO_T430S is not set +# CONFIG_BOARD_LENOVO_T431S is not set +# CONFIG_BOARD_LENOVO_T520 is not set +# CONFIG_BOARD_LENOVO_W520 is not set +# CONFIG_BOARD_LENOVO_T530 is not set +# CONFIG_BOARD_LENOVO_W530 is not set +# CONFIG_BOARD_LENOVO_T60 is not set +# CONFIG_BOARD_LENOVO_Z61T is not set +# CONFIG_BOARD_LENOVO_R60 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_A58 is not set +# CONFIG_BOARD_LENOVO_THINKCENTRE_M710S is not set +# CONFIG_BOARD_LENOVO_X131E is not set +# CONFIG_BOARD_LENOVO_X1_CARBON_GEN1 is not set +# CONFIG_BOARD_LENOVO_X200 is not set +# CONFIG_BOARD_LENOVO_X301 is not set +# CONFIG_BOARD_LENOVO_X201 is not set +# CONFIG_BOARD_LENOVO_X220 is not set +# CONFIG_BOARD_LENOVO_X220I is not set +# CONFIG_BOARD_LENOVO_X1 is not set +# CONFIG_BOARD_LENOVO_X230 is not set +# CONFIG_BOARD_LENOVO_X230T is not set +# CONFIG_BOARD_LENOVO_X230S is not set +# CONFIG_BOARD_LENOVO_X230_EDP is not set +# CONFIG_BOARD_LENOVO_X60 is not set +CONFIG_PS2K_EISAID="PNP0303" +CONFIG_PS2M_EISAID="PNP0F13" +CONFIG_THINKPADEC_HKEY_EISAID="IBM0068" +CONFIG_GFX_GMA_PANEL_1_PORT="eDP" +CONFIG_BOARD_LENOVO_SKLKBL_THINKPAD_COMMON=y +# CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set +CONFIG_POWER_STATE_DEFAULT_ON_AFTER_FAILURE=y +CONFIG_D3COLD_SUPPORT=y +CONFIG_GFX_GMA_PANEL_1_ON_EDP=y +CONFIG_DRIVERS_UART_8250IO=y +CONFIG_PC_CMOS_BASE_PORT_BANK1=0x72 +CONFIG_HEAP_SIZE=0x100000 +CONFIG_EC_GPE_SCI=0x50 +CONFIG_EC_STARLABS_BATTERY_MODEL="Unknown" +CONFIG_EC_STARLABS_BATTERY_TYPE="LION" +CONFIG_EC_STARLABS_BATTERY_OEM="Unknown" +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_LINUX_COMMAND_LINE="quiet loglevel=2" +CONFIG_BOARD_ROMSIZE_KB_16384=y +# CONFIG_COREBOOT_ROMSIZE_KB_256 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_512 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_1024 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_2048 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_4096 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_5120 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_6144 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_8192 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_10240 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_12288 is not set +CONFIG_COREBOOT_ROMSIZE_KB_16384=y +# CONFIG_COREBOOT_ROMSIZE_KB_24576 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_32768 is not set +# CONFIG_COREBOOT_ROMSIZE_KB_65536 is not set +CONFIG_COREBOOT_ROMSIZE_KB=16384 +CONFIG_ROM_SIZE=0x01000000 +CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y +CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y +CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y +# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set +# CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set +CONFIG_MAINBOARD_POWER_FAILURE_STATE=0 +# end of Mainboard + +CONFIG_SYSTEM_TYPE_LAPTOP=y + +# +# Chipset +# + +# +# SoC +# +CONFIG_CHIPSET_DEVICETREE="soc/intel/skylake/chipset.cb" +CONFIG_FSP_M_FILE="$(obj)/Fsp_M.fd" +CONFIG_FSP_S_FILE="$(obj)/Fsp_S.fd" +CONFIG_CBFS_MCACHE_SIZE=0x4000 +CONFIG_ROMSTAGE_ADDR=0x2000000 +CONFIG_VERSTAGE_ADDR=0x2000000 +CONFIG_SMM_TSEG_SIZE=0x800000 +CONFIG_SMM_RESERVED_SIZE=0x200000 +CONFIG_SMM_MODULE_STACK_SIZE=0x800 +CONFIG_ACPI_BERT_SIZE=0x0 +CONFIG_DRIVERS_I2C_DESIGNWARE_CLOCK_MHZ=120 +CONFIG_PRERAM_CBFS_CACHE_SIZE=0x4000 +CONFIG_DOMAIN_RESOURCE_32BIT_LIMIT=0xe0000000 +CONFIG_ACPI_CPU_STRING="CP%02X" +CONFIG_STACK_SIZE=0x2000 +CONFIG_IFD_CHIPSET="sklkbl" +CONFIG_IED_REGION_SIZE=0x400000 +CONFIG_MAX_ROOT_PORTS=24 +CONFIG_PCR_BASE_ADDRESS=0xfd000000 +CONFIG_CPU_BCLK_MHZ=100 +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI_CLOCK_MHZ=120 +CONFIG_CPU_XTAL_HZ=24000000 +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI_MAX=2 +CONFIG_SOC_INTEL_I2C_DEV_MAX=6 +# CONFIG_ENABLE_SATA_TEST_MODE is not set +CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_M_VAL=0x30 +CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_N_VAL=0xc35 +CONFIG_FSP_HEADER_PATH="3rdparty/fsp/KabylakeFspBinPkg/Include/" +CONFIG_FSP_FD_PATH="3rdparty/fsp/KabylakeFspBinPkg/Fsp.fd" +CONFIG_SOC_INTEL_COMMON_DEBUG_CONSENT=0 +CONFIG_INTEL_GMA_BCLV_OFFSET=0xc8254 +CONFIG_INTEL_GMA_BCLV_WIDTH=16 +CONFIG_INTEL_GMA_BCLM_OFFSET=0xc8256 +CONFIG_INTEL_GMA_BCLM_WIDTH=16 +CONFIG_FSP_PUBLISH_MBP_HOB=y +CONFIG_FSP_STATUS_GLOBAL_RESET=0x40000003 +CONFIG_MAX_HECI_DEVICES=5 +CONFIG_BOOTBLOCK_IN_CBFS=y +CONFIG_HAVE_PAM0_REGISTER=y +CONFIG_PCIEXP_COMMON_CLOCK=y +CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT=0x40000 +CONFIG_CPU_INTEL_NUM_FIT_ENTRIES=10 +CONFIG_SOC_INTEL_GFX_FRAMEBUFFER_OFFSET=0x0 +CONFIG_PCIE_LTR_MAX_SNOOP_LATENCY=0x1003 +CONFIG_PCIE_LTR_MAX_NO_SNOOP_LATENCY=0x1003 +CONFIG_SOC_PHYSICAL_ADDRESS_WIDTH=0 +CONFIG_SOC_INTEL_COMMON_SKYLAKE_BASE=y +CONFIG_SOC_INTEL_KABYLAKE=y +CONFIG_FSP_T_LOCATION=0xfffe0000 +CONFIG_SOC_INTEL_COMMON_BLOCK_P2SB=y +CONFIG_FIXED_SMBUS_IO_BASE=0xefa0 +CONFIG_CBFS_CACHE_ALIGN=8 +CONFIG_SOC_INTEL_COMMON=y + +# +# Intel SoC Common Code for IP blocks +# +CONFIG_SOC_INTEL_COMMON_BLOCK=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_GPIO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_LPIT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_PEP=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ACPI_CPPC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CHIP_CONFIG=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU_MPINIT=y +CONFIG_USE_FSP_FEATURE_PROGRAM_ON_APS=y +# CONFIG_USE_COREBOOT_MP_INIT is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_CPU_SMMRELOCATE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CAR=y +CONFIG_INTEL_CAR_NEM_ENHANCED=y +# CONFIG_USE_INTEL_FSP_MP_INIT is not set +CONFIG_CPU_SUPPORTS_PM_TIMER_EMULATION=y +CONFIG_HAVE_HYPERTHREADING=y +CONFIG_FSP_HYPERTHREADING=y +# CONFIG_INTEL_KEYLOCKER is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_MAX is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_256MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_128MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_64MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_32MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_16MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_8MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_4MB is not set +# CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_2MB is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_0MB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_CSE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PCR=y +CONFIG_SOC_INTEL_CSE_FMAP_NAME="SI_ME" +CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME="ME_RW_A" +CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME="ME_RW_B" +CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME="me_rw" +CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME="me_rw.hash" +CONFIG_SOC_INTEL_CSE_RW_VERSION_CBFS_NAME="me_rw.version" +CONFIG_SOC_INTEL_CSE_RW_FILE="" +CONFIG_SOC_INTEL_CSE_RW_VERSION="" +CONFIG_SOC_INTEL_CSE_IOM_CBFS_NAME="cse_iom" +CONFIG_SOC_INTEL_CSE_IOM_CBFS_FILE="" +CONFIG_SOC_INTEL_CSE_NPHY_CBFS_NAME="cse_nphy" +CONFIG_SOC_INTEL_CSE_NPHY_CBFS_FILE="" +CONFIG_SOC_INTEL_COMMON_BLOCK_DSP=y +CONFIG_SOC_INTEL_COMMON_BLOCK_FAST_SPI=y +CONFIG_FAST_SPI_DISABLE_WRITE_STATUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_ITSS_POL_CFG=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_PADCFG_PADTOL=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPIO_DUAL_ROUTE_SUPPORT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GPMR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_GRAPHICS=y +CONFIG_SOC_INTEL_GFX_HAVE_DDI_A_BIFURCATION=y +# CONFIG_SOC_INTEL_DISABLE_IGD is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_GSPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HDA=y +CONFIG_SOC_INTEL_COMMON_BLOCK_HDA_VERB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_I2C=y +CONFIG_SOC_INTEL_COMMON_BLOCK_ITSS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPC_MIRROR_TO_GPMR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_LPSS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_BASE_P2SB=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PCIE=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PCR=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PMC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_PMC_DISCOVERABLE=y +CONFIG_PMC_GLOBAL_RESET_ENABLE_LOCK=y +CONFIG_SOC_INTEL_COMMON_BLOCK_POWER_LIMIT=y +CONFIG_SOC_INTEL_COMMON_BLOCK_RTC=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SATA=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SCS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SGX=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMBUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TCO=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TCO_ENABLE_THROUGH_SMBUS=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_IO_TRAP=y +# CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE is not set +CONFIG_SOC_INTEL_COMMON_BLOCK_SMM_S5_DELAY_MS=0 +CONFIG_SOC_INTEL_COMMON_BLOCK_SPI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_SA=y +CONFIG_SA_ENABLE_DPR=y +CONFIG_HAVE_CAPID_A_REGISTER=y +CONFIG_HAVE_BDSM_BGSM_REGISTER=y +CONFIG_SOC_INTEL_COMMON_BLOCK_THERMAL=y +CONFIG_SOC_INTEL_COMMON_BLOCK_THERMAL_PCI_DEV=y +CONFIG_SOC_INTEL_COMMON_BLOCK_TIMER=y +CONFIG_SOC_INTEL_COMMON_BLOCK_UART=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XDCI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI=y +CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y + +# +# Intel SoC Common PCH Code +# +CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y +CONFIG_SOC_INTEL_COMMON_PCH_BASE=y +CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y +CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y +CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y +CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y +CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y + +# +# Intel SoC Common coreboot stages and non-IP blocks +# +CONFIG_SOC_INTEL_COMMON_BASECODE=y +CONFIG_SOC_INTEL_COMMON_RESET=y +CONFIG_SOC_INTEL_COMMON_ACPI_WAKE_SOURCE=y +CONFIG_PAVP=y +# CONFIG_MMA is not set +CONFIG_SOC_INTEL_COMMON_NHLT=y +# CONFIG_SOC_INTEL_DEBUG_CONSENT is not set + +# +# CPU +# +CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE=y +CONFIG_CPU_INTEL_COMMON=y +CONFIG_ENABLE_VMX=y +CONFIG_SET_IA32_FC_LOCK_BIT=y +CONFIG_SET_MSR_AESNI_LOCK_BIT=y +CONFIG_CPU_INTEL_COMMON_SMM=y +CONFIG_PARALLEL_MP=y +CONFIG_PARALLEL_MP_AP_WORK=y +CONFIG_XAPIC_ONLY=y +# CONFIG_X2APIC_ONLY is not set +# CONFIG_X2APIC_RUNTIME is not set +# CONFIG_X2APIC_LATE_WORKAROUND is not set +CONFIG_UDELAY_TSC=y +CONFIG_TSC_MONOTONIC_TIMER=y +CONFIG_TSC_SYNC_MFENCE=y +CONFIG_HAVE_SMI_HANDLER=y +CONFIG_SMM_TSEG=y +CONFIG_SMM_PCI_RESOURCE_STORE_NUM_SLOTS=8 +CONFIG_AP_STACK_SIZE=0x800 +CONFIG_SMP=y +CONFIG_SSE=y +CONFIG_SSE2=y +CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y +CONFIG_USE_CPU_MICROCODE_CBFS_BINS=y +CONFIG_CPU_MICROCODE_CBFS_DEFAULT_BINS=y +# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS is not set +# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set +# CONFIG_CPU_MICROCODE_CBFS_NONE is not set + +# +# Northbridge +# + +# +# Southbridge +# +CONFIG_PCIEXP_HOTPLUG=y +CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y +CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y +CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y +# CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 +CONFIG_RCBA_LENGTH=0x4000 + +# +# Super I/O +# + +# +# Embedded Controllers +# +CONFIG_EC_ACPI=y +CONFIG_EC_LENOVO_H8=y +CONFIG_H8_BEEP_ON_DEATH=y +CONFIG_H8_FLASH_LEDS_ON_DEATH=y +# CONFIG_H8_SUPPORT_BT_ON_WIFI is not set +# CONFIG_H8_FN_CTRL_SWAP is not set +CONFIG_H8_HAS_BAT_THRESHOLDS_IMPL=y +CONFIG_H8_HAS_PRIMARY_FN_KEYS=y +CONFIG_H8_HAS_LEDLOGO=y +CONFIG_EC_LENOVO_PMH7=y + +# +# Intel Firmware +# +CONFIG_HAVE_ME_BIN=y +# CONFIG_STITCH_ME_BIN is not set +# CONFIG_CHECK_ME is not set +# CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS is not set +# CONFIG_USE_ME_CLEANER is not set +CONFIG_MAINBOARD_USES_IFD_GBE_REGION=y +CONFIG_HAVE_GBE_BIN=y +# CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION is not set +# CONFIG_LOCK_MANAGEMENT_ENGINE is not set +CONFIG_UNLOCK_FLASH_REGIONS=y +CONFIG_ACPI_FNKEY_GEN_SCANCODE=0 +CONFIG_UDK_BASE=y +CONFIG_UDK_2017_BINDING=y +CONFIG_UDK_2013_VERSION=2013 +CONFIG_UDK_2017_VERSION=2017 +CONFIG_UDK_202005_VERSION=202005 +CONFIG_UDK_202111_VERSION=202111 +CONFIG_UDK_202302_VERSION=202302 +CONFIG_UDK_202305_VERSION=202305 +CONFIG_UDK_VERSION=2017 +CONFIG_ARCH_X86=y +CONFIG_ARCH_BOOTBLOCK_X86_32=y +CONFIG_ARCH_VERSTAGE_X86_32=y +CONFIG_ARCH_ROMSTAGE_X86_32=y +CONFIG_ARCH_POSTCAR_X86_32=y +CONFIG_ARCH_RAMSTAGE_X86_32=y +CONFIG_ARCH_ALL_STAGES_X86_32=y +CONFIG_RESERVED_PHYSICAL_ADDRESS_BITS_SUPPORT=y +CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y +CONFIG_POSTRAM_CBFS_CACHE_IN_BSS=y +CONFIG_RAMSTAGE_CBFS_CACHE_SIZE=0x4000 +CONFIG_PC80_SYSTEM=y +CONFIG_POSTCAR_STAGE=y +CONFIG_BOOTBLOCK_SIMPLE=y +# CONFIG_BOOTBLOCK_NORMAL is not set +CONFIG_COLLECT_TIMESTAMPS_TSC=y +CONFIG_HAVE_CF9_RESET=y +CONFIG_DEBUG_HW_BREAKPOINTS=y +CONFIG_DEBUG_NULL_DEREF_BREAKPOINTS=y +# CONFIG_DUMP_SMBIOS_TYPE17 is not set +CONFIG_X86_BOOTBLOCK_EXTRA_PROGRAM_SZ=0 +CONFIG_DEFAULT_EBDA_LOWMEM=0x100000 +CONFIG_DEFAULT_EBDA_SEGMENT=0xF600 +CONFIG_DEFAULT_EBDA_SIZE=0x400 +# end of Chipset + +# +# Devices +# +CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y +CONFIG_HAVE_LINEAR_FRAMEBUFFER=y +CONFIG_HAVE_FSP_GOP=y +CONFIG_MAINBOARD_HAS_LIBGFXINIT=y +CONFIG_MAINBOARD_USE_LIBGFXINIT=y +# CONFIG_VGA_ROM_RUN is not set +# CONFIG_RUN_FSP_GOP is not set +# CONFIG_NO_GFX_INIT is not set +CONFIG_NO_EARLY_GFX_INIT=y + +# +# Display +# +# CONFIG_VGA_TEXT_FRAMEBUFFER is not set +CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y +CONFIG_LINEAR_FRAMEBUFFER=y +CONFIG_BOOTSPLASH=y +CONFIG_DEFAULT_SCREEN_ROTATION_NONE=y +# CONFIG_DEFAULT_SCREEN_ROTATION_90 is not set +# CONFIG_DEFAULT_SCREEN_ROTATION_180 is not set +# CONFIG_DEFAULT_SCREEN_ROTATION_270 is not set +CONFIG_DEFAULT_SCREEN_ROTATION_INT=0 +# end of Display + +CONFIG_PCI=y +CONFIG_ECAM_MMCONF_SUPPORT=y +CONFIG_PCIX_PLUGIN_SUPPORT=y +CONFIG_AZALIA_HDA_CODEC_SUPPORT=y +CONFIG_PCIEXP_PLUGIN_SUPPORT=y +CONFIG_ECAM_MMCONF_LENGTH=0x10000000 +CONFIG_PCI_ALLOW_BUS_MASTER=y +CONFIG_PCI_SET_BUS_MASTER_PCI_BRIDGES=y +CONFIG_PCI_ALLOW_BUS_MASTER_ANY_DEVICE=y +# CONFIG_PCIEXP_SUPPORT_RESIZABLE_BARS is not set +# CONFIG_PCIEXP_LANE_ERR_STAT_CLEAR is not set +CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM_ABOVE_4G=y +# CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM_BELOW_4G is not set +CONFIG_PCIEXP_HOTPLUG_IO=0x800 +# CONFIG_EARLY_PCI_BRIDGE is not set +CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 +CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 +CONFIG_INTEL_GMA_HAVE_VBT=y +CONFIG_INTEL_GMA_ADD_VBT=y +# CONFIG_SOFTWARE_I2C is not set +CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 +CONFIG_RESOURCE_ALLOCATION_TOP_DOWN=y +# end of Devices + +# +# Generic Drivers +# +CONFIG_CRB_TPM_BASE_ADDRESS=0xfed40000 +# CONFIG_DRIVERS_EFI_VARIABLE_STORE is not set +# CONFIG_DRIVERS_EFI_FW_INFO is not set +# CONFIG_ELOG is not set +CONFIG_CACHE_MRC_SETTINGS=y +CONFIG_MRC_SETTINGS_PROTECT=y +# CONFIG_DRIVERS_OPTION_CFR is not set +# CONFIG_SMMSTORE is not set +CONFIG_SPI_FLASH=y +CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y +CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y +CONFIG_SPI_FLASH_SMM=y +# CONFIG_SPI_FLASH_NO_FAST_READ is not set +CONFIG_TPM_INIT_RAMSTAGE=y +# CONFIG_TPM_PPI is not set +CONFIG_DRIVERS_UART=y +# CONFIG_DRIVERS_UART_OXPCIE is not set +# CONFIG_VPD is not set +# CONFIG_DRIVERS_GENERIC_CBFS_SERIAL is not set +# CONFIG_DRIVERS_GENERIC_CBFS_UUID is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9750 is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9755 is not set +# CONFIG_DRIVERS_GENESYSLOGIC_GL9763E is not set +CONFIG_DRIVERS_I2C_DESIGNWARE=y +# CONFIG_DRIVERS_I2C_MAX98396 is not set +CONFIG_FSP_USE_REPO=y +# CONFIG_DISPLAY_HOBS is not set +# CONFIG_DISPLAY_UPD_DATA is not set +# CONFIG_BMP_LOGO is not set +CONFIG_PLATFORM_USES_FSP2_0=y +CONFIG_PLATFORM_USES_FSP2_X86_32=y +CONFIG_HAVE_INTEL_FSP_REPO=y +CONFIG_ADD_FSP_BINARIES=y +CONFIG_FSP_S_CBFS="fsps.bin" +CONFIG_FSP_M_CBFS="fspm.bin" +CONFIG_FSP_FULL_FD=y +CONFIG_FSP_T_RESERVED_SIZE=0x0 +CONFIG_FSP_M_XIP=y +CONFIG_HAVE_FSP_LOGO_SUPPORT=y +CONFIG_FSP_COMPRESS_FSP_S_LZ4=y +CONFIG_SOC_INTEL_COMMON_FSP_RESET=y +CONFIG_USE_FSP_NOTIFY_PHASE_POST_PCI_ENUM=y +CONFIG_USE_FSP_NOTIFY_PHASE_READY_TO_BOOT=y +CONFIG_USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE=y +# CONFIG_DISPLAY_FSP_TIMESTAMPS is not set +# CONFIG_BUILDING_WITH_DEBUG_FSP is not set +CONFIG_INTEL_INT15=y +CONFIG_INTEL_GMA_ACPI=y +CONFIG_VBT_CBFS_COMPRESSION_LZMA=y +# CONFIG_VBT_CBFS_COMPRESSION_LZ4 is not set +# CONFIG_VBT_CBFS_COMPRESSION_NONE is not set +CONFIG_VBT_CBFS_COMPRESSION_ALGORITHM="lzma" +CONFIG_GFX_GMA=y +CONFIG_GFX_GMA_DYN_CPU=y +CONFIG_GFX_GMA_GENERATION="Skylake" +CONFIG_GFX_GMA_PCH="Sunrise_Point" +CONFIG_GFX_GMA_PANEL_2_PORT="Disabled" +CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC" +# CONFIG_DRIVERS_NXP_UWB_SR1XX is not set +# CONFIG_DRIVERS_PS2_KEYBOARD is not set +CONFIG_DRIVERS_MC146818=y +CONFIG_USE_PC_CMOS_ALTCENTURY=y +CONFIG_PC_CMOS_BASE_PORT_BANK0=0x70 +CONFIG_MEMORY_MAPPED_TPM=y +CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000 +# CONFIG_DRIVERS_SIL_3114 is not set +CONFIG_DRIVERS_USB_ACPI=y +CONFIG_DRIVERS_WIFI_GENERIC=y +CONFIG_DRIVERS_MTK_WIFI=y +# end of Generic Drivers + +# +# Security +# + +# +# CBFS verification +# +# CONFIG_CBFS_VERIFICATION is not set +# end of CBFS verification + +# +# Verified Boot (vboot) +# +CONFIG_VBOOT_LIB=y +# end of Verified Boot (vboot) + +# +# Trusted Platform Module +# +# CONFIG_TPM1 is not set +CONFIG_TPM2=y +CONFIG_TPM=y +CONFIG_MAINBOARD_HAS_TPM2=y +# CONFIG_DEBUG_TPM is not set +# CONFIG_TPM_LOG_CB is not set +CONFIG_TPM_LOG_TPM2=y +# CONFIG_TPM_HASH_SHA1 is not set +CONFIG_TPM_HASH_SHA256=y +# CONFIG_TPM_HASH_SHA384 is not set +# CONFIG_TPM_HASH_SHA512 is not set +CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA="" +CONFIG_PCR_BOOT_MODE=1 +CONFIG_PCR_HWID=1 +CONFIG_PCR_SRTM=2 +CONFIG_PCR_FW_VER=10 +CONFIG_PCR_RUNTIME_DATA=3 +# end of Trusted Platform Module + +# +# Memory initialization +# +CONFIG_PLATFORM_HAS_DRAM_CLEAR=y +# CONFIG_SECURITY_CLEAR_DRAM_ON_REGULAR_BOOT is not set +# end of Memory initialization + +# CONFIG_INTEL_TXT is not set +# CONFIG_STM is not set +# CONFIG_INTEL_CBNT_SUPPORT is not set +# CONFIG_BOOTMEDIA_LOCK_NONE is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +# CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set +# CONFIG_BOOTMEDIA_SMM_BWP is not set +# end of Security + +CONFIG_ACPI_HAVE_PCAT_8259=y +CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y +CONFIG_ACPI_SOC_NVS=y +CONFIG_ACPI_CUSTOM_MADT=y +CONFIG_ACPI_NO_CUSTOM_MADT=y +CONFIG_ACPI_COMMON_MADT_LAPIC=y +CONFIG_ACPI_COMMON_MADT_IOAPIC=y +CONFIG_HAVE_ACPI_TABLES=y +CONFIG_ACPI_LPIT=y +CONFIG_BOOT_DEVICE_SPI_FLASH=y +CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y +CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y +CONFIG_RTC=y + +# +# Console +# +CONFIG_BOOTBLOCK_CONSOLE=y +CONFIG_POSTCAR_CONSOLE=y +CONFIG_SQUELCH_EARLY_SMP=y +# CONFIG_SPKMODEM is not set +# CONFIG_CONSOLE_NE2K is not set +CONFIG_CONSOLE_CBMEM=y +# CONFIG_CONSOLE_CBMEM_DUMP_TO_UART is not set +# CONFIG_CONSOLE_SPI_FLASH is not set +# CONFIG_CONSOLE_I2C_SMBUS is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8 is not set +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_7=y +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_4 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_3 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_2 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_1 is not set +# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0 is not set +CONFIG_DEFAULT_CONSOLE_LOGLEVEL=7 +CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX=y +CONFIG_CONSOLE_USE_ANSI_ESCAPES=y +CONFIG_HWBASE_DEBUG_CB=y +# end of Console + +CONFIG_ACPI_S1_NOT_SUPPORTED=y +CONFIG_HAVE_ACPI_RESUME=y +CONFIG_RESUME_PATH_SAME_AS_BOOT=y +CONFIG_HAVE_MONOTONIC_TIMER=y +CONFIG_IOAPIC=y +CONFIG_ACPI_NHLT=y + +# +# System tables +# +CONFIG_GENERATE_SMBIOS_TABLES=y +CONFIG_BIOS_VENDOR="coreboot" +CONFIG_MAINBOARD_SERIAL_NUMBER="123456789" +# end of System tables + +# +# Payload +# +# CONFIG_PAYLOAD_NONE is not set +# CONFIG_PAYLOAD_ELF is not set +# CONFIG_PAYLOAD_FLAT_BINARY is not set +# CONFIG_PAYLOAD_BOOTBOOT is not set +# CONFIG_PAYLOAD_FILO is not set +# CONFIG_PAYLOAD_GRUB2 is not set +# CONFIG_PAYLOAD_SEAGRUB is not set +# CONFIG_PAYLOAD_LINUXBOOT is not set +# CONFIG_PAYLOAD_SEABIOS is not set +# CONFIG_PAYLOAD_UBOOT is not set +# CONFIG_PAYLOAD_EDK2 is not set +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" +# CONFIG_PXE is not set +CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" +CONFIG_COMPRESS_SECONDARY_PAYLOAD=y + +# +# Secondary Payloads +# +# CONFIG_COREINFO_SECONDARY_PAYLOAD is not set +# CONFIG_GRUB2_SECONDARY_PAYLOAD is not set +# CONFIG_MEMTEST_SECONDARY_PAYLOAD is not set +# CONFIG_SEABIOS_SECONDARY_PAYLOAD is not set +# CONFIG_TINT_SECONDARY_PAYLOAD is not set +# CONFIG_COREDOOM_SECONDARY_PAYLOAD is not set +# end of Secondary Payloads +# end of Payload + +# +# Debugging +# + +# +# CPU Debug Settings +# +# CONFIG_DISPLAY_MTRRS is not set + +# +# Vendorcode Debug Settings +# + +# +# BLOB Debug Settings +# +# CONFIG_DISPLAY_FSP_CALLS_AND_STATUS is not set +# CONFIG_DISPLAY_FSP_HEADER is not set +# CONFIG_VERIFY_HOBS is not set +# CONFIG_DISPLAY_FSP_VERSION_INFO is not set +CONFIG_HAVE_GPIO_SNAPSHOT_VERIFY_SUPPORT=y +# CONFIG_CHECK_GPIO_CONFIG_CHANGES is not set + +# +# General Debug Settings +# +# CONFIG_GDB_STUB is not set +CONFIG_HAVE_DEBUG_GPIO=y +# CONFIG_DEBUG_GPIO is not set +# CONFIG_DEBUG_CBFS is not set +CONFIG_HAVE_DEBUG_SMBUS=y +# CONFIG_DEBUG_SMBUS is not set +# CONFIG_DEBUG_MALLOC is not set +# CONFIG_DEBUG_CONSOLE_INIT is not set +# CONFIG_DEBUG_SPI_FLASH is not set +# CONFIG_DEBUG_BOOT_STATE is not set +# CONFIG_DEBUG_ADA_CODE is not set +CONFIG_HAVE_EM100_SUPPORT=y +# CONFIG_EM100 is not set +# CONFIG_DEBUG_ACPICA_COMPATIBLE is not set +# end of Debugging + +CONFIG_RAMSTAGE_ADA=y +CONFIG_RAMSTAGE_LIBHWBASE=y +CONFIG_SPD_READ_BY_WORD=y +CONFIG_HWBASE_DYNAMIC_MMIO=y +CONFIG_HWBASE_DEFAULT_MMCONF=0xe0000000 +CONFIG_HWBASE_DIRECT_PCIDEV=y +CONFIG_DECOMPRESS_OFAST=y +CONFIG_WARNINGS_ARE_ERRORS=y +CONFIG_MAX_REBOOT_CNT=3 +CONFIG_RELOCATABLE_MODULES=y +CONFIG_GENERIC_GPIO_LIB=y +CONFIG_HAVE_BOOTBLOCK=y +CONFIG_HAVE_ROMSTAGE=y +CONFIG_HAVE_RAMSTAGE=y From 31d640b487acc1cc2a944a218582e3730e4501cc Mon Sep 17 00:00:00 2001 From: thickfont <207300056+thickfont@users.noreply.github.com> Date: Thu, 1 May 2025 04:08:21 +0000 Subject: [PATCH 04/14] circleci: added T480s support Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- .circleci/config.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ec4607f41..0c6c3e5cf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -102,7 +102,8 @@ jobs: - run: name: Download, neuter and deguard xx80 ME (keep generated GBE and extracted IFD in tree) command: | - ./blobs/xx80/download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ + ./blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ + ./blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh -m $(readlink -f ./blobs/utils/me_cleaner/me_cleaner.py) ./blobs/xx80/ - run: name: Download and extract t530 vbios roms for dgpu boards command: | @@ -527,6 +528,22 @@ workflows: requires: - t480-hotp-maximized + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + - build: + name: t480s-hotp-maximized + target: t480s-hotp-maximized + subcommand: "" + requires: + - t480-hotp-maximized + + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + - build: + name: t480s-maximized + target: t480s-maximized + subcommand: "" + requires: + - t480s-hotp-maximized + # dasharo release, share 24.02.01 utils/crossgcc - build: name: UNTESTED_nitropad-ns50 From 2962d164bcf75955912855c76ffa3a4b30bbdb2f Mon Sep 17 00:00:00 2001 From: thickfont <207300056+thickfont@users.noreply.github.com> Date: Sun, 4 May 2025 07:55:17 +0000 Subject: [PATCH 05/14] blobs: add separate t480s blob script Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- ... t480_download_clean_deguard_me_pad_tb.sh} | 4 +- .../t480s_download_clean_deguard_me_pad_tb.sh | 200 ++++++++++++++++++ .../t480-hotp-maximized.config | 2 +- boards/t480-maximized/t480-maximized.config | 2 +- .../t480s-hotp-maximized.config | 2 +- boards/t480s-maximized/t480s-maximized.config | 2 +- .../{xx80_me_blobs.mk => t480_me_blobs.mk} | 10 +- targets/t480s_me_blobs.mk | 21 ++ 8 files changed, 232 insertions(+), 11 deletions(-) rename blobs/xx80/{download_clean_deguard_me_pad_tb.sh => t480_download_clean_deguard_me_pad_tb.sh} (98%) create mode 100755 blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh rename targets/{xx80_me_blobs.mk => t480_me_blobs.mk} (70%) create mode 100644 targets/t480s_me_blobs.mk diff --git a/blobs/xx80/download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh similarity index 98% rename from blobs/xx80/download_clean_deguard_me_pad_tb.sh rename to blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh index 290ca416b..55610470b 100755 --- a/blobs/xx80/download_clean_deguard_me_pad_tb.sh +++ b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh @@ -168,8 +168,8 @@ function parse_params() { usage_err "No valid output dir found" fi me_cleaned="${output_dir}/me_cleaned.bin" - me_deguarded="${output_dir}/me.bin" - tb_flashable="${output_dir}/tb.bin" + me_deguarded="${output_dir}/t480_me.bin" + tb_flashable="${output_dir}/t480_tb.bin" echo "Writing cleaned and deguarded ME to ${me_deguarded}" echo "Writing flashable TB to ${tb_flashable}" } diff --git a/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh new file mode 100755 index 000000000..727973122 --- /dev/null +++ b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh @@ -0,0 +1,200 @@ +#!/usr/bin/env bash + +# These variables are all for the deguard tool. +# They would need to be changed if using the tool for other devices like the T480s or with a different ME version... +ME_delta="thinkpad_t480s" +ME_version="11.6.0.1126" +ME_sku="2M" +ME_pch="LP" + +# Thunderbolt firmware offset in bytes to pad to 1M +TBFW_SIZE=1048575 + +# Integrity checks for the vendor provided ME blob... +ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0" +# ...and the cleaned and deguarded version from that blob. +DEGUARDED_ME_BIN_HASH="7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b" +# Integrity checks for the vendor provided Thunderbolt blob... +TB_DOWNLOAD_HASH="090d0085af4a20bcdfba8a75f1bce735ff80afbfea968bbe276a80a0c4c18706" +# ...and the padded and flashable version from that blob. +TB_BIN_HASH="b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119" + + +function usage() { + echo -n \ + "Usage: $(basename "$0") -m (optional) path_to_output_directory +Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS. +Download Thunderbolt firmware from Lenovo and pad it for flashing externally. +" +} + +function chk_sha256sum() { + sha256_hash="$1" + filename="$2" + echo "$sha256_hash" "$filename" "$(pwd)" + sha256sum "$filename" + if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then + echo "ERROR: SHA256 checksum for ${filename} doesn't match." + exit 1 + fi +} + +function chk_exists_and_matches() { + if [[ -f "$1" ]]; then + if echo "${2} ${1}" | sha256sum --check; then + echo "SKIPPING: SHA256 checksum for $1 matches." + [[ "$3" = ME ]] && me_exists="y" + [[ "$3" = TB ]] && tb_exists="y" + fi + echo "$1 exists but checksum doesn't match. Continuing..." + fi +} + +function download_and_clean() { + me_cleaner="$(realpath "${1}")" + me_output="$(realpath "${2}")" + + # Download and unpack the Dell installer into a temporary directory and + # extract the deguardable Intel ME blob. + pushd "$(mktemp -d)" || exit + + # Download the installer that contains the ME blob + me_installer_filename="Inspiron_5468_1.3.0.exe" + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" + curl -A "$user_agent" -s -O "https://dl.dell.com/FOLDER04573471M/1/${me_installer_filename}" + chk_sha256sum "$ME_DOWNLOAD_HASH" "$me_installer_filename" + + # Download the tool to unpack Dell's installer and unpack the ME blob. + git clone https://github.com/platomav/BIOSUtilities + git -C BIOSUtilities checkout ef50b75ae115ae8162fa8b0a7b8c42b1d2db894b + + python "BIOSUtilities/Dell_PFS_Extract.py" "${me_installer_filename}" -e || exit + + extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin" + + # Neutralize and shrink Intel ME. Note that this doesn't include + # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., + # High Assurance Program) bits, as they are defined within the Flash + # Descriptor. + # However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function. + # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + + # MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition + python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" + rm -rf ./* + popd || exit +} + +function deguard() { + me_input="$(realpath "${1}")" + me_output="$(realpath "${2}")" + + # Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob. + pushd "$(mktemp -d)" || exit + git clone https://github.com/coreboot/deguard + pushd deguard || exit + git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2 + + python ./finalimage.py \ + --delta "data/delta/$ME_delta" \ + --version "$ME_version" \ + --pch "$ME_pch" \ + --sku "$ME_sku" \ + --fake-fpfs data/fpfs/zero \ + --input "$me_input" \ + --output "$me_output" + + popd || exit + #Cleanup + rm -rf ./* + popd || exit +} + +function download_and_pad_tb() { + tb_output="$(realpath "${1}")" + + # Download and unpack the Lenovo installer into a temporary directory and + # extract the TB blob. + pushd "$(mktemp -d)" || exit + + # Download the installer that contains the T480s TB blob + tb_installer_filename=""n22th11w.exe"" + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" + curl -A "$user_agent" -s -O "https://download.lenovo.com/pccbbs/mobiles/${tb_installer_filename}" + chk_sha256sum "$TB_DOWNLOAD_HASH" "$tb_installer_filename" + + # https://www.reddit.com/r/thinkpad/comments/9rnimi/ladies_and_gentlemen_i_present_to_you_the/ + innoextract n22th11w.exe -d . + mv ./code\$GetExtractPath\$/TBT.bin tb.bin + # pad with zeros + dd if=/dev/zero of=tb.bin bs=1 seek="$TBFW_SIZE" count=1 + mv "tb.bin" "$tb_output" + + rm -rf ./* + popd || exit +} + +function usage_err() { + echo "$1" + usage + exit 1 +} + +function parse_params() { + while getopts ":m:" opt; do + case $opt in + m) + if [[ -x "$OPTARG" ]]; then + me_cleaner="$OPTARG" + fi + ;; + ?) + usage_err "Invalid Option: -$OPTARG" + ;; + esac + done + + if [[ -z "${me_cleaner}" ]]; then + if [[ -z "${COREBOOT_DIR}" ]]; then + usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable." + else + me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py" + fi + fi + echo "Using me_cleaner from ${me_cleaner}" + + shift $(($OPTIND - 1)) + output_dir="$(realpath "${1:-./}")" + if [[ ! -d "${output_dir}" ]]; then + usage_err "No valid output dir found" + fi + me_cleaned="${output_dir}/me_cleaned.bin" + me_deguarded="${output_dir}/t480s_me.bin" + tb_flashable="${output_dir}/t480s_tb.bin" + echo "Writing cleaned and deguarded ME to ${me_deguarded}" + echo "Writing flashable TB to ${tb_flashable}" +} + +if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then + if [[ "${1:-}" == "--help" ]]; then + usage + exit 0 + fi + + parse_params "$@" + chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME + chk_exists_and_matches "$tb_flashable" "$TB_BIN_HASH" TB + + if [[ -z "$me_exists" ]]; then + download_and_clean "$me_cleaner" "$me_cleaned" + deguard "$me_cleaned" "$me_deguarded" + rm -f "$me_cleaned" + fi + + if [[ -z "$tb_exists" ]]; then + download_and_pad_tb "$tb_flashable" + fi + + chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded" + chk_sha256sum "$TB_BIN_HASH" "$tb_flashable" +fi diff --git a/boards/t480-hotp-maximized/t480-hotp-maximized.config b/boards/t480-hotp-maximized/t480-hotp-maximized.config index 42506658a..2f81ee1f4 100644 --- a/boards/t480-hotp-maximized/t480-hotp-maximized.config +++ b/boards/t480-hotp-maximized/t480-hotp-maximized.config @@ -96,4 +96,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs diff --git a/boards/t480-maximized/t480-maximized.config b/boards/t480-maximized/t480-maximized.config index 92fcacd87..cd8ccfbbd 100644 --- a/boards/t480-maximized/t480-maximized.config +++ b/boards/t480-maximized/t480-maximized.config @@ -96,4 +96,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs diff --git a/boards/t480s-hotp-maximized/t480s-hotp-maximized.config b/boards/t480s-hotp-maximized/t480s-hotp-maximized.config index dfbbf725b..ea1417711 100644 --- a/boards/t480s-hotp-maximized/t480s-hotp-maximized.config +++ b/boards/t480s-hotp-maximized/t480s-hotp-maximized.config @@ -96,4 +96,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480S-hotp-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480s_me_blobs diff --git a/boards/t480s-maximized/t480s-maximized.config b/boards/t480s-maximized/t480s-maximized.config index 0995c0fb5..997fd8369 100644 --- a/boards/t480s-maximized/t480s-maximized.config +++ b/boards/t480s-maximized/t480s-maximized.config @@ -96,4 +96,4 @@ export CONFIG_BOARD_NAME="Thinkpad T480S-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" #Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480s_me_blobs diff --git a/targets/xx80_me_blobs.mk b/targets/t480_me_blobs.mk similarity index 70% rename from targets/xx80_me_blobs.mk rename to targets/t480_me_blobs.mk index ebc32bd40..d339b0f18 100644 --- a/targets/xx80_me_blobs.mk +++ b/targets/t480_me_blobs.mk @@ -11,11 +11,11 @@ # Make the Coreboot build depend on the following 3rd party blobs: $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ - $(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD)/tb.bin + $(pwd)/blobs/xx80/t480_me.bin $(pwd)/blobs/xx80/t480_tb.bin $(build)/$(BOARD)/t480_tb.bin -$(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin &: - $(pwd)/blobs/xx80/download_clean_deguard_me_pad_tb.sh \ +$(pwd)/blobs/xx80/t480_me.bin $(pwd)/blobs/xx80/t480_tb.bin &: + $(pwd)/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh \ -m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80 -$(build)/$(BOARD)/tb.bin: $(pwd)/blobs/xx80/tb.bin - cp $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD) +$(build)/$(BOARD)/t480_tb.bin: $(pwd)/blobs/xx80/t480_tb.bin + cp $(pwd)/blobs/xx80/t480_tb.bin $(build)/$(BOARD) diff --git a/targets/t480s_me_blobs.mk b/targets/t480s_me_blobs.mk new file mode 100644 index 000000000..a41bde991 --- /dev/null +++ b/targets/t480s_me_blobs.mk @@ -0,0 +1,21 @@ +# Targets for downloading xx80 ME blob, neutering it and deactivating ME. +# This also uses the deguard tool to bypass Intel Boot Guard exploiting CVE-2017-5705. +# See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html + +# xx80-*-maximized boards require of you initially call one of the +# following to have gbe.bin ifd.bin and me.bin +# - blobs/xx80/download_clean_me_and_deguard.sh +# To download Lenovo original ME binary, neuter+deactivate ME, produce +# reduced IFD ME region and expanded BIOS IFD region. +# Also creates the tb.bin blob to flash the Thunderbolt SPI. + +# Make the Coreboot build depend on the following 3rd party blobs: +$(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ + $(pwd)/blobs/xx80/t480s_me.bin $(pwd)/blobs/xx80/t480s_tb.bin $(build)/$(BOARD)/t480s_tb.bin + +$(pwd)/blobs/xx80/t480s_me.bin $(pwd)/blobs/xx80/t480s_tb.bin &: + $(pwd)/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh \ + -m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80 + +$(build)/$(BOARD)/t480s_tb.bin: $(pwd)/blobs/xx80/t480s_tb.bin + cp $(pwd)/blobs/xx80/t480s_tb.bin $(build)/$(BOARD) From 7facb1bf5878d33e57d25afeb6ab679979be951f Mon Sep 17 00:00:00 2001 From: thickfont <207300056+thickfont@users.noreply.github.com> Date: Sun, 4 May 2025 07:56:44 +0000 Subject: [PATCH 06/14] blobs: rename T480 blobs (and add t480s tb.bin hash to hashes.txt) Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- blobs/xx80/hashes.txt | 12 ++++++++---- blobs/xx80/{gbe.bin => t480_gbe.bin} | Bin blobs/xx80/{ifd.bin => t480_ifd.bin} | Bin config/coreboot-t480-maximized.config | 6 +++--- 4 files changed, 11 insertions(+), 7 deletions(-) rename blobs/xx80/{gbe.bin => t480_gbe.bin} (100%) rename blobs/xx80/{ifd.bin => t480_ifd.bin} (100%) diff --git a/blobs/xx80/hashes.txt b/blobs/xx80/hashes.txt index 6b91dfcbd..e3b6df2fd 100644 --- a/blobs/xx80/hashes.txt +++ b/blobs/xx80/hashes.txt @@ -1,6 +1,10 @@ -d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin -f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin -1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin -fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 tb.bin +#T480: +1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b t480_me.bin +fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 t480_tb.bin +d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 t480_gbe.bin +f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf t480_ifd.bin +#T480s: +7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b t480s_me.bin +b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119 t480s_tb.bin caf6393cd5c4ff305b677f50c258658710c42439080868c1fb8ea7584cffb204 t480s_ifd.bin 36be39ecd0d06fa3f7893ca2746f702271c46b75de52bc599467a058bab8e271 t480s_gbe.bin diff --git a/blobs/xx80/gbe.bin b/blobs/xx80/t480_gbe.bin similarity index 100% rename from blobs/xx80/gbe.bin rename to blobs/xx80/t480_gbe.bin diff --git a/blobs/xx80/ifd.bin b/blobs/xx80/t480_ifd.bin similarity index 100% rename from blobs/xx80/ifd.bin rename to blobs/xx80/t480_ifd.bin diff --git a/config/coreboot-t480-maximized.config b/config/coreboot-t480-maximized.config index 48b70fc5a..a7a6847a1 100644 --- a/config/coreboot-t480-maximized.config +++ b/config/coreboot-t480-maximized.config @@ -163,9 +163,9 @@ CONFIG_HAVE_INTEL_FIRMWARE=y CONFIG_USE_LEGACY_8254_TIMER=y CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000 # CONFIG_DRIVERS_INTEL_WIFI is not set -CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/ifd.bin" -CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/me.bin" -CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/gbe.bin" +CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/t480_ifd.bin" +CONFIG_ME_BIN_PATH="@BLOB_DIR@/xx80/t480_me.bin" +CONFIG_GBE_BIN_PATH="@BLOB_DIR@/xx80/t480_gbe.bin" CONFIG_MAINBOARD_SUPPORTS_SKYLAKE_CPU=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_CARDBUS_PLUGIN_SUPPORT=y From 45c4d736e28c2b42f3ac529758d96c622ff0f180 Mon Sep 17 00:00:00 2001 From: thickfont <207300056+thickfont@users.noreply.github.com> Date: Wed, 7 May 2025 03:20:52 +0000 Subject: [PATCH 07/14] blobs: update gitignore for new tb blobs Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com> --- blobs/xx80/.gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/blobs/xx80/.gitignore b/blobs/xx80/.gitignore index 326bba658..f9cc243ba 100644 --- a/blobs/xx80/.gitignore +++ b/blobs/xx80/.gitignore @@ -1,2 +1,6 @@ me.bin tb.bin +t480_tb.bin +t480s_tb.bin +t480_me.bin +t480s_me.bin From e6ba702acbc7d66e4b9c71541a41bc448a9f3a3d Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 17 Sep 2025 10:05:32 -0400 Subject: [PATCH 08/14] T480s : depend on EOL t480 cache for build, which was renamed in master since CVE-2017-5715 (all Intel <=gen 8th cpu vulnerable without patches) Signed-off-by: Thierry Laurion --- .circleci/config.yml | 20 +++++++++---------- .../EOL_t480s-hotp-maximized.config} | 1 + .../EOL_t480s-maximized.config} | 1 + 3 files changed, 12 insertions(+), 10 deletions(-) rename boards/{t480s-hotp-maximized/t480s-hotp-maximized.config => EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config} (89%) rename boards/{t480s-maximized/t480s-maximized.config => EOL_t480s-maximized/EOL_t480s-maximized.config} (89%) diff --git a/.circleci/config.yml b/.circleci/config.yml index cebb68429..0473a4e77 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -253,7 +253,7 @@ workflows: requires: - novacustom-nv4x_adl - # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build_and_persist: name: EOL_t480-hotp-maximized target: EOL_t480-hotp-maximized @@ -527,7 +527,7 @@ workflows: requires: - librem_14 - # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480 is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: name: EOL_t480-maximized target: EOL_t480-maximized @@ -535,21 +535,21 @@ workflows: requires: - EOL_t480-hotp-maximized - # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: - name: t480s-hotp-maximized - target: t480s-hotp-maximized + name: EOL_t480s-hotp-maximized + target: EOL_t480s-hotp-maximized subcommand: "" requires: - - t480-hotp-maximized + - EOL_t480-hotp-maximized - # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: - name: t480s-maximized - target: t480s-maximized + name: EOL_t480s-maximized + target: EOL_t480s-maximized subcommand: "" requires: - - t480s-hotp-maximized + - EOL_t480-hotp-maximized # dasharo release, share 24.02.01 utils/crossgcc - build: diff --git a/boards/t480s-hotp-maximized/t480s-hotp-maximized.config b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config similarity index 89% rename from boards/t480s-hotp-maximized/t480s-hotp-maximized.config rename to boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config index ea1417711..d6f3024b5 100644 --- a/boards/t480s-hotp-maximized/t480s-hotp-maximized.config +++ b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config @@ -1,3 +1,4 @@ +# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use # Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) # # CAVEATS: diff --git a/boards/t480s-maximized/t480s-maximized.config b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config similarity index 89% rename from boards/t480s-maximized/t480s-maximized.config rename to boards/EOL_t480s-maximized/EOL_t480s-maximized.config index 997fd8369..fb27389dd 100644 --- a/boards/t480s-maximized/t480s-maximized.config +++ b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config @@ -1,3 +1,4 @@ +# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use # Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec) # # CAVEATS: From 61b5cf5d296fd3195b4c092a7af30ab4bbe59ea4 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 16 Nov 2025 16:59:06 -0500 Subject: [PATCH 09/14] t480/t480s - add patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch Repro: git fetch https://review.coreboot.org/coreboot refs/changes/23/90023/2 && git format-patch -1 --stdout FETCH_HEAD > patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch echo "bogus" | sudo tee build/x86/coreboot-25.09/.canary ./repro_prod.sh BOARD=EOL-t480s-maximized This can be seen per https://review.coreboot.org/c/coreboot/+/90023: - click download button - copy paste section "format patch" : "git fetch https://review.coreboot.org/coreboot refs/changes/23/90023/2 && git format-patch -1 --stdout FETCH_HEAD" - append redirection to where patch is desired "> patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch" - this gives the patch command line + redirection to file so Heads applies it - overwrite coreboot canary file with bogus content so that next build resync coreboot tree and reapplies patches - launch build for board Signed-off-by: Thierry Laurion --- ...06-mb-lenovo-t480-Fix-headphone-jack.patch | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch diff --git a/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch b/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch new file mode 100644 index 000000000..482b31c8c --- /dev/null +++ b/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch @@ -0,0 +1,79 @@ +From 95532d31c348cfa3d847885e7c4d7d2b97b1d7d7 Mon Sep 17 00:00:00 2001 +From: Arthur Heymans +Date: Thu, 13 Nov 2025 15:45:46 +0100 +Subject: [PATCH] mb/lenovo/t480: Fix headphone jack + +Add additional register configuration for the Realtek ALC257 audio +codec on the Lenovo ThinkPad T480. This includes: + +- Hidden register SW reset sequence +- ClassD 2W amplifier configuration +- Jack detection (JD1) setup for headphone port +- Silence data mode threshold setting at -84dB + +Shamelessly taken from google/brya/variants/pujjolo/hda_verb.c + +Change-Id: Ib77138d782ceb9feeaef82935bc1c0d5c3066183 +Signed-off-by: Arthur Heymans +--- + .../sklkbl_thinkpad/variants/t480/hda_verb.c | 37 ++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c b/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c +index 3a951ce0dab..e0caff3db51 100644 +--- a/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c ++++ b/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c +@@ -5,7 +5,7 @@ + const u32 cim_verb_data[] = { + 0x10ec0257, // Vendor/Device ID: Realtek ALC257 + 0x17aa225d, // Subsystem ID +- 11, ++ 18, + AZALIA_SUBVENDOR(0, 0x17aa225d), + + AZALIA_PIN_CFG(0, 0x12, AZALIA_PIN_DESC( +@@ -51,6 +51,41 @@ const u32 cim_verb_data[] = { + 1, 15 + )), + ++ //==========Widget node 0x20 - 0 :Hidden register SW reset ++ 0x0205001A, ++ 0x0204C003, ++ 0x0205001A, ++ 0x0204C003, ++ 0x05850000, ++ 0x0584F880, ++ 0x05850000, ++ 0x0584F880, ++ //==========Widget node 0x20 - 1 : ClassD 2W ++ 0x02050038, ++ 0x02048981, ++ 0x0205001B, ++ 0x02040A4B, ++ //==========Widget node 0x20 - 2 ++ 0x0205003C, ++ 0x02043154, ++ 0x0205003C, ++ 0x02043114, ++ //==========Widget node 0x20 - 3 : ++ 0x02050046, ++ 0x02040004, ++ 0x05750003, ++ 0x057409A3, ++ //==========Widget node 0x20 - 4 :JD1 enable 1JD port for HP JD ++ 0x02050009, ++ 0x02046003, ++ 0x0205000A, ++ 0x02047770, ++ //==========Widget node 0x20 - 5 : Silence data mode Threshold (-84dB) ++ 0x02050037, ++ 0x0204FE15, ++ 0x02050030, ++ 0x02049004, ++ + 0x8086280b, // Vendor/Device ID: Intel Kabylake HDMI + 0x80860101, // Subsystem ID + 4, +-- +2.39.5 + From e4a57de4dcfa858f5b2875fb3909d7dc04386e1b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 16 Nov 2025 17:11:12 -0500 Subject: [PATCH 10/14] config/coreboot-t480s-maximized.config: save changes of version bump in oldconfig format Repro ./docker_repro.sh make BOARD=EOL_t480s-maximized coreboot.modify_and_save_oldconfig_in_place Signed-off-by: Thierry Laurion --- config/coreboot-t480s-maximized.config | 48 ++++++++++++++++++-------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/config/coreboot-t480s-maximized.config b/config/coreboot-t480s-maximized.config index 41cd2493b..d3f2b4efc 100644 --- a/config/coreboot-t480s-maximized.config +++ b/config/coreboot-t480s-maximized.config @@ -17,6 +17,7 @@ CONFIG_COMPILER_GCC=y # CONFIG_FMD_GENPARSER is not set # CONFIG_UTIL_GENPARSER is not set CONFIG_OPTION_BACKEND_NONE=y +# CONFIG_USE_CBFS_FILE_OPTION_BACKEND is not set CONFIG_COMPRESS_RAMSTAGE_LZMA=y # CONFIG_COMPRESS_RAMSTAGE_LZ4 is not set CONFIG_SEPARATE_ROMSTAGE=y @@ -92,6 +93,7 @@ CONFIG_VENDOR_LENOVO=y # CONFIG_VENDOR_LIBRETREND is not set # CONFIG_VENDOR_MITAC_COMPUTING is not set # CONFIG_VENDOR_MSI is not set +# CONFIG_VENDOR_NOVACUSTOM is not set # CONFIG_VENDOR_OCP is not set # CONFIG_VENDOR_OPENCELLULAR is not set # CONFIG_VENDOR_PACKARDBELL is not set @@ -150,6 +152,7 @@ CONFIG_INTEL_GMA_VBT_FILE="src/mainboard/$(MAINBOARDDIR)/variants/$(VARIANT_DIR) # CONFIG_DISABLE_HECI1_AT_PRE_BOOT is not set CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00 CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="T480S" +CONFIG_FSP_FD_PATH="3rdparty/fsp/KabylakeFspBinPkg/Fsp.fd" CONFIG_MAX_SOCKET=1 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0 CONFIG_TPM_PIRQ=0x0 @@ -160,7 +163,6 @@ CONFIG_C_ENV_BOOTBLOCK_SIZE=0x40000 CONFIG_DCACHE_BSP_STACK_SIZE=0x4000 CONFIG_MAX_ACPI_TABLE_SIZE_KB=144 CONFIG_HAVE_INTEL_FIRMWARE=y -CONFIG_USE_LEGACY_8254_TIMER=y CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000 # CONFIG_DRIVERS_INTEL_WIFI is not set CONFIG_IFD_BIN_PATH="@BLOB_DIR@/xx80/t480s_ifd.bin" @@ -170,6 +172,7 @@ CONFIG_MAINBOARD_SUPPORTS_SKYLAKE_CPU=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_CARDBUS_PLUGIN_SUPPORT=y CONFIG_SPI_FLASH_DONT_INCLUDE_ALL_DRIVERS=y +CONFIG_USE_LEGACY_8254_TIMER=y # CONFIG_DEBUG_SMI is not set # CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_ENABLE is not set CONFIG_HAVE_IFD_BIN=y @@ -179,6 +182,7 @@ CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x10000000 # CONFIG_BOARD_LENOVO_THINKPAD_T440P is not set # CONFIG_BOARD_LENOVO_THINKPAD_W541 is not set # CONFIG_BOARD_LENOVO_L520 is not set +# CONFIG_BOARD_LENOVO_M900 is not set # CONFIG_BOARD_LENOVO_THINKCENTRE_M900_TINY is not set # CONFIG_BOARD_LENOVO_M920Q is not set # CONFIG_BOARD_LENOVO_S230U is not set @@ -217,11 +221,14 @@ CONFIG_BOARD_LENOVO_T480S=y # CONFIG_BOARD_LENOVO_X230S is not set # CONFIG_BOARD_LENOVO_X230_EDP is not set # CONFIG_BOARD_LENOVO_X60 is not set -CONFIG_PS2K_EISAID="PNP0303" -CONFIG_PS2M_EISAID="PNP0F13" -CONFIG_THINKPADEC_HKEY_EISAID="IBM0068" +CONFIG_PS2K_EISAID="LEN0071" +CONFIG_PS2M_EISAID="LEN0094" +CONFIG_THINKPADEC_HKEY_EISAID="LEN0268" CONFIG_GFX_GMA_PANEL_1_PORT="eDP" CONFIG_BOARD_LENOVO_SKLKBL_THINKPAD_COMMON=y +CONFIG_EDK2_BOOT_MANAGER_ESCAPE=y +CONFIG_EDK2_FOLLOW_BGRT_SPEC=y +CONFIG_VARIANT_HAS_DGPU=y # CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set CONFIG_POWER_STATE_DEFAULT_ON_AFTER_FAILURE=y CONFIG_D3COLD_SUPPORT=y @@ -280,6 +287,7 @@ CONFIG_SMM_RESERVED_SIZE=0x200000 CONFIG_SMM_MODULE_STACK_SIZE=0x800 CONFIG_ACPI_BERT_SIZE=0x0 CONFIG_DRIVERS_I2C_DESIGNWARE_CLOCK_MHZ=120 +CONFIG_CPU_PT_ROM_MAP_GB=512 CONFIG_PRERAM_CBFS_CACHE_SIZE=0x4000 CONFIG_DOMAIN_RESOURCE_32BIT_LIMIT=0xe0000000 CONFIG_ACPI_CPU_STRING="CP%02X" @@ -297,7 +305,6 @@ CONFIG_SOC_INTEL_I2C_DEV_MAX=6 CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_M_VAL=0x30 CONFIG_SOC_INTEL_COMMON_LPSS_UART_CLK_N_VAL=0xc35 CONFIG_FSP_HEADER_PATH="3rdparty/fsp/KabylakeFspBinPkg/Include/" -CONFIG_FSP_FD_PATH="3rdparty/fsp/KabylakeFspBinPkg/Fsp.fd" CONFIG_SOC_INTEL_COMMON_DEBUG_CONSENT=0 CONFIG_INTEL_GMA_BCLV_OFFSET=0xc8254 CONFIG_INTEL_GMA_BCLV_WIDTH=16 @@ -315,12 +322,16 @@ CONFIG_SOC_INTEL_GFX_FRAMEBUFFER_OFFSET=0x0 CONFIG_PCIE_LTR_MAX_SNOOP_LATENCY=0x1003 CONFIG_PCIE_LTR_MAX_NO_SNOOP_LATENCY=0x1003 CONFIG_SOC_PHYSICAL_ADDRESS_WIDTH=0 +CONFIG_DEBUG_STACK_OVERFLOW_BREAKPOINTS=y +CONFIG_RAMSTAGE_CBFS_CACHE_SIZE=0x4000 +CONFIG_CBFS_CACHE_ALIGN=8 CONFIG_SOC_INTEL_COMMON_SKYLAKE_BASE=y CONFIG_SOC_INTEL_KABYLAKE=y +# CONFIG_ALWAYS_ALLOW_ABOVE_4G_ALLOCATION is not set CONFIG_FSP_T_LOCATION=0xfffe0000 CONFIG_SOC_INTEL_COMMON_BLOCK_P2SB=y CONFIG_FIXED_SMBUS_IO_BASE=0xefa0 -CONFIG_CBFS_CACHE_ALIGN=8 +CONFIG_UART_BITBANG_TX_DELAY_MS=5 CONFIG_SOC_INTEL_COMMON=y # @@ -358,10 +369,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_PRMRR_SIZE_0MB=y CONFIG_SOC_INTEL_COMMON_BLOCK_CSE=y CONFIG_SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PCR=y CONFIG_SOC_INTEL_CSE_FMAP_NAME="SI_ME" -CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME="ME_RW_A" -CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME="ME_RW_B" CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME="me_rw" -CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME="me_rw.hash" CONFIG_SOC_INTEL_CSE_RW_VERSION_CBFS_NAME="me_rw.version" CONFIG_SOC_INTEL_CSE_RW_FILE="" CONFIG_SOC_INTEL_CSE_RW_VERSION="" @@ -502,11 +510,12 @@ CONFIG_EC_ACPI=y CONFIG_EC_LENOVO_H8=y CONFIG_H8_BEEP_ON_DEATH=y CONFIG_H8_FLASH_LEDS_ON_DEATH=y -# CONFIG_H8_SUPPORT_BT_ON_WIFI is not set +CONFIG_H8_SUPPORT_BT_ON_WIFI=y # CONFIG_H8_FN_CTRL_SWAP is not set CONFIG_H8_HAS_BAT_THRESHOLDS_IMPL=y CONFIG_H8_HAS_PRIMARY_FN_KEYS=y CONFIG_H8_HAS_LEDLOGO=y +CONFIG_EC_LENOVO_MEC1653=y CONFIG_EC_LENOVO_PMH7=y # @@ -542,7 +551,6 @@ CONFIG_ARCH_ALL_STAGES_X86_32=y CONFIG_RESERVED_PHYSICAL_ADDRESS_BITS_SUPPORT=y CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y CONFIG_POSTRAM_CBFS_CACHE_IN_BSS=y -CONFIG_RAMSTAGE_CBFS_CACHE_SIZE=0x4000 CONFIG_PC80_SYSTEM=y CONFIG_POSTCAR_STAGE=y CONFIG_BOOTBLOCK_SIMPLE=y @@ -607,6 +615,8 @@ CONFIG_INTEL_GMA_ADD_VBT=y # CONFIG_SOFTWARE_I2C is not set CONFIG_I2C_TRANSFER_TIMEOUT_US=500000 CONFIG_RESOURCE_ALLOCATION_TOP_DOWN=y +CONFIG_DRAM_SUPPORT_DDR4=y +CONFIG_DRAM_SUPPORT_DDR3=y # end of Devices # @@ -630,6 +640,7 @@ CONFIG_TPM_INIT_RAMSTAGE=y CONFIG_DRIVERS_UART=y # CONFIG_DRIVERS_UART_OXPCIE is not set # CONFIG_VPD is not set +# CONFIG_DRIVERS_EMULATION_QEMU_FW_CFG is not set # CONFIG_DRIVERS_GENERIC_CBFS_SERIAL is not set # CONFIG_DRIVERS_GENERIC_CBFS_UUID is not set # CONFIG_DRIVERS_GENESYSLOGIC_GL9750 is not set @@ -637,10 +648,10 @@ CONFIG_DRIVERS_UART=y # CONFIG_DRIVERS_GENESYSLOGIC_GL9763E is not set CONFIG_DRIVERS_I2C_DESIGNWARE=y # CONFIG_DRIVERS_I2C_MAX98396 is not set +CONFIG_DRIVERS_INTEL_DTBT=y CONFIG_FSP_USE_REPO=y # CONFIG_DISPLAY_HOBS is not set # CONFIG_DISPLAY_UPD_DATA is not set -# CONFIG_BMP_LOGO is not set CONFIG_PLATFORM_USES_FSP2_0=y CONFIG_PLATFORM_USES_FSP2_X86_32=y CONFIG_HAVE_INTEL_FSP_REPO=y @@ -650,7 +661,6 @@ CONFIG_FSP_M_CBFS="fspm.bin" CONFIG_FSP_FULL_FD=y CONFIG_FSP_T_RESERVED_SIZE=0x0 CONFIG_FSP_M_XIP=y -CONFIG_HAVE_FSP_LOGO_SUPPORT=y CONFIG_FSP_COMPRESS_FSP_S_LZ4=y CONFIG_SOC_INTEL_COMMON_FSP_RESET=y CONFIG_USE_FSP_NOTIFY_PHASE_POST_PCI_ENUM=y @@ -658,7 +668,6 @@ CONFIG_USE_FSP_NOTIFY_PHASE_READY_TO_BOOT=y CONFIG_USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE=y # CONFIG_DISPLAY_FSP_TIMESTAMPS is not set # CONFIG_BUILDING_WITH_DEBUG_FSP is not set -CONFIG_INTEL_INT15=y CONFIG_INTEL_GMA_ACPI=y CONFIG_VBT_CBFS_COMPRESSION_LZMA=y # CONFIG_VBT_CBFS_COMPRESSION_LZ4 is not set @@ -707,6 +716,7 @@ CONFIG_TPM2=y CONFIG_TPM=y CONFIG_MAINBOARD_HAS_TPM2=y # CONFIG_DEBUG_TPM is not set +# CONFIG_TPM_MEASURE_MRC_CACHE is not set # CONFIG_TPM_LOG_CB is not set CONFIG_TPM_LOG_TPM2=y # CONFIG_TPM_HASH_SHA1 is not set @@ -813,6 +823,9 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage" # CONFIG_PXE is not set CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz" +# CONFIG_COMPRESSED_PAYLOAD_NONE is not set +CONFIG_COMPRESSED_PAYLOAD_LZMA=y +# CONFIG_COMPRESSED_PAYLOAD_LZ4 is not set CONFIG_COMPRESS_SECONDARY_PAYLOAD=y # @@ -876,6 +889,13 @@ CONFIG_HWBASE_DYNAMIC_MMIO=y CONFIG_HWBASE_DEFAULT_MMCONF=0xe0000000 CONFIG_HWBASE_DIRECT_PCIDEV=y CONFIG_DECOMPRESS_OFAST=y + +# +# Boot Logo Configuration +# +# CONFIG_BMP_LOGO is not set +# end of Boot Logo Configuration + CONFIG_WARNINGS_ARE_ERRORS=y CONFIG_MAX_REBOOT_CNT=3 CONFIG_RELOCATABLE_MODULES=y From eefd0be5d229a7e0f003cddd670f6e4c692cbc0c Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 16 Nov 2025 17:21:04 -0500 Subject: [PATCH 11/14] .circleci/config.yml + blobs/xx80/t480(s)_download_clean_deguard_me_pad_tb.sh : unify and fix t480s from t480 25.09 coreboot version bump Also fix paths in board configs to targets that were renamed to be different for t480/t480s (This is why we hate bitroting PR) Signed-off-by: Thierry Laurion --- .circleci/config.yml | 6 ++---- blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh | 1 + blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh | 6 +++++- .../EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config | 2 +- boards/EOL_t480-maximized/EOL_t480-maximized.config | 2 +- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4a7e7fd33..13116abf9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -528,7 +528,7 @@ workflows: requires: - librem_14 - # t480 is based on 25.09 coreboot release, not sharing any buildstack from now, depend on muscl-cross cache + # t480 is based on 25.09 coreboot release - build: name: EOL_t480-maximized target: EOL_t480-maximized @@ -536,7 +536,6 @@ workflows: requires: - EOL_t480-hotp-maximized - # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: name: EOL_t480s-hotp-maximized target: EOL_t480s-hotp-maximized @@ -544,7 +543,6 @@ workflows: requires: - EOL_t480-hotp-maximized - # t480s is based on 24.12 coreboot release, not sharing any buildstack from now, depend on muslc-cross cache - build: name: EOL_t480s-maximized target: EOL_t480s-maximized @@ -560,7 +558,7 @@ workflows: requires: - novacustom-nv4x_adl - #NovaCustom v56 boards are based on coreboot 24.02.01 fork, so depend on x230 + #NovaCustom v56 boards are based on coreboot 24.02.01 fork, so depend on nv4x_adl - build: name: novacustom-v560tu target: novacustom-v560tu diff --git a/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh index 46a11f01f..3bd83140e 100755 --- a/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh +++ b/blobs/xx80/t480_download_clean_deguard_me_pad_tb.sh @@ -82,6 +82,7 @@ function download_and_clean() { # Some more general info on shrinking: # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot + # MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" rm -rf ./* popd || exit diff --git a/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh index 727973122..0008cec89 100755 --- a/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh +++ b/blobs/xx80/t480s_download_clean_deguard_me_pad_tb.sh @@ -72,11 +72,15 @@ function download_and_clean() { extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin" - # Neutralize and shrink Intel ME. Note that this doesn't include + # Deactivate, partially neuter and shrink Intel ME. Note that this doesn't include # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., # High Assurance Program) bits, as they are defined within the Flash # Descriptor. # However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function. + # For ME 11.x this means we must keep the rbe, bup, kernel and syslib modules. + # https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F#me-versions-from-11x-skylake-1 + # Furthermore, deguard requires keeping the MFS, the HAP bit set, and we cannot relocate the FTPR partition. + # Some more general info on shrinking: # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot # MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition diff --git a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config index 9d848ea1c..c7cc76787 100644 --- a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config +++ b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config @@ -97,4 +97,4 @@ export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs diff --git a/boards/EOL_t480-maximized/EOL_t480-maximized.config b/boards/EOL_t480-maximized/EOL_t480-maximized.config index a7d2ac491..1a1ff3fc3 100644 --- a/boards/EOL_t480-maximized/EOL_t480-maximized.config +++ b/boards/EOL_t480-maximized/EOL_t480-maximized.config @@ -97,4 +97,4 @@ export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOARD_NAME="Thinkpad T480-maximized" export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" -BOARD_TARGETS := xx80_me_blobs +BOARD_TARGETS := t480_me_blobs From 024c069cc26eb3fae9ed8491229dcc71afcc609f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 16 Nov 2025 18:29:49 -0500 Subject: [PATCH 12/14] BOARDS_AND_TESTERS.md: add t480s self reported board testers in PR @thickfont @kjkent @HarleyGodfrey @nestire Signed-off-by: Thierry Laurion --- BOARDS_AND_TESTERS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/BOARDS_AND_TESTERS.md b/BOARDS_AND_TESTERS.md index e1e84f64a..2c52b97bc 100644 --- a/BOARDS_AND_TESTERS.md +++ b/BOARDS_AND_TESTERS.md @@ -60,6 +60,7 @@ xx4x (Haswell: Intel 4th Gen CPU) xx8x (Kaby Lake Refresh: Intel 8th Gen Mobile : ESU ended 12/31/2024) === - [ ] t480: @gaspar-ilom @doritos4mlady @MattClifton76 @notgivenby @akunterkontrolle +- [ ] t480s: @thickfont @kjkent @HarleyGodfrey @nestire Librem === From 44f2a760de4c4745b01c2b3fe22d183199c55c5a Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 20 Nov 2025 11:09:30 -0500 Subject: [PATCH 13/14] Revert "t480/t480s - add patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch" This reverts commit 61b5cf5d296fd3195b4c092a7af30ab4bbe59ea4. Repro to resync coreboot repo + reapply patches: echo "bogus" | sudo tee build/x86/coreboot-25.09/.canary ./docker_repro.sh make BOARD=EOL_t480s-maximized patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch was not tested against t480 and this is t480s PR. For those interested into bringing the patch back to t480 and test it, see commit details of 61b5cf5d296fd3195b4c092a7af30ab4bbe59ea4. Signed-off-by: Thierry Laurion --- ...06-mb-lenovo-t480-Fix-headphone-jack.patch | 79 ------------------- 1 file changed, 79 deletions(-) delete mode 100644 patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch diff --git a/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch b/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch deleted file mode 100644 index 482b31c8c..000000000 --- a/patches/coreboot-25.09/0006-mb-lenovo-t480-Fix-headphone-jack.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 95532d31c348cfa3d847885e7c4d7d2b97b1d7d7 Mon Sep 17 00:00:00 2001 -From: Arthur Heymans -Date: Thu, 13 Nov 2025 15:45:46 +0100 -Subject: [PATCH] mb/lenovo/t480: Fix headphone jack - -Add additional register configuration for the Realtek ALC257 audio -codec on the Lenovo ThinkPad T480. This includes: - -- Hidden register SW reset sequence -- ClassD 2W amplifier configuration -- Jack detection (JD1) setup for headphone port -- Silence data mode threshold setting at -84dB - -Shamelessly taken from google/brya/variants/pujjolo/hda_verb.c - -Change-Id: Ib77138d782ceb9feeaef82935bc1c0d5c3066183 -Signed-off-by: Arthur Heymans ---- - .../sklkbl_thinkpad/variants/t480/hda_verb.c | 37 ++++++++++++++++++- - 1 file changed, 36 insertions(+), 1 deletion(-) - -diff --git a/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c b/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c -index 3a951ce0dab..e0caff3db51 100644 ---- a/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c -+++ b/src/mainboard/lenovo/sklkbl_thinkpad/variants/t480/hda_verb.c -@@ -5,7 +5,7 @@ - const u32 cim_verb_data[] = { - 0x10ec0257, // Vendor/Device ID: Realtek ALC257 - 0x17aa225d, // Subsystem ID -- 11, -+ 18, - AZALIA_SUBVENDOR(0, 0x17aa225d), - - AZALIA_PIN_CFG(0, 0x12, AZALIA_PIN_DESC( -@@ -51,6 +51,41 @@ const u32 cim_verb_data[] = { - 1, 15 - )), - -+ //==========Widget node 0x20 - 0 :Hidden register SW reset -+ 0x0205001A, -+ 0x0204C003, -+ 0x0205001A, -+ 0x0204C003, -+ 0x05850000, -+ 0x0584F880, -+ 0x05850000, -+ 0x0584F880, -+ //==========Widget node 0x20 - 1 : ClassD 2W -+ 0x02050038, -+ 0x02048981, -+ 0x0205001B, -+ 0x02040A4B, -+ //==========Widget node 0x20 - 2 -+ 0x0205003C, -+ 0x02043154, -+ 0x0205003C, -+ 0x02043114, -+ //==========Widget node 0x20 - 3 : -+ 0x02050046, -+ 0x02040004, -+ 0x05750003, -+ 0x057409A3, -+ //==========Widget node 0x20 - 4 :JD1 enable 1JD port for HP JD -+ 0x02050009, -+ 0x02046003, -+ 0x0205000A, -+ 0x02047770, -+ //==========Widget node 0x20 - 5 : Silence data mode Threshold (-84dB) -+ 0x02050037, -+ 0x0204FE15, -+ 0x02050030, -+ 0x02049004, -+ - 0x8086280b, // Vendor/Device ID: Intel Kabylake HDMI - 0x80860101, // Subsystem ID - 4, --- -2.39.5 - From d60cb9fa1e4d8fd2b0cd4ffebcbe9c9b32212bcc Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 20 Nov 2025 11:42:08 -0500 Subject: [PATCH 14/14] blobs/xx30/optiplex_7010_9010.sh: unrelated mirror switch for sinit blob; archive.org maintenance (put as backup, not main dl source) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As can be seen on CircleCI: https://app.circleci.com/pipelines/github/linuxboot/heads/989/workflows/df78eba2-c9c3-4012-8b76-74f03ca8ecf7/jobs/25806/parallel-runs/0/steps/0-109 repro: user@heads-master:~/heads$ wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 --2025-11-20 11:37:22-- http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 Resolving web.archive.org (web.archive.org)... 207.241.237.3 Connecting to web.archive.org (web.archive.org)|207.241.237.3|:80... connected. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://web.archive.org/sry [following] --2025-11-20 11:37:22-- https://web.archive.org/sry Connecting to web.archive.org (web.archive.org)|207.241.237.3|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 11834 (12K) [text/html] Saving to: ‘630744’ 630744 100%[=====================================================================================================================>] 11.56K --.-KB/s in 0.001s 2025-11-20 11:37:22 (10.2 MB/s) - ‘630744’ saved [11834/11834] user@heads-master:~/heads$ cat 630744 Internet Archive: Scheduled Maintenance

Temporarily Offline

Internet Archive services are temporarily offline.

Please check our official accounts, including Twitter/X, Bluesky or Mastodon for the latest information.

We apologize for the inconvenience.

Related Bluesky post: https://bsky.app/profile/archive.org/post/3m62vw5dsr22r Signed-off-by: Thierry Laurion --- blobs/xx30/optiplex_7010_9010.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/blobs/xx30/optiplex_7010_9010.sh b/blobs/xx30/optiplex_7010_9010.sh index 8bd753a27..20f71a843 100755 --- a/blobs/xx30/optiplex_7010_9010.sh +++ b/blobs/xx30/optiplex_7010_9010.sh @@ -32,15 +32,15 @@ if [[ ! -f "${output_dir}/IVB_BIOSAC_PRODUCTION.bin" ]] || [[ ! -f "${output_dir mv IVB_BIOSAC_PRODUCTION.bin "${output_dir}/" #Download sinit + if wget https://dl.3mdeb.com/mirror/intel/acm/SNB_IVB_SINIT_20190708_PW.bin -O "${output_dir}/SNB_IVB_SINIT_20190708_PW.bin"; then + # As per https://github.com/Dasharo/dasharo-issues/issues/1283#issuecomment-3178940096 : use 3mdeb's intel mirror for sinit blob + popd || exit # Original URL got rid of needed file, keeping original URL. Let's use archive.org #wget https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip - if wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip; then + elif wget http://web.archive.org/web/20230712081031/https://cdrdv2.intel.com/v1/dl/getContent/630744 -O sinit.zip; then unzip sinit.zip mv 630744_002/SNB_IVB_SINIT_20190708_PW.bin "${output_dir}/" popd || exit - elif wget https://dl.3mdeb.com/mirror/intel/acm/SNB_IVB_SINIT_20190708_PW.bin -O "${output_dir}/SNB_IVB_SINIT_20190708_PW.bin"; then - # As per https://github.com/Dasharo/dasharo-issues/issues/1283#issuecomment-3178940096 : use 3mdeb's intel mirror for sinit blob - popd || exit else echo "Can't download sinit blob, failing" exit 1