Enable vboot on Lenovo devices for measured boot

boards/t420-vboot/t420-vboot.config

@@ -0,0 +1,39 @@
+# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things.
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.12
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t420-vboot.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"

boards/t430-vboot/t430-vboot.config

@@ -0,0 +1,47 @@
+# Configuration for a t430 running Qubes and other OSes
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.12
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-vboot.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad T430 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and t430-flash
+# is installed first.

boards/x220-vboot/x220-vboot.config

@@ -0,0 +1,39 @@
+# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things.
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.12
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x220-vboot.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"

boards/x230-vboot/x230-vboot.config

@@ -0,0 +1,47 @@
+# Configuration for a x230 running Qubes and other OSes
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.12
+export CONFIG_LINUX_VERSION=4.14.62
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-vboot.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.

config/coreboot-t420-vboot.config

@@ -0,0 +1,28 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/t420-vboot/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/t420-vboot/me.bin"
+CONFIG_BOARD_LENOVO_T420=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_NO_POST=y
+CONFIG_GBE_BIN_PATH="../../blobs/t420-vboot/gbe.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t420-vboot/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/t420-vboot/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_FMDFILE="src/mainboard/lenovo/t420/vboot-ro-me_clean.fmd"
+CONFIG_VBOOT=y
+# CONFIG_VBOOT_SLOTS_RW_A is not set
+# CONFIG_VBOOT_SLOTS_RW_AB is not set

config/coreboot-t430-vboot.config

@@ -0,0 +1,30 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+# CONFIG_POST_IO is not set
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-vboot/bzImage"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/t430-vboot/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+CONFIG_FMDFILE="src/mainboard/lenovo/t430/vboot-ro-me_clean.fmd"
+CONFIG_VBOOT=y
+# CONFIG_VBOOT_SLOTS_RW_A is not set
+# CONFIG_VBOOT_SLOTS_RW_AB is not set
+

config/coreboot-x220-vboot.config

@@ -0,0 +1,28 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_ONBOARD_VGA_IS_PRIMARY=y
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_IFD_BIN_PATH="../../blobs/x220-vboot/ifd.bin"
+CONFIG_ME_BIN_PATH="../../blobs/x220-vboot/me.bin"
+CONFIG_BOARD_LENOVO_X220=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_NO_POST=y
+CONFIG_GBE_BIN_PATH="../../blobs/x220-vboot/gbe.bin"
+#CONFIG_DEBUG_TPM=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x220-vboot/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
+CONFIG_LINUX_INITRD="../../build/x220-vboot/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_FMDFILE="src/mainboard/lenovo/x220/vboot-ro-me_clean.fmd"
+CONFIG_VBOOT=y
+# CONFIG_VBOOT_SLOTS_RW_A is not set
+# CONFIG_VBOOT_SLOTS_RW_AB is not set

config/coreboot-x230-vboot.config

@@ -0,0 +1,32 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x710000
+# CONFIG_POST_IO is not set
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-vboot/bzImage"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x230-vboot/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
+CONFIG_FMDFILE="src/mainboard/lenovo/x230/vboot-ro-me_clean.fmd"
+CONFIG_VBOOT=y
+# CONFIG_VBOOT_SLOTS_RW_A is not set
+# CONFIG_VBOOT_SLOTS_RW_AB is not set
+