summaryrefslogtreecommitdiff
path: root/config/coreboot/t480_fsp_16mb
AgeCommit message (Collapse)Author
12 dayst480/3050micro: disable hyperthreadingLeah Rowe
Hyperthreading is a risk factor for spectre/meltdown and other attacks. Disabling it is a best practise. Those who need it can always turn this option back on. Otherwise, disabling it by default is a simply courtesy to the average user, in the interest of security. Signed-off-by: Leah Rowe <leah@libreboot.org>
12 dayst480/t480s: Disable TPM2 to mitigate SeaBIOS lagLeah Rowe
SeaBIOS was lagging a lot, on startup and when executing almost any payload, especially when doing anything in the ESC menu. I set the debug level to *21*, and thoroughly analysed the logs. I found entries such as this: Checking for bootsplash WARNING - Timeout at wait_reg8:81! TCGBIOS: Return value from sending TPM2_CC_StirRandom = 0x00000000 WARNING - Timeout at wait_reg8:81! TCGBIOS: Return value from sending TPM2_CC_GetRandom = 0x00000000 WARNING - Timeout at wait_reg8:81! TCGBIOS: Return value from sending TPM2_CC_HierarchyChangeAuth = 0x00000000 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc16e WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc1c5 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc211 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc25d WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc2a9 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc2f5 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc341 WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc38d WARNING - Timeout at wait_reg8:81! TCGBIOS: LASA = 0x7a9fc000, next entry = 0x7a9fc3d9 Searching bootorder for: HALT Mapping hd drive 0x000f49e0 to 0 I'm not quite certain what the problem is, but disabling TPM2 made the problem go away; SeaBIOS is snappy again. TPM is security threatre anyway. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-27add spdx headers to various config filesLeah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-26vendor.sh: Handle FSP insertion post-releaseLeah Rowe
The Libreboot 20241206 release provided FSP pre-assembled and inserted into the ROM images; the only file inserted by vendor.sh was the Intel ME. Direct distribution of an unmodified FSP image is permitted by Intel, provided that the license notice is given among other requirements. Due to how coreboot works, it must split up the FSP into subcomponents, and adjust certain pointers within the -M component (for raminit). Such build-time modifications are perfectly fine in a coreboot context, where it is expected that you are building from source. The end result is simply what you use. In a distribution such as Libreboot, where we provide pre-built images, this becomes problematic. It's a technicality of the license, and it seems that Intel themselves probably intended for Libreboot to use the FSP this way anyway, since it is they who seem to be the author of SplitFspBin.py, which is the utility that coreboot uses for splitting up the FSP image. Due to the technicality of the licensing, the FSP shall now be scrubbed from releases, and re-inserted. Coreboot was inserting the -S component with LZ4 compression, which is bad news for ./mk inject beacuse the act of compression is currently not reproducible. Therefore, coreboot has been modified not to compress this section, and the inject command doesn't compress it either. This means that the S file is using about 180KB in flash, instead of about 140KB. This is totally OK. The _fsp targets are retained, but set to release=n, because these targets *still* don't scrub fsp.bin; if released, they would include fsp files, so they've been set to release=n. These can be used on older Libreboot release archives, for compatibility. The new ROM images released for the affected machines are: t480_vfsp_16mb t480s_vfsp_16mb dell3050micro_vfsp_16mb Note the use of _vfsp instead of _fsp. These images are released, unlike _fsp, and they lack fspm/fsps in the image. FSP S/M must be inserted using ./mk inject. This has been tested and confirmed to boot just fine. The 20241206 images will be re-compiled and re-uploaded with this and other recent changes, to make Libreboot 20241206 rev8. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-18T480/T480S: Support fetching ThunderBolt firmwareLeah Rowe
Though not used in coreboot builds, and not injected into the builds in any way, these files are now created seperately when handling T480/T480s vendor files: vendorfiles/t480/tb.bin vendorfiles/t480s/tb.bin These are created by extracting Lenovo's ThunderBolt firmware from update files. The updated firmware fixes a bug; older firmware enabled debug commands that wrote logs to the TB controller's own flash IC, and it'd get full up with logs, bricking the controller. If you've already been screwed by this, you must flash externally, using a padded firmware from Lenovo's updates. Lenovo's own updater requires creating a boot CD or booting Windows. This patch in lbmk auto-downloads just the firmware, and you can flash it externally. You could simply do this as a matter of course, when installing Libreboot. You are recommended to update the Lenovo UEFI/EC firmwares first, before installing Libreboot; please look at the Libreboot documentation to know exactly which versions. Then dump the ThunderBolt firmware first, to be sure, and then you can flash these files. Flashing these updates will prevent the bug described here: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t480-type-20l5-20l6/20l5/solutions/ht508988 You can download Lenovo's installers for various ThinkPad models there, including T480s/T480s. It is these downloads that this lbmk patch uses, to extract those files directly. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-10fix t480 spd size (512, not 256)Leah Rowe
this was done with the following command: ./mk -u coreboot t480s_fsp_16mb t480_fsp_16mb it was set to 256 but should be 512. the SPD is what contains configuration data for raminit, which training code uses so that the timings will be correct. if the SPD size is wrong, the machine won't boot in practise, lbmk always runs "make oldconfig" on a coreboot config, before building it, so this was already being corrected automatically at build time. however, if that fact ever changes in the future, this wrong configuration would cause the machines not to boot. therefore, this can be considered a preventative or perhaps pre-emptive bug fix. this fix does not need to be applied to the 20241206 release, because of the behaviour described above. the final ROM images do have the spd size set correctly to 512, because of this design feature in lbmk. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-05Revert "Revert "disable u-boot on thinkpad t480""Leah Rowe
Nope! Bootflow menu is cursed on this machine. Too many issues in U-Boot on this machine. I did however boot a Debian installer after it booted, using bootflow. The installed system wouldn't boot with bootflow, but I could then boot it with "bootefi bootmgr". I'll rig up a uart on the T480 when I get round to it and start investigating U-Boot bugs on this board. I don't want people flashing something that doesn't work. GRUB and SeaBIOS work, so ship those, and don't ship U-Boot. This reverts commit 19ec440a6f79dcbb089715fef814808a0fd40ae0.
2024-12-05Revert "disable u-boot on thinkpad t480"Leah Rowe
u-boot does work after a few reboots. it just boot loops. let it run. it should be able to boot from nvme. sata still needs some work (sata only works in grub, on this machine) This reverts commit cd9baca5d664d392316d94ccaa7deb209d4e1828. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-05disable u-boot on thinkpad t480Leah Rowe
it just bootloops and doesn't seem reliable at the moment Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-02Enable legacy 8254 timer on ThinkPad T480Leah Rowe
I also enabled this on T480S, because otherwise SeaBIOS hung. Enabling it shouldn't cause any harm on the T480, though Mate did say that his machine seemed to work with my setup. However, I believe that was when I gave him the ones that lbmk built with the VGA ROM. Now it builds with libgfxinit, because Mate was able to fix libgfxinit on this machine. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-02libgfxinit on Thinkpad T480Leah Rowe
was previously using the VGA ROM. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-02NEW MAINBOARD: ThinkPad T480SLeah Rowe
Added t480s delta to deguard, for MFS config. Updated coreboot/next to latest t480 patch set, which includes t480s. This porting was done by Mate Kukri. also includes experimental t480s support Also added a data.vbt file (not in the gerrit patch) for the T480s. I had to turn on 8254 legacy timer on t480s, otherwise SeaBIOS would hang. Same issue I saw on OptiPlex 3050 Micro. Minor issue: On S3 resume, nvme0n1 for example got renamed to nvme0n2. This caused a crash if running Linux from the nvme. I confirmed this via live USB distro. So this port will need some tweaking before it can be considered stable. Also uses libgfxinit, which Mate recently fixed. I'm going to enable libgfxinit on regular T480 next. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-12-01NEW MAINBOARD: ThinkPad T480Leah Rowe
This uses the excellent deguard utility, written by the excellent Mate Kukri. A few bugs but it mostly works. Documentation to come shortly, in lbwww.git. Signed-off-by: Leah Rowe <leah@libreboot.org>