summaryrefslogtreecommitdiff
path: root/config
AgeCommit message (Collapse)Author
2024-08-13config/coreboot: Add config for Dell Latitude E6330Nicholas Chin
Signed-off-by: Nicholas Chin <nic.c3.14@gmail.com>
2024-08-13config/coreboot: Add config for Dell Latitude E6320Nicholas Chin
Signed-off-by: Nicholas Chin <nic.c3.14@gmail.com>
2024-08-13config/coreboot: Add config for Dell Latitude E6220Nicholas Chin
Signed-off-by: Nicholas Chin <nic.c3.14@gmail.com>
2024-08-12coreboot/x4x: fix build errorLeah Rowe
see relevant patch added in the diff set the clock on x4x boards to 96MHz like on GM45 fixes the following build error on x4x boards: hw-gfx-gma-plls.adb:465:46: error: "INTEL_GMA_DPLL_REF_FREQ" not declared in "Config" make: *** [Makefile:423: build/ramstage/libgfxinit/common/g45/hw-gfx-gma-plls.o] Error 1 Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-11coreboot/default: fix build issue with DDR2 fixLeah Rowe
some of my DDR2 checks were unnecessary, as nicholas pointed out on irc, because they were in places that only ran if DDR2 memory was used anyway. in another, valid place, I was checking the wrong variable for knowing what memory type is used. this patch fixes build errors in lbmk: src/northbridge/intel/gm45/raminit.c: In function 'dram_program_timings': src/northbridge/intel/gm45/raminit.c:1120:29: error: 'sysinfo' undeclared (first use in this function); did you mean 'sysinfo_t'? 1120 | if (sysinfo->spd_type == DDR2) | ^~~~~~~ | sysinfo_t src/northbridge/intel/gm45/raminit.c:1120:29: note: each undeclared identifier is reported only once for each function it appears in src/northbridge/intel/gm45/raminit.c: In function 'ddr2_odt_setup': src/northbridge/intel/gm45/raminit.c:1291:21: error: 'sysinfo' undeclared (first use in this function); did you mean 'sysinfo_t'? 1291 | if (sysinfo->spd_type == DDR2) { | ^~~~~~~ | sysinfo_t make: *** [Makefile:423: build/romstage/northbridge/intel/gm45/raminit.o] Error 1 Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-11fix typo in dell latitude coreboot coreboot configLeah Rowe
these configs were otherwise correct, but i typo'd a variable in them when manually rebasing the old configs, after switching to nicholas's new ports implemented as variants, where the old ones in lbmk were individual board ports for those same boards. Signed-off-by: Leah Rowe <info@minifree.org>
2024-08-11flashprog: bump to 639d563 (2024-08-02)Leah Rowe
The workaround-mx patch was rebased on one section in spi.c, because that part in upstream added QPI support; in the newly rebase mx patch, the workaround_mx behaviour is only honoured if QPI (Quad SPI) is not in use. Quad SPI is not used in practise, on the machines where this workaround is intended (GM45 ThinkPads with Macronix chips). This imports the following upstream changes: * 639d563 README: Update flashprog.org URLs * cbbd601 README: Update dependency list and Linux package names * 79451f1 README: Rename "Packaging" -> "Source Packaging" * 5b4695c README: Dial laptop warning down a little * 7224085 udev rules: Add some more IDs * 448457a ch347_spi: Add CH347F ID and loop over the entries * e39549b ch347_spi: Search for compatible USB interface * dfd0647 ich_descriptors: Refactor component density handling * b2ad9fd ich_descriptors: Make use of SPI_ENGINE_PCH100 marker * 140e22f chipset_enable: Make use of SPI_ENGINE_PCH100 marker * 869f0e7 ichspi: Use `swseq_data' on ICH7 paths too * eeee91b ichspi: Replace all switch/case on `ich_generation' * ecba1d8 ichspi: Drop redundant bail-out cases in ich_set_bbar() * e8babf4 ichspi: Use a single check to enable hwseq for PCH100+ * fda324b ichspi: Introduce SPI_ENGINE_PCH100 marker * a1f6476 ichspi: Split ICH7 init out * 3f75d44 ich_descriptors: Remove `Dual Output Fast Read' for newer gens * 2862011 spi25: Try to set volatile quad-enable (QE) automatically * 4ac536b spi25_statusreg: Allow to write (non-)volatile bits specifically * b1d2bae dediprog: Fix and enable 4BA modes for SF600Plus-G2 * d0afeef dediprog: Disable 4BA modes for SF100 w/ protocol v2 * 1b1deda Implement QPI support * a1b7f35 dediprog: Implement multi-i/o reads * 008a44f dediprog: Split read/write command preparation by protocol * 4760b6e spi25: Implement multi-i/o reads * 0c9af0a spi25: Check quad-enable (QE) bit * 930d421 spi25: Introduce generic spi_prepare_io()/spi_finish_io() * 8d0f465 spi25: Extract 4BA preparations into new `spi25_prepare.c` * 044c9dc Add FT4222H support * fc7c13c linux_gpio2_spi: Implement multi i/o * 5fc3154 bitbang_spi: Implement multi-i/o * d16a911 bitbang_spi: Move API into its own header file * 226bb87 flashchips: Add missing QE-bit definitions * 4fa39c5 flashchips: Fill multi-i/o gaps in MX25U family * 5f50999 flashchips: Fill multi-i/o gaps in MX25R family * 46552c8 flashchips: Fill multi-i/o gaps in MX25L family * 96786d0 flashchips: Fill quad-i/o gaps in XM25Q family * a26a3c6 flashchips: Fill dual-i/o gaps in W25X family * 2133f59 flashchips: Fill quad-i/o gaps in W25Q family * 68573af flashchips: Split GD25Q127C and GD25Q128C * 4da971f flashchips: Fill quad-i/o gaps in GD25*Q families * f7e2d97 spi: Allow to define a quad-enable (QE) configuration bit * 1412d9f spi: Rework FEATURE_QPI * d518563 spi: Prepare for multi i/o and dummy bytes * bd72a47 spi25_statusreg: support reading/writing configuration register * 3d728e7 spi25_statusreg.c: support reading security register * a358b14 flashchips: Split W25Q64.W -> W25Q64DW | W25Q64FW/W25Q64JW...Q * 3127db1 manibuilder: Drop legacy flashrom tag collections * 619d9c0 manibuilder: Use `test_build.sh' * 6560bba manibuilder/almalinux: Install `diffutils' for new `test_build.sh' * c7b549e test_build.sh: Compare output for -L of Make and Meson builds * 72b30a0 test_build.sh: Don't try to run cross-compiled programs * 3d2f212 test_build.sh: Allow to override Make and Meson commands * 4eb9748 test_build.sh: Run tests for both Make and Meson builds * 8279457 manibuilder: Add Alpine Linux 3.18 & 3.19 images * 15e9b10 manibuilder/alpine: Install libjaylink-dev when available * b8b3593 manibuilder: Add images for Fedora 38..40 * 7b05f09 manibuilder: Add images for Ubuntu 24.04 "Noble Numbat" * 5e8b339 manibuilder/anita: Add NetBSD 10.0 i386 & amd64 images * 61da8c7 manibuilder/anita: Export library path for libusb * 39152af manibuilder: Set sourcearcade.org as default source * 20073e7 Properly clear erase-block selection when bigger block is chosen * 3824c8d ichspi: Allow all opcodes when the "opmenu" isn't locked * 0d4354e flashchips: Add W25Q32JV-.M Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-11seabios/default: bump to ec0bc256 (2024-06-24)Leah Rowe
This brings in a single change: commit ec0bc256ae0ea08a32d3e854e329cfbc141f07ad Author: Gerd Hoffmann <kraxel@redhat.com> Date: Mon Jun 24 10:44:09 2024 +0200 limit address space used for pci devices, part two This increases compatibility with i686 hosts, when allocating memory for pci devices. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-11grub/*: Bump to rev b53ec06a1 (2024-06-17)Leah Rowe
Of note: upstream has made several improvements to memory management, and several fixes to file systems. User-friendly change to LUKS: if the passphrase input failed, the user is prompted again for the correct passphrase, instead of GRUB just failing. Similar to cryptsetup luksOpen behaviour under Linux. This pulls in the following changes from upstream (gnu.org): * b53ec06a1 util/grub-mkrescue: Check existence of option arguments * ab9fe8030 loader/efi/fdt: Add fdtdump command to access device tree * 0cfec355d osdep/devmapper/getroot: Unmark 2 strings for translation * f171122f0 loader/emu/linux: Fix determination of program name * 828717833 disk/cryptodisk: Fix translatable message * 9a2134a70 tests: Add test for ZFS zstd * f96df6fe9 fs/zfs/zfs: Add support for zstd compression * 55d35d628 kern/efi/mm: Detect calls to grub_efi_drop_alloc() with wrong page counts * 61f1d0a61 kern/efi/mm: Change grub_efi_allocate_pages_real() to call semantically correct free function * dc0a3a27d kern/efi/mm: Change grub_efi_mm_add_regions() to keep track of map allocation size * b990df0be tests/util/grub-fs-tester: Fix EROFS label tests in grub-fs-tester * d41c64811 tests: Switch to requiring exfatprogs from exfat-utils * c1ee4da6a tests/util/grub-shell-luks-tester: Fix detached header test getting wrong header path * c22e052fe tests/util/grub-shell: Add flexibility in QEMU firmware handling * d2fc9dfcd tests/util/grub-shell: Use pflash instead of -bios to load UEFI firmware * 88a7e64c2 tests/util/grub-shell: Print gdbinfo if on EFI platform * b8d29f114 configure: Add Debian/Ubuntu DejaVu font path * 13b315c0a term/ns8250-spcr: Add one more 16550 debug type * 8abec8e15 loader/i386/multiboot_mbi: Fix handling of errors in broken aout-kludge * d35ff2251 net/drivers/ieee1275/ofnet: Remove 200 ms timeout in get_card_packet() to reduce input latency * 86df79275 commands/efi/tpm: Re-enable measurements on confidential computing platforms * 0b4d01794 util/grub-mkpasswd-pbkdf2: Simplify the main function implementation * fa36f6376 kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power * c464f1ec3 fs/zfs/zfs: Mark vdev_zaps_v2 and head_errlog as supported * 2ffc14ba9 types: Add missing casts in compile-time byteswaps * c6ac49120 font: Add Fedora-specific font paths * 5e8989e4e fs/bfs: Fix improper grub_free() on non-existing files * c806e4dc8 io/gzio: Properly init a table * 243682baa io/gzio: Abort early when get_byte() reads nothing * bb65d81fe cli_lock: Add build option to block command line interface * 56e58828c fs/erofs: Add tests for EROFS in grub-fs-tester * 9d603061a fs/erofs: Add support for the EROFS * 1ba39de62 safemath: Add ALIGN_UP_OVF() which checks for an overflow * d291449ba docs: Fix spelling mistakes * 6cc2e4481 util/grub.d/00_header.in: Quote background image pathname in output * f456add5f disk/lvm: GRUB fails to detect LVM volumes due to an incorrect computation of mda_end * 386b59ddb disk/cryptodisk: Allow user to retry failed passphrase * 99b4c0c38 disk/mdraid1x_linux: Prevent infinite recursion * b272ed230 efi: Fix stack protector issues * 6744840b1 build: Track explicit module dependencies in Makefile.core.def Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-10coreboot/fam15h: only use this, for amd boardsLeah Rowe
it is identical to fam15h_rdimm, with _udimm now removed; the latter had a patch that added certain behaviour only intended for rdimm, but the patch in question breaks various configurations. raminit has always been unreliable on these boards. i'd rather simplify it all, in lbmk. i'll probably update this to the dasharo tree later on, specificalyl for kgpe-d16 Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-10coreboot/default: re-merge coreboot/i945Leah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-10coreboot/default: merge coreboot/haswellLeah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-09coreboot/dell: merge into coreboot/defaultLeah Rowe
The libgfxinit patch and other patches e.g. DDR2 fix, are now provided in coreboot/default. The Latitude E6400 is now using the newer coreboot revision from late July 2024. Some other configs had to change because of this, relating to the new way that Nicholas handles timing on LVDS displays with the E6400 port; a default 96MHz clock is still used for pixel reference clock, overridden with a value of 100MHz on other GM45 machines, where 96MHz was previously hardcoded. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-09coreboot/default: Update to 97bc693ab (2024-07-29)Leah Rowe
Several patches are now merged upstream and no longer needed in lbmk, such as the HP EliteBook 8560w patch, and related patches. Some patches were changed, for example the Dell Latitude ivb/snb laptops are now variants in coreboot, instead of being individual ports; now they re-use the same base code. This this, the corresponding files under config/submodules have changed, for things like 3rdparty submodules e.g. libgfxinit, and tarballs e.g. crossgcc. This is long overdue, and will enable more boards to be added. This newer revision will be used in the next release, and some follow-up patches will merge these trees into default: * coreboot/haswell * coreboot/dell Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-28fix hp8200sff_4mb ifd file (pd region)Leah Rowe
see bug report: https://codeberg.org/libreboot/lbmk/issues/228 The layout specified incorrect boundaries for the pd region. With this change, it should flash and boot reliably. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-28uefitool: Only define ACCESSPERMS on *nixLeah Rowe
I re-read the modified code, and it has defines in place for building on Windows; I was defining ACCESSPERMS universally, but it should only be defined for non-Windows systems, which the context in this code means Linux/BSD. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-28uefitool: Add patch working around musl libc issueLeah Rowe
musl libc is very conservative in what it implements, preferring a very "pure" libc implementation. this means that it lacks many of the niceties found in others like the GNU C Library; the latter implements many BSD libc extensions, for example. ACCESSPERMS is a #define in BSD libc that does: S_IRWXU | S_IRWXG | S_IRWXO Essentially, it provides a bitwise OR providing chmod 0777, which can be used as shorthand in calls to functions such as mkdir() available in all libc implementations. In the case of uefitool, this define is indeed used on mkdir. Conditionally re-define ACCESSPERMS, if undefined, so that musl libc can be used when building uefitool. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-22rom.sh: re-add seabios-only roms and grub keymapsLeah Rowe
this time, only handle multiple keymaps on seagrub images. for images where seabios is first but does not immediately load grub, whether grub is still available in flash, just do one image (US Qwerty) this still results in fewer images per target than Libreboot 20240612, but should prevent most users from being annoyed. i got a few people asking repeatedly, and i hadn't documented yet how to add keymap.gkb or how to remove bootorder, to get a different keymap or disable seagrub respectively. i anticipate that i'll get such questions a lot, even if i do document it, so i'm reversing that decision. it doesn't result in much extra code. the new design in lbmk makes this sort of thing much simpler. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-21include/rom.sh: use ccache when building corebootLeah Rowe
ccache now required, in build dependencies Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-11u-boot: Fix display initialization on gru boardsAlper Nebi Yasak
U-Boot has migrated to using upstream device-tree files for gru boards, but the clock driver doesn't yet support setting rates for a certain clock that upstream uses for the eDP display. It happens to work without it, so for now remove the clock setting until the driver is fixed. Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2024-07-11u-boot: Avoid breaking build for U-Boot-only binman imagesAlper Nebi Yasak
Commit 46e01c0e1dad ("u-boot: Avoid building U-Boot-only binman images") added a patch that prevents an error while building U-Boot, due to some U-Boot images needing a copy of BL31 that we are not passing in. Removing build instructions for these images isn't really necessary, when we can instead tell the build tool that it shouldn't exit with an error. It checks a BINMAN_ALLOW_MISSING environment variable for this, but just unconditionally replace the check with the argument. Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2024-07-11u-boot: Update to v2024.07Alper Nebi Yasak
Set default U-Boot revision to v2024.07 and rebase patches on top of that. One patch that fixes drawing box characters (UTF-8 to CP437) had an alternative merged, another hack we have to fix regulator issues is no longer neccessary as the issue is fixed, and my QEMU patches were merged upstream, so drop these patches. One patch we have to disable binman images can be replaced by a simpler alternative so drop it too. Upstream kconfig status is still unstable, so updating configs with `make oldconfig` would miss important upstream changes, since they rely on carrying defaults via upstream defconfigs. Update the configs as such, like before: - Turn old configs into defconfigs (./update trees -s u-boot) - Save the diff from old upstream defconfig (diffconfig $theirs $ours) - Update U-Boot revision, rebase patches, and clean old trees - Prepare new U-Boot tree (./update trees -f u-boot) - Review the diffconfigs to see if any options were renamed upstream - Copy over the new upstream defconfigs and apply earlier diff - Turn new defconfigs into configs (./update trees -l u-boot) Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2024-07-10trees: remove project-specific hacksLeah Rowe
move the coreboot-specific includes into mkhelper.cfg for that project. on some projects, we need variables from mkhelper.cfg to be global, so I was including serprog and coreboot mkhelper.cfg files in this script. instead, set a new variable "mkhelpercfg" pointing to the config file. if it doesn't exist, create and then point to a temporary (empty) mkhelper.cfg file. the rom.sh include has been moved to coreboot mkhelper.cfg The only remaining project-specific logic, in this trees script, is now the coreboot crossgcc handling, but this needs to be there as it's also used to build U-Boot. The way this now works, certain includes are done twice. For example, include/rom.sh will be included once globally, outside of main(), and then again in configure_project(). This means that certain functions will be defined twice. I'm uncertain if shell has anything equivalent to an ifdef guard as in C, but we actually want this here anyway, and it shouldn't cause any problems. It's a bit of a hack, but otherwise results in much cleaner code. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-09trees: support -d (dry run) for custom build logicLeah Rowe
-d does the same as -b, except for actually building anything! in effect, it does the same as -f (fetch) except that the resulting variable assignments will not be recursive (as with -f). if -d is passed, configuration is still loaded, defconfig files are still cycled through, and more importantly: helper functions are still processed. the grub, serprog and coreboot helper functions have been modified to return early (zero status) if -d is passed. this behaviour will be used to integrate vendor.sh logic in with the trees script, for cases where the user wants to only handle vendor files. e.g.: ./update trees -b coreboot x230_12mb this would download the files as usual, build coreboot, with those files, and then build the payloads. but: ./update trees -d coreboot x230_12mb this would download the files, NOT build coreboot, and NOT build the payloads. this change increases the sloccount a bit, but i'm relying on the fact that the vendor.sh script already re-implements config handling wastefully; the plan is to only use trees. for now, simply stub the same ./vendor download command. there is one additional benefit to doing it this way: this method is *per-kconfig* rather than per-target. this way, one kconfig might specify a given vendor file that is not specified in the other. although the stub still simply handles this per target, it's done in premake, which means that the given .config file has been copied. this means that when i properly re-integrate the logic into script/trees, i'll be able to go for it per-kconfig. the utils command has been removed, e.g. ./update trees -b coreboot utils default the equivalent is now: ./update trees -d coreboot default this would technically download vendor files, but here we are specifying a target for which no kconfigs exist; a check is also in place, to avoid running the vendor file download logic if tree==target the overall effect of this change is that the trees script no longer contains any project-specific logic, except for the crossgcc build logic. it does include some config/data mkhelper files at the top, for serprog and coreboot, so that those variables defined in those files can be global, but another solution to mitigate that will also be implemented in a future commit. the purpose of this and other revisions (in the final push to complete lbmk audit 6 / cbmk audit 2) is to generalise as much logic as possible, removing various ugly hacks. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-07rom.sh: new file, to replace script/romsLeah Rowe
stub it from the trees script. the way it works now, there is less code in the build system. ./build roms this is no longer a thing ./build roms serprog this is also no longer a thing. instead, do: ./update trees -b coreboot targetnamehere ./update trees -b pico-serprog ./update trees -b stm32-vserprog the old commands still works, which causes the new commands to run coreboot roms now appear in elf/, not bin/, as before, but those images now contain payloads. NOTE: to contradict the above: ./build roms is no longer a thing, in that it's now deprecated, but backward compatibility is present for now. it will be removed in a future release. ./build roms list also still works! it will do: ./update trees -b coreboot list also: ./update trees -b grub list this is now possible too if a target "list" is provided, for multi-tree sources, the targets are shown. there is another difference: seagrub roms are now seagrub_, instead of seabios_withgrub. seabios-only roms are no longer provided, where grub is also enabled; only seagrub is used. the user can easily remove the bootorder file, if they want seabios to not try grub first. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-06coreboot: set build_depend on target.cfg filesLeah Rowe
set a default one in mkhelper.cfg Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-06GRUB: only load xhci from grub.cfgLeah Rowe
don't put it in the install modules. this works around a hanging issue on haswell thinkpads. when any usb device is inserted, GRUB will sometimes hang if started from the SeaBIOS payload, *while* the USB device is plugged in. plugging in the USB device after GRUB starts worked. it will have to be investigated more at a later date, but this simply configuration change works. the xhci module is already loaded explicitly, in grub.cfg Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-05trees: just do makeargs on coreboot, not cbmakeargLeah Rowe
stick the makeargs in mkhelper i previously did cbmakeargs because the old revisions had to define makeargs per-target otherwise. mkhelper was done specifically to solve that problem. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-07-01GRUB: use mkhelper.cfg for common variablesLeah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-27trees: don't hardcode use of mkpayload_grubLeah Rowe
instead, make it a helper function, defined in target.cfg this means that we can also do the same with other projects in the future, and it is expected that we will have to. these helper functions are used in cases where we want additional actions to be performed. actually, the helper could be anything. for example, you could write: mkhelper="./build foo bar" and it would do that (at the point of execution, PWD is the root directory of the build system) Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-27trees: avoid kconfig make commands genericallyLeah Rowe
don't hardcode the check based on whether the current project is grub. instead, define "btype" in target.cfg if unset, we assume kconfig and permit kconfig commands e.g. make menuconfig, make silentoldconfig, etc this is to avoid the deadliest of sins: project-specific hacks Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-22roms: only support SeaBIOS/SeaGRUB on x86Leah Rowe
Never, ever build images where GRUB is the primary payload. These options have been removed from target.cfg handling: * seabios_withgrub * grub_withseabios The "payload_grub" variable now does the same thing as the old "seabios_withgrub" variable, if set. The "grubonly" configuration is retained, and enabled by default when SeaGRUB is enabled (non-grubonly also available). Due to lbmk issue #216, it is no longer Libreboot policy to make GRUB the primary payload on any board. GRUB's sheer size and complexity, plus the large number of memory corruption issues similar to it that *have* been fixed over the years, tells me that GRUB is a liability when it is the primary payload. SeaBIOS is a much safer payload to run as primary, on x86, due to its smaller size and much more conservative development; it is simply far less likely to break. If GRUB breaks in the future, the user's machine is not bricked. This is because SeaBIOS is the default payload. Since I no longer wish to ever provide GRUB as a primary payload, supporting it in lbmk adds needless bloat that will later probably break anyway due to lack of testing, so let's just assume SeaGRUB in all cases where the user wants to use a GRUB payload. You can mitigate potential security issues with SeaBIOS by disabling option ROM execution, which can be done at runtime by inserting integers into CBFS. The SeaBIOS documentation says how to do this. Libreboot's GRUB hardening guide still says how to add a bootorder file in CBFS, making SeaBIOS only load GRUB from CBFS, and nothing else. This, combined with the disablement of option ROM execution (if using Intel graphics), pretty much provides the same security benefits as GRUB-as-primary, for example when setting a GRUB password and GPG checks, with encrypted /boot as in the hardening guide. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-22lib.sh: more unified config handlingLeah Rowe
replace it with logic that simply uses "." to load files directly. for this, "vcfg" is added as a variable in coreboot target.cfg files, referring to a directory in config/vendor/ containing a file named pkg.cfg, and this file then contains the same variables as the erstwhile config/vendor/sources config/git files are now directories, also containing pkg.cfg files each with the same variables as before, such as repository link and commit hash this change results in a noticeable reduction in code complexity within the build system. unified reading of config files: new function setcfg() added to lib.sh setcfg checks if a config exists. if a 2nd argument is passed, it is used as a return value for eval, otherwise a string calling err is passed. setcfg output is passed through eval, to set strings based on config; eval must be used, so that the variables are set within the same scope, otherwise they'd be set within setcfg which could lead to some whacky results. there's still a bit more more to do, but this single change results in a substantial reduction in code complexity. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-19roms: don't insert timeout.cfgLeah Rowe
this is bloat, because it's something the user can already do at runtime configuration anyway. set it to a reasonable default of 8 seconds instead of 5, and don't honour the timeout variable in target.cfg. this will be documented in the next release. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-15grub: insert background in memdisk insteadLeah Rowe
the background is only a few kb. the whole rationale before was to limit the space used in memdisk, but this decision was made when the background was much bigger; it has since been optimised greatly, and the grub modules were heavily reduce, so it should be safe. grub's memdisk breaks when you add too much data to it. as part of simplifying the rest of lbmk, this change removes some more bloat from the rest of lbmk. handling this in the memdisk is much simpler than handling it with cbfstool. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-12Libreboot 20240612 release20240612Leah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-12coreboot nasm: use coreboot mirror as backupLeah Rowe
don't use the macports mirror, because it's not certain whether those tarballs will always be there. use the coreboot one as a backup instead, and nasm.us as main Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-12haswell: add Mate's patch fixing IGD port listLeah Rowe
fixes DP++ and adds a DP that wasn't even there before, on all currently supported variants of these machines Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-12haswell: add Nico's patch for IGD PCI IDsLeah Rowe
the patch fixes IGD on certain xeon processors Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-12grub: only enable nvme if needed on a boardLeah Rowe
remove nvme support from the "default" grub tree now there are three trees: * default: no xhci or nvme patches * nvme: contains nvme support * xhci: contains xhci and nvme support this is in case a bug like lbmk issue #216 ever occurs again, as referenced before during lbmk audit 5 there is no indication that the nvme patch causes any issues, but after previous experience i want to be sure Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-11fix nasm download path for coreboot/fam15hLeah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-09re-add ability to use cbfs grub.cfg as defaultLeah Rowe
i removed this before, when making grub multi-tree, because the design i used in an earlier version of the patch actually added the grub.elf generation to grub source itself, but then i decided to hack around the grub build system from lbmk/cbmk instead re-add this functionality, so that users can easily insert their own custom grub.cfg into cbfs without needing to re-build their image. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-09Merge pull request 'Add dependency scripts for Fedora 40 and Ubuntu 24.04' ↵Leah Rowe
(#220) from fuel-pcbox/lbmk:master into master Reviewed-on: https://codeberg.org/libreboot/lbmk/pulls/220
2024-06-09add crossgcc tarballs to config/submodules/Leah Rowe
support redundant downloads, and enable inclusion of these tarballs inside release archives, for offline builds. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-08git.sh: support downloading *files* as submodulesLeah Rowe
when we download coreboot, we currently don't have a way to download crossgcc tarballs, so we rely on coreboot to do it, which means running the coreboot build system to do it; which means we don't get them in release archives, unless we add very hacky logic (which did exist and was removed). the problem with coreboot's build system is that it does not define backup links for each given tarball, instead relying on gnu.org exclusively, which seems OK at first because the gnu.org links actually return an HTTP 302 response leading to a random mirror, HOWEVER: the gnu.org 302 redirect often fails, and the download fails, causing an error. a mitigation for this has been to patch the coreboot build system to download directly from a single mirror that is reliable (in our case mirrorservice.org). while this mitigation mostly works, it's not redundant; the kent mirror is occasionally down too, and again we still have the problem of not being able to cleanly provide crossgcc tarballs inside release archives. do it in config/submodules, like so: module.list shall say the relative path of a given file, once downloaded, relative to the given source tree. module.cfg shall be re-used, in the same way as for git submodules, but: subfile="url" subfile_bkup="backup url" do this, instead of: subrepo="url" subrepo_bkup="backup url" example entries in module.list: util/crossgcc/tarballs/binutils-2.41.tar.xz util/crossgcc/tarballs/gcc-13.2.0.tar.xz util/crossgcc/tarballs/gmp-6.3.0.tar.xz util/crossgcc/tarballs/mpc-1.3.1.tar.gz util/crossgcc/tarballs/mpfr-4.2.1.tar.xz util/crossgcc/tarballs/nasm-2.16.01.tar.bz2 util/crossgcc/tarballs/R06_28_23.tar.gz the "subrev" variable (in module.cfg) has been renamed to "subhash", so that this makes sense, and that name is common to both subfile/subrepo. the download logic from the vendor scripts has been re-used for this purpose, and it verifies files using sha512sum. therefore: when specifying subrepo(git submodule), subhash will still be a sha1 checksum, but: when specifying subfile(file, e.g. tarball), subhash will be a sha512 checksum the logic for both (subrepo and subfile) is unified, and has this rule: subrepo* and subfile* must never *both* be declared. the actual configuration of coreboot crossgcc tarballs will be done in a follow-up commit. this commit simply modifies the code to accomodate this. over time, this feature could be used for many other files within source trees, and could perhaps be expanded to allow extracting source tarballs in leiu of git repositories, but the latter is not yet required and thus not implemented. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-07move uefiextract to elf/uefitool/Leah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-07Add dependency scripts for Fedora 40 and Ubuntu 24.04fuel-pcbox
2024-06-07define mdfiles/images in config/submodules/docs/Leah Rowe
again: the "depend" variable must never be used for subprojects that point to a subdirectory of the main project, because there's no clean way of handling this in case of error conditions. make it a submodule under config/submodules/. this is for the documentation, including static site generator documentation, and image files (photos). as of this revision, there are now only those "depend" projects defined in config/git/, where the destination directory of the subject is not a subdirectory of the main project, so: in a subsequest revision, i will mitigate an existing bug whereby failure of the dependency project leaves the main one still intact, breaking builds; this revision enables that to be done. from now on, subproject-to-subdirectory-of-main-project will be avoided in config/git/; config/submodules/ will be used. Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-07libopencm3 to config/submodules/ on stm32-vserprogLeah Rowe
same as the previous patch, we must no longer use "define" variables in config/git/ when the path is a subdirectory of a given project, because it means that the download can only happen after the main one, and currently if that fails, the download of the main repo would remain intact, breaking future builds in ways that we can't control - to be clear, it could be controlled, but with added code complexity in the build system, so: put it in config/submodules/ Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-07add tinyusb to config/submodule/ for pico-sdkLeah Rowe
don't define it as a "depend" variable in config/git/, because it means putting the files in a subdirectory of an existing project was was already then downloaded, and that means it can't be downloaded first; if the download of it fails, the old download is left intact. this bug isn't currently fixed in the build system, at all, so this and other patches are being made to mitigate it. Signed-off-by: Leah Rowe <leah@libreboot.org>