PoC : D16 15h coreboot fork

[tlaurion]

Deprecates #1805 since d16 had kernel version bump as all other boards.

This PR only takes pointed commit per modules/coreboot and point UNMAINTAINED_kgpe-d16_server-whiptail board to it, which should contain all 4.11 needed patches for Heads to support TPM1.2 as well.

Discussions about this should happen under Heads channel or here.

[tlaurion]

@arhabd if this commit is not the latest, someone needs to take the lead and follow fam15h fork updates and redo this PR until success.

[arhabd]

@arhabd if this commit is not the latest, someone needs to take the lead and follow fam15h fork updates and redo this PR until success.

understood i will update the pr as times goes on until its been fully tested

[tlaurion]

On need for CONFIG_BOOT_XEN_ADD CONFIG_BOOT_XEN_REMOVE grub.conf overrides:

Might be needed for #1910 considering latest Xen speculation mitigations slow down the d16 to turtle speed, where sys-net and sys-usb would need to be switched to pv instead of hvm mode see https://15h.org/index.php/QubesOS

Originally posted by @tlaurion in #890

This would be:
CONFIG_BOOT_XEN_ADD="spec-ctrl=ibpb-entry=no-pv" added under kgpe-d16 board configs, with notes there to switch sys-usb and sys-net from hvm to pv mode, pushing user to install qubes with sys-usb and sys-net being disposable vms.

Note that #890 is an issue, not a PR. Meaning a PR implementing this would be needed so that Heads can modify Xen command line arguments on kexec calls, just like it currently do for linux kernel command line arguments, specified under board configs to apply board specifics overrides to what is under grub.conf.

[tlaurion]

@Tonux599 said

Sorry but I have no motivation to continue this because of QubesOS/qubes-issues#9150

Originally posted by @Tonux599 in #1634 (comment)

[tlaurion]

d16 dropped for CircleCI builds under t480 PR #1906 (comment) (coreboot 4.11 build race condition that may or not be fixed with fam15h coreboot 4.11 or future agesa work on top of 4.15, TBD in channel)

Warned d16 club under matrix channel post

[arhabd]

i dont have a bmc so i tested the workstation configuration with the following changes

user@server:~/heads$ git branch
* 15h
  master
user@server:~/heads$ git status
On branch 15h
nothing to commit, working tree clean
user@server:~/heads$ git log -n 3
commit bb07d8713c1e477884a1da8402986f25e9ae1843 (HEAD -> 15h)
Author: root <[email protected]>
Date:   Thu Feb 27 02:30:57 2025 -0500

    test

commit cec700a50a3e9146b42ee2da0d6d9deb2ae148e0
Author: root <[email protected]>
Date:   Thu Feb 27 01:48:18 2025 -0500

    workstation 15h testing

commit eec6ff7f3d101d7053bed4d73c176630ece08f92
Merge: a89e37e2 462c157b
Author: Thierry Laurion <[email protected]>
Date:   Thu Feb 13 12:31:46 2025 -0500

    Merge remote-tracking branch 'osresearch/master' into d16_15h_coreboot_fork

user@server:~/heads$ git diff eec6ff7f3d101d7053bed4d73c176630ece08f92 bb07d8713c1e477884a1da8402986f25e9ae1843 > diff.txt; cat diff.txt
diff --git a/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config b/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config
index 0615434b..624f6d30 100644
--- a/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config
+++ b/boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config
@@ -16,7 +16,7 @@
 
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_COREBOOT_VERSION=15h
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation.config
diff --git a/config/coreboot-kgpe-d16_workstation.config b/config/coreboot-kgpe-d16_workstation.config
index b4adf654..fc19a3dc 100644
--- a/config/coreboot-kgpe-d16_workstation.config
+++ b/config/coreboot-kgpe-d16_workstation.config
@@ -28,7 +28,6 @@ CONFIG_NO_RELOCATABLE_RAMSTAGE=y
 # CONFIG_RELOCATABLE_RAMSTAGE is not set
 # CONFIG_UPDATE_IMAGE is not set
 # CONFIG_BOOTSPLASH_IMAGE is not set
-CONFIG_MEASURED_BOOT=y
 
 #
 # Mainboard
@@ -104,6 +103,7 @@ CONFIG_ONBOARD_VGA_IS_PRIMARY=y
 CONFIG_DIMM_SPD_SIZE=256
 # CONFIG_VGA_BIOS is not set
 CONFIG_MAINBOARD_SERIAL_NUMBER="123456789"
+CONFIG_VGA_BIOS_FILE="3rdparty/blobs/mainboard/asus/kgpe-d16/VGABIOS.bin"
 CONFIG_C_ENV_BOOTBLOCK_SIZE=0x10000
 CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="ASUS"
 CONFIG_DEVICETREE="devicetree.cb"
@@ -161,6 +161,7 @@ CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="KGPE-D16"
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL=7
 # CONFIG_USBDEBUG is not set
 CONFIG_IPMI_KCS_REGISTER_SPACING=1
+CONFIG_IPMI_FRU_SINGLE_RW_SZ=16
 CONFIG_MAINBOARD_VERSION="1.0"
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_PCIEXP_L1_SUB_STATE=y
@@ -325,6 +326,8 @@ CONFIG_DIMM_VOLTAGE_SET_SUPPORT=y
 CONFIG_LIMIT_HT_DOWN_WIDTH_16=y
 # CONFIG_LIMIT_HT_UP_WIDTH_8 is not set
 CONFIG_LIMIT_HT_UP_WIDTH_16=y
+# CONFIG_AMD_NB_CIMX is not set
+# CONFIG_NORTHBRIDGE_AMD_CIMX_RD890 is not set
 # CONFIG_NORTHBRIDGE_AMD_PI is not set
 
 #
@@ -449,6 +452,7 @@ CONFIG_CRB_TPM_BASE_ADDRESS=0xfed40000
 # CONFIG_MAINBOARD_HAS_CRB_TPM is not set
 # CONFIG_GIC is not set
 CONFIG_IPMI_KCS=y
+CONFIG_IPMI_KCS_TIMEOUT_MS=5000
 # CONFIG_DRIVERS_LENOVO_WACOM is not set
 # CONFIG_RT8168_GET_MAC_FROM_VPD is not set
 # CONFIG_RT8168_SET_LED_MODE is not set
@@ -488,7 +492,6 @@ CONFIG_HAVE_USBDEBUG_OPTIONS=y
 # CONFIG_DRIVERS_AMD_PI is not set
 CONFIG_DRIVERS_ASPEED_AST2050=y
 CONFIG_DRIVERS_ASPEED_AST_COMMON=y
-# CONFIG_DRIVERS_GENERIC_CBFS_SERIAL is not set
 # CONFIG_DRIVERS_I2C_MAX98373 is not set
 # CONFIG_DRIVERS_I2C_MAX98927 is not set
 # CONFIG_DRIVERS_I2C_PCA9538 is not set
@@ -529,6 +532,7 @@ CONFIG_VGA=y
 # CONFIG_NC_FPGA_NOTIFY_CB_READY is not set
 # CONFIG_DRIVERS_SIL_3114 is not set
 # CONFIG_MAINBOARD_HAS_SPI_TPM_CR50 is not set
+# CONFIG_MAINBOARD_HAS_SPI_TPM is not set
 # CONFIG_DRIVER_TI_TPS65090 is not set
 # CONFIG_DRIVERS_TI_TPS65913 is not set
 # CONFIG_DRIVERS_TI_TPS65913_RTC is not set
@@ -542,6 +546,7 @@ CONFIG_VGA=y
 #
 # Verified Boot (vboot)
 #
+CONFIG_VBOOT_LIB=y
 
 #
 # Trusted Platform Module
@@ -551,12 +556,15 @@ CONFIG_TPM1=y
 CONFIG_USER_TPM1=y
 # CONFIG_USER_TPM2 is not set
 # CONFIG_TPM_DEACTIVATE is not set
-# CONFIG_DEBUG_TPM is not set
+CONFIG_DEBUG_TPM=y
 CONFIG_TPM_RDRESP_NEED_DELAY=y
+CONFIG_TPM_MEASURED_BOOT=y
+CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA=""
 
 #
 # Memory initialization
 #
+# CONFIG_STM is not set
 # CONFIG_ACPI_SATA_GENERATOR is not set
 # CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES is not set
 # CONFIG_ACPI_AMD_HARDWARE_SLEEP_VALUES is not set
@@ -691,6 +699,7 @@ CONFIG_HAVE_DEBUG_SMBUS=y
 # CONFIG_DEBUG_MALLOC is not set
 # CONFIG_DEBUG_CONSOLE_INIT is not set
 # CONFIG_DEBUG_SPI_FLASH is not set
+# CONFIG_DEBUG_IPMI is not set
 # CONFIG_TRACE is not set
 # CONFIG_DEBUG_BOOT_STATE is not set
 # CONFIG_DEBUG_ADA_CODE is not set

i had to enable MEASURED_BOOT from menu config to get it to build with the 15h coreboot but other then that it was very straight forward and compiles and runs on my machine it extends the pcrs correctly and i can reset the tpm and generate new secrets and boot os

is there anything in particular that needs to be tested to get this merged? i dont see any reason why it would not work on the server configuration

[tlaurion]

@arhabd can you steal and expand the commit here and do the changes in a PR so others can test the ROMs? Fam15h has probably changed since I did this PR which is already bitorotting.

Please take the lead.

[arhabd]

@arhabd can you steal and expand the commit here and do the changes in a PR so others can test the ROMs? Fam15h has probably changed since I did this PR which is already bitorotting.

Please take the lead.

sure i can look into doing those changes to the pr but no new updates on the tpm-measured-boot branch on 15h.org i just asked mike if it can be merged into the master 15h branch

do not fear the bitrot as i will make sure the coreboot commit is up to date

[tlaurion]

Superseeded by #1929