t480s port #1966
t480s port #1966
Conversation
|
Ah, just realized I'll have to also update the tb.bin too. I manually created this from lenovo's binaries and they had a different resource/URL for the T480s thunderbold firmware, so best not to risk someone bricking their board with the T480 version. Edit: I just realized my commits got unsigned when I retroactively signoff'ed the commits. I will fix later. |
Confused about this. I thought the TB was common between the two boards. As part of testing, you must test tb flasshing. Flashing the t480 tb to observe if only slow charging (bad for t480s) or if fast charging works (good also for t480s), otherwise reverting to stock tb from a backup you took prior of flashing t480 and investing time to bring a distinct t480s tb.bin under xx80 blobs dir. Comparing the t480s/t480 tb.bin from libreboot and exposing results would also help.
Commits are "signed-off" by GitHub not from command line git. Can you sign those ( Also if you could squash the last two commits together so that there is no "CircleCI fix" commit, that would be awesome. You can also search t480 issues/pr and tag t480s users that were interested into the t480s. Once tagged and those users accept to be added into https://github.com/linuxboot/heads/blob/master/BOARD_TESTERS.md, you must also add yoruself there along other responders. Once all that is done, this PR will be mergeable and board testers (including yourself) accountable for testing promptly when there is coreboot/linux/platform specific changes needing to be tested in distinct PRs. Thanks for your contribution @thickfont ! Really much appreciated! |
Apologies, I wasn't clear with my tb.bin comment. I did flash my T480s board with updated thunderbolt firmware directly from lenovo's website using Libreboot's method as documented here: https://libreboot.org/docs/install/t480.html#manual-tbt.bin-extraction-optional I have not flashed the T480 thunderbolt firmware and see no reason to risk doing so if lenovo offers an updated T480s version anyway that we can use. However, I forgot to include my blob in my commit (or the steps to reproduce it similarly to how the T480 one is currently produced). I will have to fix this. I didn't actually test the slow/fast charging after updating it. I'm not sure how to test that beyond manually monitoring the charging speeds, but I'll look into it to see if the updated firmware actually does work.
Appreciate the feedback. Will get to fixing all of the above. (I'm a git newbie :) ) |
|
My point is still valid here: if you are to provide a tb.bin, you will have to test it :) |
|
@thickfont great to see it worked! |
|
@thickfont in case you did not do it yet, it would be really helpful for other less experienced user to have at least one picture of disassembled t480s board on the heads-wiki flashing guide. In my view, it can really reduce the stress level if the location of the SPI chips is different. |
|
@thickfont it looks like the build failed… |
No its #1965 |
…rce: https://codeberg.org/libreboot/lbmk/src/branch/master/config/ifd/t480s Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
|
I added the t480s tb.bin to the blob download script. Both t480 and t480s currently share the tb.bin file name in the blobs/xx80 directory. So if you build t480 board, the tb.bin file will be for t480. Whereas if you build t480s board, the tb.bin file will be for the t480s. In other words both tb.bin files currently can't co-exist in the directory if someone built both boards. Both file hashes co-exist in hashes.txt too (not ideal, but it works if you know to expect an error if you manually run "sha256sum -c hashes.txt"). I would have named the tb.bin files "t480_tb.bin" and "t480s_tb.bin", but that would require modifications to the targets/xx80_me_blobs.mk file (as it references the blobs/xx80/tb.bin file directly). I don't understand the formatting of this file to confidently modify it for both possible tb.bin file names. EDIT:
You can see the first line is the output from this line in the script: Therefore, $sha256_hash is null which is actually $TB_BIN_HASH which is set in my new if/else statement which assumes the local BOARD environment variable is set. $TB_BIN_HASH will only be null if the BOARD environment variable is not set. Is this variable not set in the context of CircleCI's execution of this script? If so, how else can can I determine which board is being built within this script? Is there better logic for this? The second line of the above logs (missing tb.bin) is also explained by the same missing BOARD environment variable. |
|
@akunterkontrolle @mblanqui @kjkent Are any of you guys interested in being official board testers for the T480s? I found you guys displaying varying levels of interest in a t480s port in other threads. Cheers! Ref: https://github.com/linuxboot/heads/blob/master/BOARD_TESTERS.md EDIT: Don't flash anything yet though! I haven't flashed roms from circleci's yet, so I can't guarantee they work even though they should (hashes are different from my locally built and tested roms which I think is normal until the PR is merged?). |
|
@thickfont sure am! Happy to contribute. |
@thickfont the roms should match, where local build artifats differences for same commit are typically linked to non-clean cpio that are not rebuilt. You should arrive to the same CircleCI built artifacts if local is clean, by doing the following if final rom hashes are different This should be fixed with #1961 that should be merged today (which seems to have fixed initrd.cpio-xz rebuild, but if not, another issue should be opened) Also note that CircleCI failing to build has been merged in master just now under #1967. You should be able to merge master into this PR by doing
|
@thickfont as said in previous comment, tb rom differences, and if such difference needed, should be validated and tested prior of me investing time helping for the port here with commits. As previously asked: have you figured out under libreboot why those tb.bin are the different and if needed as requested? if the t480 tb file can be used on t480s then no need for the following. But if needed, here is what is needed: Also, I saw you partially added differential tb bins but reuse same tb.bin instead of duplicated in blob script. The checksum should be unique for each file; no tb.bin should be shared if required to be different, this can lead to bricks and CI as confirmed by CI, logic is wrong: the blob script should should download and reconstruct both on a CircleCI prep_step; therefore i'm not sure your conditional BOARD logic is the right thing to do under a shared shared blob script; either you duplicate the blob script into two t480/t480s, split the scripts into shared degard+me/ separate tb480 + separate tb480s or have a single script that doenloads and reconstructs blobs needed for both t480s and t480. You should figure out which option is better for you and others to understand and maintain (I think splitting blobs download script into t480/t480s and same for target should make things clearer to yyou and easier to reuse existing code)so that they require and point to individual tb files, and for those to be created, depend on individual blob script (that seems to be where you got confused with @gaspar-ilom code which uses variables to point ot checksum and files you didn't completely duplicate in your previous attempt). Current issue with blob script issue and non-duplicated target/xx80: for Makefile logic under target/xx80, same thing: duplicate into t480 and t480s and rename to t480s_tb.bin and t480_tb.bin as your duplicated in xx80/blob download +pad + mv into xx80 blob dir and you should be able to resolve circeci no need to duplicate config/linux-t480s.config here: they do not have a single difference. Just have the board config for t480s point to t480 linux config Time spent currently on t480s review: 2h total. Trying to mentor and code review instead of doing the changes this time. Might take longer but more chances of others to do ports and succeed. We can see #1658 having been dropped as an effort after a lot of work. Sorry to not invest more time for other people's desired board without doing paid consultation services anymore; revising approach, let me know what I can do better for others to be able to port things better and help co-maintain Heads on free tier. |
|
Thanks for the review @tlaurion, exactly the kind of feedback I was hoping for. Much appreciated. Will try to fix most if not all of this today. I reviewed the libreboot docs and their tb.bin implementation. They are using different tb.bins for each board, and they also say "Please make sure to flash the correct one for your board". Goes without saying that The tb.bins have different hashes too. I see no reason to test the t480 tb.bin on my only remaining t480s board unless you can guarantee it won't brick the board... |
thickfont
force-pushed
the
poc_t480s
branch
3 times, most recently
from
964a936 to
3e8a180
Compare
Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
thickfont
force-pushed
the
poc_t480s
branch
2 times, most recently
from
0e7546e to
afeb6ea
Compare
This is really problematic. Before merging this PR, at least one of the BOARD_TESTERS.md updated file for t480s needs to flash that t480s_tb.bin, ideally the one porting the t480s. No, I cannot guarantee that it won't brick your USB port's fast charging capabilities, as libreboot produced documentation nad guide to reproduce those blobs, and t480 board challenged that documentation prior of creating a flashing page with the facts. I'm sorry @thickfont but if you are weary on flashing that blob, but that untested blob comes on your PR, which PR content is supposed to be tested working at the best of your knowledge and to the best of my review: we have a problem, since you basically say here that you are not willing to test/report/collaborate with libreboot on things not fcuntional, and as I stated numerous times before, after having spent more than 30h on the t480 and challenging Leah (with all the drama that came with it) and with the t480/t480s still not merged under coreboot, the current PR will not be merged. We are mixing things here. I am willing to give advice/mentoring/share knowledge to those who want to have Heads on the platforms they port to Heads. I am not willing dealing with support requests technical board owners are not willing to test nor fix themselves nor challenge upstream (here libreboot until coreboot) since I am not paid for this work either. TLDR: if you are not willing to test libreboot instructions yourself for the t480s tb bins CircleCI produced, nor any other technical enough board owners (candidated @akunterkontrolle @mblanqui @kjkent) stand up to the task of being able to maintain/test this board/participate upstream under libreboot/coreboot here, you are basically expecting me to deal with consequences of other people flashing things that should be tested but weren't and might brick their boards. It would not be ethical to merge this. If this is what you are aiming to do, I would gladly ask you to do another commit which will rename the t480s as UNTESTED (there are helpers under global Makefile to facilitate this), as until one more technical board owner stands up as being the one that will maintain this board. My job as a maintainer of Heads is to make sure that changes needed across all supported boards are tested per their board testers in time for possible linked regression for future PR. I'm sorry if there was still a misunderstanding, but the goal of the Heads project is to have supported boards and a community to help each other support those board. Here, libreboot is upstream until merged under coreboot at https://review.coreboot.org/c/coreboot/+/83274, so under libreboot community channels. There is no way anything merged under Heads becomes Heads responsibility because other people in the accountability chain fails their responsibilities. Yours here is to flash all build artifacts and confirm no other regressions happen in terms of coreboot+libreboot so that people that would arrive to me would be only for things Head srelated. There is no way I extend my role outside of that. I have no time for that, nor own a t480s. I hope we are clear and there is nothing personal here. I understand you are excited by the t480s being WiP under coreboot at https://review.coreboot.org/c/coreboot/+/83274 and supported by libreboot. But reality here is that it is not supported by coreboot today. So no. I cannot guarantee you that flashing that tb.bin will not make that controller not work again. But if we stay logical, and you get a backup before flashing, you should not be scared of flashing nor reverting things, otherwise there is no technical enough board owners behind this port for the t480s. Again, nothing personal here. But if its the case, we need someone else to stand up that woun't be scared of flashing, causing bricks, and reverting to backups. Otherwise this PR won't get merged. |
Awesome progress with the other commits. Hope my previous comment facts reached you and what needs to be done prior of merging this pr which now builds from CircleCI and should produce same roms loally and from CircleCI. Please confirm and let me know if you can be that responsive technical board owher willing to risk a brick and unbrick/be on the libreboot channel until https://review.coreboot.org/c/coreboot/+/83274 gets merged, otherwise this PR will bitrot until someone else show up and is willing to create SPI content backups/flash/revert to backup any future PR related to the t480s, as for any supported boards under Heads. |
|
Updated OP TODOs |
Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
Signed-off-by: thickfont <207300056+thickfont@users.noreply.github.com>
|
I updated the blob script to use the t480s delta for the deguard of the ME. The resulting me.bin now is identical to the one created by lbmk. During my rebase, I left out the git merge to the latest keymap updates to see if the roms are reproducible. I can confirm they are reproducible (local vs circleci) for me without the merge. So it seems the keymap update might be the culprit? Lastly, I finally checked the thunderbolt fast charging and can confirm fast charging works. I updated the todo list to reflect this. |
I opened #1969 to track this issue. For the moment, without investigating further, I do not understand why some local builds differ from Circleci and wasn't able to reproduce. Will check next week. |
|
PR created for T480s flashing guide: linuxboot/heads-wiki#190 |
|
The board config should details what are all those SPD blob files added in final coreboot stitching step as compared to t480? Those files are added by t480/t480s patch from coreboot wip still not merged. But if Heads is to support that board and use additional blobs, the bare minimal is those to be documented as for all other boards under Heads. Thanks for your contributions @thickfont ! EDIT: edited OP to clearly state coreboot base of t480/t480s is still WiP and unmerged upstream with last work on the changeset dating back to December 31 2024 |
I was also curious about those blobs but didn't question it as I figured it was normal and just coreboot related... But I guess not! Very little on the topic in libreboot and coreboot documentation that I could find. I did find this though:
The T480s does differ from the T480 in that it does have soldered RAM. So, they probably pulled these blobs directly from a board? Should we verify these blobs with some of my oem bios images? I wouldn't have a clue where to begin doing so if you'd like for me to verify these blobs. @kjkent If you are aching to flash your T480s with heads you can do so with the current state of this PR. I can confirm this exact t480s-maximized .rom does work as I flashed it successfully the other day: The HOTP version should also work, it was the first thing I tested but on a different commit/hash. I'm sure you don't need a guide, but if you do want to flash, we are looking for some feedback on the t480s guide available here before we merge it: So, if you want to follow along with the guide just to catch any errors, missing steps or any other feedback that would be greatly appreciated: t480s-hotp-maximized: |
What are those blobs, how were they obtained? what do they do? Why are they required? Could you comment upstream @thickfont ? I try to be confortable with t480/t480s but truth is that so many things are unclear and the port is basically unmaintained..... Makes me extremely unconfortable: I would have expected @kukrimate to have answered and updated the patchset as of now (WiP, without update since 31/12/2024). But libreboot picked Heads patch instead of having fixed and collaborated upstream under coreboot.... This is too much fork for downstream, seriously. I can only repeat: if t480/t480s is not merged upstream, I won't redo this work on next coreboot version bump. This is ore than suboptimal; t480/t480s interested people need to collaborate upstream. |
I also can't remember, what first link referred to. Probably the deguard readme. Anyway, as you already figured out I agree that the same uncleaned ME blob can be used for both devices. |
Posted #1973 Note that I still get gthe same hash locally and on CircleCI, while this PR cleans data.cpio and board.cpio that were missed in prior review. More eyes needed :|
|
Comment made upstream. I share your concerns. https://review.coreboot.org/c/coreboot/+/83274/comments/2c3c360f_970d43ef |
|
@thickfont #1974 was merged in master with data.cpio fix (cp -a --remove-destination was not harddlink friendly for reproducible builds) |
Apologies for only just replying @thickfont. I don't own a T480s, just a T480. |
|
Apologies for my slow reply here -- Just catching up. @gaspar-ilom thanks for your input! thickfont happy to flash using the guide and can provide feedback on it as you suggest. Will report back :) Edit: @thickfont btw, is your t480s of type 20L8(-SCX800) with an i5-8350U? If so, and you took a backup dump of your stock BIOS before flashing heads, any chance I could have a copy? I didn't realise my backup was corrupt until I needed it :') |
|
The coreboot PR is apparently raising from the dead, on patchset 35 currently. Mb worth taking a look at. |
|
Port upstreamed |
Upstream patched 25.06 which was merged. I attempted to apply newer patches to 24.12 unsuccessfully at #1989 PR welcome! |
…er since CVE-2017-5715 (all Intel <=gen 8th cpu vulnerable without patches) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
|
@thickfont this PR was modified to be par with master and t480s boards renamed with EOL in name to reflect CVE-2017-5715 vulnerable state (see e6ba702) |
|
When Heads tries to use the tpm, it seems to fail. Not sure how to debug this further but I have the hardware if you need a tester/someone to debug it. I've done a OEM reset fyi. (fyi, I have a external flasher and am technical enough (I think?) Happy to compile and all of that) EDIT: I have added some logs I was told to get on matrix. (dmesg + cbmem) 
|
@HarleyGodfrey confirmed TPM working on matrix channel, as showed working per logs provided here. After flashing, per docs, TPM needed to be initialized at least once for ownership (TPM reset or factory reset) and then secret sealed in TPM per proposed option (or through Options-> TPM menu). |
Waiting for testers report :) |
|
@HarleyGodfrey ping. On matrix you seem to say everything works? Please confirm here. |
EDIT by @tlaurion :
This port is based on is based on coreboot 24.12 (YY.MM : 2024 december) release + patches, just like the t480.
https://review.coreboot.org/c/coreboot/+/83274 was merged atop 25.03 which no board under Heads is based on top of.
@thickfont original OP:
@tlaurion's NOTICE: t480/t480s boards are still not merged and is WiP quality as per https://review.coreboot.org/c/coreboot/+/83274, with no update since December 31 2024
Testing Checklist:
RPi PicoQubesOS 4.2install and rebootNitrokey 3ahardwarekeyQubesOS 4.2Happy to provide screenshots/proof at a later date.
Thanks to @tlaurion @notgivenby for their help in Matrix chat. I barely did anything for this port, the pieces were simply waiting to be put together thanks to the major efforts by the parties responsible for the T480 port.