platform/x230: init

src/default.nix

@@ -98,6 +98,7 @@ in {
   kevin = ownerboot (import ./platform/kevin { inherit lib common_arm64; });
   am1i  = ownerboot (import ./platform/am1i { inherit lib common_amd64; });
   kgpe  = ownerboot (import ./platform/kgpe { inherit lib common_amd64; });
+  x230  = ownerboot (import ./platform/x230 { inherit lib common_amd64; });
 
   em100 = nixpkgsOnBuildForBuild.callPackage ./util/em100 { };
 }

src/platform/x230/custom.fmap

@@ -0,0 +1,18 @@
+#
+# Note: on x86 platforms the SPI flash is mapped into or copied into
+# the topmost X bytes of memory, and the very topmost word of memory
+# is the "reset vector" which points to the BIOS entry point.  Because
+# of this we must protect the TOPMOST half of memory; if an attacker
+# controls the reset vector and any other chunk of the flash, the game
+# is over.
+#
+FLASH@0 0x1000000 {
+	BIOS@0 0x1000000 {
+                # read-write zone
+		NORMAL(CBFS)   @    0x400 0x7FFC00
+
+                # read-only zone (eventually)
+		FMAP           @ 0x800000    0x400
+		FALLBACK(CBFS) @ 0x800400 0x7FFC00
+	}
+}

src/platform/x230/default.nix

@@ -0,0 +1,102 @@
+{ lib
+, common_amd64
+}:
+{
+  overlays = common_amd64.overlays ++ [(final: prev: 
+  let
+    flash-chip-bytes-per-image = final.flash-chip-size-in-bytes / final.images-per-flash-chip;
+    default-flash-chip-size-in-bytes = 12 * 1024 * 1024;
+    default-bios-offset-in-bytes = 8 * 1024 * 1024;
+    fmap-size-in-bytes = 1024;
+    cbfs-size-in-bytes = flash-chip-bytes-per-image - fmap-size-in-bytes;
+  initramfs_lzma = initramfs: final.nixpkgsOnBuildForBuild.runCommand "initramfs.lzma" { } ''
+    lzma < ${initramfs} > $out;
+  '';
+  in {
+
+    platform_name = "x230";
+
+    kernel =
+      final.lib.makeOverridable (prev.kernel.override {
+        # config = ./linux.config;
+        # buildTargets = [ "bzImage" ];
+      }).overrideAttrs (a: {
+        postInstall = (a.postInstall or "") + ''
+          cp arch/x86/boot/compressed/vmlinux $out/vmlinuz
+        '';
+      });
+    initramfs = initramfs_lzma prev.initramfs;
+    device = ./device.nix;
+    console-device = "ttyS1";
+    payload = "${final.kernel}/bzImage";
+    fmap = final.nixpkgsOnBuildForBuild.writeText "custom.fmap" (''
+      # 
+      # Note: on x86 platforms the SPI flash is mapped into or copied into
+      # the topmost X bytes of memory, and the very topmost word of memory
+      # is the "reset vector" which points to the BIOS entry point.  Because
+      # of this we must protect the TOPMOST half of memory; if an attacker
+      # controls the reset vector and any other chunk of the flash, the game
+      # is over.
+      # The X230 has a quite special situation.
+      # It contains *2* flash chips, one of 8MB and one of 4MB.
+      # The 8MB contains mostly opaque stuff, e.g. embedded controller, Intel Management Engine and a chunk of the BIOS.
+      # It is not supposed to be modified, except by me_cleaner for example.
+      # The 4MB on the contrary contains most of the BIOS.
+      # It is enough to flash the 4MB one to achieve the desired effect for now.
+      # TODO: eat the extra 1MB on the other chip.
+      FLASH@0 0x${lib.toHexString default-flash-chip-size-in-bytes} {
+        BIOS@0x${lib.toHexString default-bios-offset-in-bytes} 0x${lib.toHexString final.flash-chip-size-in-bytes} {
+          ${lib.optionalString (final.images-per-flash-chip > 1) ''
+            # read-write zone
+            NORMAL(CBFS)   @    0x${lib.toHexString fmap-size-in-bytes} 0x${lib.toHexString cbfs-size-in-bytes}
+          ''}
+          # read-only zone (eventually)
+          FMAP           @ 0x${lib.toHexString flash-chip-bytes-per-image}    0x${lib.toHexString fmap-size-in-bytes}
+          FALLBACK(CBFS) @ 0x${lib.toHexString (flash-chip-bytes-per-image + fmap-size-in-bytes)} 0x${lib.toHexString cbfs-size-in-bytes}
+        }
+      }
+    '');
+
+
+    coreboot = (prev.coreboot.override {
+      iasl = final.iasl_20180531;
+      coreboot-toolchain = with final.coreboot-toolchain; [ x64 i386 ];
+      config = with lib.kernel; {
+        # CBFS_PREFIX = lib.mkForce (freeform "prefix");
+
+        # COLLECT_TIMESTAMPS = yes;
+        # VBOOT = yes;
+        # MEASURED_BOOT = yes;
+        # VBOOT_SLOTS_RW_AB = yes;
+
+        VENDOR_LENOVO = lib.mkForce yes;
+        BOARD_LENOVO_X230 = lib.mkForce yes;
+
+        CONSOLE_CBMEM = lib.mkForce no;
+
+        # ON_DEVICE_ROM_LOAD = lib.mkForce no;
+        POST_DEVICE = lib.mkForce no;
+        POST_IO = lib.mkForce no;
+
+        DEFAULT_CONSOLE_LOGLEVEL = lib.mkForce (freeform "7");
+        ONBOARD_VGA_IS_PRIMARY = lib.mkForce yes;
+
+        USE_NATIVE_RAMINIT = lib.mkForce yes;
+        MAINBOARD_USE_LIBGFXINIT = lib.mkForce yes;
+
+        # MAINBOARD_SMBIOS_MANUFACTURER = lib.mkForce (freeform "LENOVO");
+        # MAINBOARD_SMBIOS_PRODUCT_NAME = lib.mkForce (freeform "ThinkPad X230");
+      };
+      uart-for-console =
+        if      final.console-device == "ttyS0" then 0 # IDC ribbon-cable header on the motherboarod
+        else if final.console-device == "ttyS1" then 1 # DB9 connector on rear I/O panel; omitted from some board variants
+        else if final.console-device == null then null
+        else throw "x230 currently supports only `null` and `ttyS{0,1}` for `console-device`";
+    }).overrideAttrs (a: {
+      postInstall = (a.postInstall or "") + ''
+        cp src/mainboard/lenovo/x230/cmos.layout $out/
+      '';
+    });
+  })];
+}
+

src/platform/x230/device.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./minify.nix
+    ./kernel-config.nix
+  ];
+
+  hardware.cpu = "generic-x86_64";
+  # wip.kernel.defconfig = "allnoconfig";
+}

src/platform/x230/kernel-config.nix

@@ -0,0 +1,82 @@
+{ lib, ... }:
+
+{
+  wip.kernel = {
+    structuredConfig = lib.mkMerge [
+      (with lib.kernel; {
+        # SPI_INTEL = yes; /* deps: */ SPI = yes;
+        # PINCTRL_INTEL = yes; /* deps: */ PINCTRL = yes;
+      })
+      (with lib.kernel; {
+        /* deps: */
+        # REGMAP = yes;
+        # I2C_DESIGNWARE_PLATFORM = yes; /* deps: */ I2C = yes;
+      })
+      (with lib.kernel; {
+       # FB_EFI = yes;
+       # BACKLIGHT_CLASS_DEVICE = yes;
+       # FRAMEBUFFER_CONSOLE_ROTATION = yes;
+       # FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes;
+      })
+      # TODO: Somehow make configurable
+      # (with lib.kernel; {
+      #   LTRF216A = yes; /* deps: */ IIO = yes; I2C = yes;
+      # })
+      # TODO: allow introspecting current config to `mkIf SND != no`
+      # (with lib.kernel; {
+      #   SND_SOC_CS35L41 = yes;
+      #   SND_SOC_CS35L41_SPI = yes;
+
+      #   SND_SOC_AMD_ACP5x = yes;
+      #   SND_SOC_AMD_VANGOGH_MACH = yes;
+      #   SND_SOC_WM_ADSP = yes;
+      #   # CONFIG_SND_SOC_CS35L41_I2C is not set
+      #   SND_SOC_NAU8821 = yes;
+      #   # Doesn't build on latest tag, not used in neptune hardware (?)
+      #   SND_SOC_CS35L36 = no;
+      # })
+
+      (with lib.kernel; {
+        # SD card reader
+        MMC = lib.mkForce no;
+        KERNEL_XZ = lib.mkForce yes;
+
+        # Internal storage
+        # BLK_DEV_NVME = yes; /* deps: */ PCI = yes;
+
+        # USB interface
+#        USB = yes;
+#        USB_DWC3 = yes;
+#        #USB_DWC3_GADGET = yes;
+#        USB_DWC3_HOST = yes;
+#        # USB_DWC3_DUAL_ROLE = yes;
+#        # NOP_USB_XCEIV = yes;
+#        USB_PHY = yes;
+#
+#        # Keyboard input
+#        USB_HIDDEV = yes;
+#        HID_PID = yes;
+#        USB_XHCI_HCD = yes;
+#
+#        TYPEC = yes;
+#        TYPEC_TCPM = yes;
+#
+#        #TYPEC_FUSB302 = yes;
+#        #I2C = yes;
+#
+#        PCIEPORTBUS = yes;
+#        HOTPLUG_PCI_PCIE = yes;
+#        PCI_MSI = yes;
+#        HOTPLUG_PCI = yes;
+#        HOTPLUG_PCI_ACPI = yes;
+#        ACPI_PCI_SLOT = yes;
+#
+#        # Unlikely:
+#        PCIE_DW = yes;
+#        PCIE_DW_HOST = yes;
+#        PCIE_DW_PLAT = yes;
+#        PCIE_DW_PLAT_HOST = yes;
+      })
+    ];
+  };
+}

src/platform/x230/minify.nix

@@ -0,0 +1,179 @@
+{ lib, ... }:
+
+{
+  wip.kernel = {
+    structuredConfig = lib.mkMerge [
+      # Slim down config somewhat
+      # TODO: move into more general options
+      (with lib.kernel; {
+        NET = no;
+        ETHERNET = no;
+        NETFILTER = no;
+        BPFILTER = no;
+        USB_NET_DRIVERS = no;
+        WIRELESS = no;
+        WIREGUARD = no;
+        BT = no;
+        WLAN = no;
+        NETDEVICES = no;
+        MMC = no;
+        INET = no; # No TCP/IP networking
+        ETHTOOL_NETLINK = no;
+        SERIO = no;
+        LEGACY_PTYS = no;
+        HW_RANDOM = no;
+        SND = no;
+        IKHEADERS = no;
+
+        CRYPTO_DEFLATE = no;
+        CRYPTO_842 = no;
+        CRYPTO_LZ4 = no;
+        CRYPTO_LZ4HC = no;
+        CRYPTO_ZSTD = no;
+
+        # It's an AMD!
+        PROCESSOR_SELECT = yes; /* deps: */ EXPERT = yes;
+        CPU_SUP_AMD = no;
+        CPU_SUP_CENTAUR = no;
+        CPU_SUP_HYGON = no;
+        CPU_SUP_INTEL = yes;
+        CPU_SUP_ZHAOXIN = no;
+      })
+
+      (with lib.kernel; {
+        # Relying on efifb is better for this specific use case
+        DRM = no;
+      })
+
+      (with lib.kernel; {
+        DEBUG_FS = no;
+        BLK_DEBUG_FS = no;
+
+        AFFS_FS = no;
+        AUTOFS4_FS = no;
+        AUTOFS_FS = no;
+        BEFS_FS = no;
+        BTRFS_FS = no;
+        ECRYPT_FS = no;
+        EFIVAR_FS = no;
+        EROFS_FS = no;
+        EXFAT_FS = no;
+        EXT2_FS = no;
+        EXT4_FS = no;
+        F2FS_FS = no;
+        FAT_FS = no;
+        FSCACHE = no;
+        FUSE_FS = no;
+        GFS2_FS = no;
+        HFS_FS = no;
+        HFSPLUS_FS = no;
+        ISO9660_FS = no;
+        JFFS2_FS = no;
+        JFS_FS = no;
+        MINIX_FS = no;
+        MSDOS_FS = no;
+        NILFS2_FS = no;
+        OMFS_FS = no;
+        ORANGEFS_FS = no;
+        OVERLAY_FS = no;
+        REISERFS_FS = no;
+        ROMFS_FS = no;
+        UBIFS_FS = no;
+        UDF_FS = no;
+        UFS_FS = no;
+        VBOXSF_FS = no;
+        VFAT_FS = no;
+        VIRTIO_FS = no;
+        XFS_FS = no;
+        ZONEFS_FS = no;
+        ZONE_FS = no;
+        CONFIGFS_FS = no;
+
+        BINFMT_SCRIPT = no;
+        BINFMT_ELF = no;
+        KERNFS = no;
+        SYSFS = no;
+        PROCFS = no;
+        PROC_KCORE = no;
+        PROC_SYSCTL = no;
+        PROC_PAGE_MONITOR = no;
+        PROC_CHILDREN = no;
+        # PERF_EVENTS = no;
+        TRACING = no;
+        IO_URING = no;
+        UPROBE_EVENTS = no;
+      })
+
+      (with lib.kernel; {
+        SYSVIPC = no;
+        POSIX_MQUEUE = no;
+        NO_HZ = no;
+        HIGH_RES_TIMERS = no;
+        PREEMPT_VOLUNTARY = no;
+        CC_OPTIMIZE_FOR_SIZE = yes;
+        JUMP_LABEL = no;
+        NET = no;
+        PACKET = no;
+        PACKET_DIAG = no;
+        UNIX = no;
+        UNIX_DIAG = no;
+        #INPUT_EVDEV = yes;
+        #INPUT_TOUCHSCREEN = yes;
+        #LOGO = yes;
+        NEW_LEDS = no;
+        LEDS_CLASS = no;
+        RTC_CLASS = no;
+        CONSOLE_LOGLEVEL_DEFAULT = freeform "3";
+        FRAME_WARN = freeform "1024";
+        MAGIC_SYSRQ = no;
+        # DEBUG_FS = yes;
+        STACKTRACE = no;
+
+        STACKPROTECTOR = no;
+        GCC_PLUGINS = no;
+        WIRELESS = no;
+        INPUT_MOUSEDEV = no;
+        RTC_INTF_PROC = no;
+      })
+
+      # Disabling generally unneeded things
+      (with lib.kernel; {
+        MEDIA_SUBDRV_AUTOSELECT = no;
+        NETWORK_FILESYSTEMS = no;
+        RAID6_PQ_BENCHMARK = no;
+        RUNTIME_TESTING_MENU = no;
+        STRICT_DEVMEM = no;
+        REMOTEPROC = no;
+        RPMSG = no;
+        VHOST_MENU = no;
+        VIRTIO = no;
+        I2C_VIRTIO = no;
+        VIRTIO_CONSOLE = no;
+        VIRTIO_MENU = no;
+      })
+
+      (with lib.kernel; {
+        #MODULES_TREE_LOOKUP = no;
+        #PERF_EVENTS = no;
+      })
+
+      (with lib.kernel; {
+        HID_A4TECH = no;
+        HID_APPLE = no;
+        HID_BELKIN = no;
+        HID_CHERRY = no;
+        HID_CHICONY = no;
+        HID_CYPRESS = no;
+        HID_EZKEY = no;
+        HID_ITE = no;
+        HID_KENSINGTON = no;
+        HID_LOGITECH = no;
+        HID_REDRAGON = no;
+        HID_MICROSOFT = no;
+        HID_MONTEREY = no;
+        INPUT_MOUSE = no;
+        KEYBOARD_ATKBD = no;
+      })
+    ];
+  };
+}