m900 tower pc port #2111
Signed-off-by: notgivenby <[email protected]>
…900_tower board Signed-off-by: notgivenby <[email protected]>
@notgivenby can you give the exact commands used to forge the GBE MAC address? I am not sure why the internal network card would not work (while t480 works) and link with ME you did
| @@ -0,0 +1,87 @@ | |||
| # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use | |||
| # Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec) | |||
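Review bot: The second header line still reads "Configuration for a m900_tiny", but this file defines the M900 tower target (EOL_m900_tower-*). Update the comment to name the tower board so the caveats and blob instructions that follow are not read as applying to the Tiny variant.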
| @@ -0,0 +1,85 @@ | |||
| # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use | |||
| # Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec) | |||
config_defconfig should be generated so the coreboot fork's defconfig can be reviewed to make sure we only deviate from defaults for what we need to, i.e.
`./docker_repro.sh make BOARD=XYZ coreboot.save_in_defconfig_format_backup`
where XYZ is the two boards here
copied from? t480? just curious. Eventually we need to reduce those, they are basically copy paste of each other. Ideas?
Pull request overview
Adds a new Heads board target for the Lenovo ThinkCentre M900 tower (including HOTP and non-HOTP “maximized” variants), along with the required coreboot/Linux configs, ME deguard blob tooling, and CI wiring so the new targets build in the existing coreboot 25.09 workflow.
Changes:
- Introduces new M900 tower board targets (EOL_m900_tower-maximized, EOL_m900_tower-hotp-maximized) and hooks them into CircleCI.
- Adds coreboot + Linux kernel configuration files for the M900 tower port.
- Adds M900 blob assets + scripts/Make targets to generate a deguarded ME blob and document blob provenance/hashes.
Reviewed changes
Copilot reviewed 9 out of 12 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| targets/m900_me_blobs.mk | New make target to generate m900_me.bin for the M900 build. |
| config/linux-m900.config | New Linux kernel config used for the M900 Heads payload. |
| config/coreboot-m900-maximized.config | New coreboot config for the M900 “maximized” variant. |
| boards/EOL_m900_tower-maximized/EOL_m900_tower-maximized.config | New board definition for the M900 tower maximized build. |
| boards/EOL_m900_tower-hotp-maximized/EOL_m900_tower-hotp-maximized.config | New board definition for the M900 tower HOTP maximized build. |
| blobs/m900/README.md | Documentation for M900 blob inputs/provenance and caveats. |
| blobs/m900/m900_download_clean_deguard_me.sh | Script to download, clean, and deguard the ME blob for M900. |
| blobs/m900/hashes.txt | SHA256 list for M900 blob artifacts. |
| blobs/m900/.gitignore | Ignores locally-generated ME outputs. |
| .circleci/config.yml | Adds CircleCI build jobs for the two new M900 tower targets. |
| # m900-*-maximized boards require of you initially call one of the | ||
| # following to have gbe.bin ifd.bin and me.bin | ||
| # - blobs/m900/download_clean_me.sh | ||
| # To download Lenovo original ME binary, neuter+deactivate ME |
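Review bot: The script path in this comment, blobs/m900/download_clean_me.sh, does not match the script this PR adds, blobs/m900/m900_download_clean_deguard_me.sh, and "Lenovo original ME binary" conflicts with the README and the script, which fetch the ME from an ASRock BIOS archive. Point the comment at the real script name and the real source so a builder is not sent looking for a file that does not exist. The wording "require of you initially call" would also read better as "require that you first run".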
| # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use | ||
| # Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec) | ||
| # CAVEATS: | ||
| # This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. | ||
| # This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. | ||
| # Also it can be used to extract FDE keys from a TPM. | ||
| # The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 | ||
| # Make sure you understand the implications of the attack for your threat model before using this board. | ||
| # Includes | ||
| # - Deactivated+partially neutered+deguarded ME and expanded consequent IFD BIOS regions | ||
| # - More details can be found in the script under blobs/m900_tiny/m900_tiny_download_clean_deguard_me.sh | ||
| # - Forged GBE MAC address to 00:DE:AD:C0:FF:EE | ||
| # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) |
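Review bot: The "More details" line points to blobs/m900_tiny/m900_tiny_download_clean_deguard_me.sh, while the blobs and script for this port are added under blobs/m900/. Fix the path, and move the "DOES NOT INCLUDE Nitrokey/Librem Key HOTP" line out from under the "# Includes" heading so the list cannot be skimmed as saying HOTP attestation is present in this variant.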
| # WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use | ||
| # Configuration for a m900_tiny running Qubes 4.3 and other Linux Based OSes (through kexec) | ||
| # CAVEATS: | ||
| # This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. | ||
| # This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. | ||
| # Also it can be used to extract FDE keys from a TPM. | ||
| # The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 | ||
| # Make sure you understand the implications of the attack for your threat model before using this board. | ||
| # Includes | ||
| # - Deactivated+partially neutered+deguarded ME and expanded consequent IFD BIOS regions | ||
| # - More details can be found in the script under blobs/m900_tiny/m900_tiny_download_clean_deguard_me.sh | ||
| # - Forged GBE MAC address to 00:DE:AD:C0:FF:EE | ||
| # - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code) | ||
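Review bot: The CAVEATS block covers the TPM reset attack but omits the functional caveat stated in the README hunk of this PR: onboard Ethernet stops working once the ME is disabled, so a PCI or USB Ethernet adapter is needed. Add that next to the "Forged GBE MAC address" line, since the board config header is what users read first. It is also worth stating there that every image built from this config carries the same MAC, 00:DE:AD:C0:FF:EE.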
|
|
| The following blobs are needed: | ||
|
|
||
| * `ifd.bin` | ||
| * `gbe.bin` | ||
| * `me.bin` | ||
|
|
||
| ## me.bin: automatically extract, deactivate, partially neuter and deguard | ||
|
|
||
| download_clean_deguard_me.sh : Download vulnerable ME from ASRock, verify checksum, extract ME, deactivate ME and paritally neuter it, then apply the deguard patch and place it into me.bin. | ||
| For the technical details please read the documentation in the script itself, as removing modules is limited on the platform. |
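Review bot: The README names the script download_clean_deguard_me.sh, but the file added in this PR is m900_download_clean_deguard_me.sh; use the real name so the instructions can be followed as written. "paritally" should be "partially". Because the text says the downloaded ME is a vulnerable version and that its checksum is verified, also state which file holds the expected checksum so a reader can confirm it independently of the script.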
|
|
||
| ## me.bin: automatically extract, deactivate, partially neuter and deguard | ||
|
|
||
| download_clean_deguard_me.sh : Download vulnerable ME from ASRock, verify checksum, extract ME, deactivate ME and paritally neuter it, then apply the deguard patch and place it into me.bin. |
| Both blobs were taken from my donor board. | ||
|
|
||
| The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE`. Unfourtunatly, after disabling the ME the onboard ethernet stop working. This was tested on coreboot and is true for heads too. So, PCI ethernet or usb/ethernet adapter is needed. | ||
| IFD blob was unlocked using iftool. Moreover, to be sure, the HAP bit was set by altmedisable. | ||
| The IFD layot was changed: the bios region was expanded to take space after reducing the me blob. |
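Review bot: "iftool" looks like a typo for coreboot's ifdtool, and "Unfourtunatly", "layot" and "stop working" need fixing. The larger gap is that this paragraph says what was done to ifd.bin and gbe.bin (MAC forged, descriptor unlocked, HAP bit set, BIOS region expanded) but not the commands that did it. Since both blobs come from a single donor board, list the exact tool invocations and the resulting region layout so the blobs can be reproduced and compared against hashes.txt.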
|
|
||
| The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE`. Unfourtunatly, after disabling the ME the onboard ethernet stop working. This was tested on coreboot and is true for heads too. So, PCI ethernet or usb/ethernet adapter is needed. | ||
| IFD blob was unlocked using iftool. Moreover, to be sure, the HAP bit was set by altmedisable. | ||
| The IFD layot was changed: the bios region was expanded to take space after reducing the me blob. |
| # Download and unpack the Dell installer into a temporary directory and | ||
| # extract the deguardable Intel ME blob. | ||
| pushd "$(mktemp -d)" || exit | ||
|
|
||
| # Download the installer that contains the ME blob | ||
| me_installer_filename="H110M-DGS(7.30)ROM.zip" | ||
| user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" | ||
| curl -A "$user_agent" -s -O "https://download.asrock.com/BIOS/1151/${me_installer_filename}" |
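Review bot: The comment at the top of this block says "Dell installer", but the download is an ASRock BIOS archive (H110M-DGS(7.30)ROM.zip from download.asrock.com); correct the comment. curl is also run with -s -O and no -f, so an HTTP error page would be saved under the expected filename with no message. Add -f (and -S to keep errors visible) and stop the script when the download fails, rather than relying on the later checksum step to catch it.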
| export CONFIG_BOOT_REQ_ROLLBACK=n | ||
| export CONFIG_BOOT_KERNEL_ADD="" | ||
| export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" | ||
| export CONFIG_BOARD_NAME="Thinkcentre m900-maximized" |
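Review bot: CONFIG_BOARD_NAME is "Thinkcentre m900-maximized", with no "tower", while the board target is EOL_m900_tower-maximized and the header comments in this PR mention m900_tiny. Name the tower explicitly here and in the hotp variant so the board name identifies this port unambiguously.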
| export CONFIG_BOOT_REQ_ROLLBACK=n | ||
| export CONFIG_BOOT_KERNEL_ADD="" | ||
| export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" | ||
| export CONFIG_BOARD_NAME="Thinkcentre m900-hotp-maximized" |
The board works. Caveat: after disabling and reducing Intel ME, built-in Ethernet does not work. So, a PCI Ethernet card is needed for wired LAN/Internet. At the moment, a USB keyboard is required. The board has a PS/2 header, which I ordered and will test in a few days.
https://github.com/notgivenby/heads/commit/81cc8b300a8508a04f82fbd6e7d6df16a878e1c3
using external programmer model tigard
Qubes OS 4.3
install and reboot
nitrokey 3 mini
Qubes OS
patches/coreboot-X.Y.Z.
and coreboot config contain proper preparation of the platform)