initial commit

.gitignore

@@ -0,0 +1 @@
+result

coreboot.nix

@@ -0,0 +1,158 @@
+{ stdenv, fetchurl, fetchgit
+, linkFarm, overrideCC
+, writeText, writeShellScriptBin
+, gnat, bison, flex, zlib, python3
+, libfaketime, gnumake
+# options
+, rev           # coreboot git revision
+, sources       # coreboot sources attrset
+, arch ? "i386" # target architecture
+, conf ? { }    # coreboot configuration
+}:
+
+let
+  lib = stdenv.lib;
+  adaStdenv = overrideCC stdenv gnat;
+  version = lib.substring 0 6 rev;
+
+in rec {
+
+  ## Sources
+
+  # coreboot source
+  src = fetchgit {
+    url = "https://review.coreboot.org/coreboot.git";
+    fetchSubmodules = true;
+    inherit (sources) rev sha256;
+  };
+
+  # seabios source
+  seabios = builtins.fetchGit {
+    url = "https://review.coreboot.org/seabios.git";
+    rev = conf.seabios.revision_id;
+  };
+
+  # tarballs needed to build the toolchain
+  tarballs = linkFarm "toolchain-tarballs"
+    (map (file: { name = file.name; path = toString file; })
+         sources.toolchain);
+
+
+  ## Helpers
+
+  # converts Nix attrs to Kconfig format
+  toConf = top: n: v: with builtins;
+    let
+      prefix = lib.optionalString top "CONFIG_";
+      nconv = n: replaceStrings ["-"] ["_"] (lib.toUpper n);
+      vconv = v: if isBool v then (if v then "y" else "n")
+            else if (isString v) || (isPath v) || (lib.isDerivation v) then "\"${v}\""
+            else toString v;
+    in
+      if (lib.isAttrs v && ! lib.isDerivation v)
+      then (lib.concatMapStringsSep "\n"
+             (line: "${prefix}${nconv n}_${line}")
+             (lib.mapAttrsToList (toConf false) v))
+      else "${prefix}${nconv n}=${vconv v}";
+
+  # the coreboot Kconfig file
+  defConfig = with lib;
+    writeText "defconfig"
+      (concatStringsSep "\n"
+        (mapAttrsToList (toConf true) conf));
+
+  # returns the current revision
+  fakegit = writeShellScriptBin "git" "echo ${version}";
+
+  # does nothing, just to trick buildgcc
+  fakecurl = writeShellScriptBin "curl" "echo curl 1.2.3";
+
+  # runs make with faketime for determinism
+  faketime = writeShellScriptBin "make" ''
+    exec ${libfaketime}/bin/faketime -f '1970-01-01 00:00:01' \
+    ${gnumake}/bin/make "$@"
+  '';
+
+
+  ## Packages
+
+  # the coreboot compilers toolchain
+  toolchain = adaStdenv.mkDerivation {
+    pname = "coreboot-toolchain";
+    inherit version src;
+    nativeBuildInputs = [
+      fakecurl fakegit
+      bison flex zlib
+    ];
+    
+    # link source tarballs
+    preBuild = "ln -s ${tarballs} util/crossgcc/tarballs";
+
+    # https://github.com/NixOS/nixpkgs/pull/107435
+    hardeningDisable = [ "format" ];
+
+    makeFlags =
+      [ "CPUS=$(NIX_BUILD_CORES)"
+        "DEST=$(out)"
+        "crossgcc-${arch}"
+      ];
+    dontInstall = true;
+
+    meta = with stdenv.lib; {
+      description = "Coreboot compilers toolchain";
+      homepage  = "https://www.coreboot.org";
+      license   = licenses.gpl2Only;
+      platforms = platforms.all;
+    };
+
+  };
+
+  # the final coreboot rom
+  coreboot = stdenv.mkDerivation {
+    pname = "coreboot";
+    inherit src version;
+    nativeBuildInputs = [ faketime fakegit ]
+      ++ lib.optional (conf ? "use-me-cleaner") python3;
+
+    postPatch = "patchShebangs .";
+
+    preBuild = ''
+      # write default configuration
+      cp ${defConfig} .config
+      make olddefconfig
+
+      # copy payload
+      ${lib.optionalString (conf ? "seabios") ''
+        cp -r ${seabios} payloads/external/SeaBIOS/seabios
+        chmod -R +w payloads/external/SeaBIOS/seabios
+      ''}
+    '';
+
+    makeFlags =
+      [ "ARCH=${arch}" 
+         # https://review.coreboot.org/c/coreboot/+/48937 
+        "XGCCPATH=${toolchain}/bin/"
+      ];
+
+    installPhase = ''
+      install -Dm644 build/coreboot.rom $out/coreboot.rom
+      install -Dm644 .config $out/config
+      make savedefconfig DEFCONFIG=$out/defconfig
+    '';
+
+    meta = with stdenv.lib; {
+      description = "Fast, secure and flexible OpenSource firmware";
+      longDescription = ''
+        coreboot is an extended firmware platform that delivers a lightning
+        fast and secure boot experience on modern computers and embedded
+        systems. As an Open Source project it provides auditability and maximum
+        control over technology.
+      '';
+      homepage  = "https://www.coreboot.org";
+      license   = licenses.gpl2Only;
+      platforms = platforms.all;
+    };
+
+  };
+
+}

gbe.nix

@@ -0,0 +1,33 @@
+{ stdenv, bison, flex
+# options
+, macAddress ? "00:de:ad:c0:ff:ee"
+, model ? "82579LM"
+}:
+
+stdenv.mkDerivation {
+  name = "gbe.bin";
+
+  src = (builtins.fetchGit {
+    url = "https://review.coreboot.org/coreboot.git";
+    rev = "219caf83580a86acf073f73662356a078bd96244";
+  }).outPath + "/util/bincfg"; 
+
+  buildInputs = [ bison flex ];
+  makeFlags = [ "bincfg"  "gen-gbe-${model}" ];
+
+  configurePhase = stdenv.lib.concatImapStrings
+    (i: n: ''
+      sed -i gbe-${model}.set -e \
+      's@\("mac_address_${toString (i - 1)}" = 0x\)[0-9A-F]\+@\1${n}@'
+    '')
+    (stdenv.lib.splitString ":" macAddress);
+
+  installPhase = "install -Dm644 flashregion_3_gbe.bin $out";
+  
+  meta = with stdenv.lib; {
+    description = "The Intel Gigabit Ethernet configuration";
+    homepage = "https://www.coreboot.org";
+    license = licenses.gpl2Only;
+    platforms = platforms.all;
+  };
+}

scripts/gen-sources.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i sh -p nix-prefetch-git jq
+
+# shellcheck shell=sh
+
+# print usage
+if test -z "$1" || test "$1" = "-h"; then
+  >&2 printf 'Usage: %s REV\n' "$0"
+  >&2 printf 'Fetch and generate the Nix expression for the coreboot sources.\n'
+  >&2 printf 'The result is written to stdout.\n\n'
+  >&2 printf ' REV: \t revision of the coreboot git repository\n'
+  exit 1
+fi
+
+# fetch coreboot source code
+url=https://review.coreboot.org/coreboot.git
+info=$(nix-prefetch-git "$url" "$1" --fetch-submodules)
+coreboot=$(echo "$info" | jq .path -r)
+hash=$(echo "$info" | jq .sha256 -r)
+
+# extract version numbers and URLs
+buildgcc="$coreboot/util/crossgcc/buildgcc"
+# shellcheck disable=SC2046
+export $(grep '^[A-Z]\+_VERSION=' "$buildgcc" | tail -n+2)
+urls=$(awk -F'=|"' '/^[A-Z]+_ARCHIVE=/{print $3}' "$buildgcc")
+
+# generate Nix expression
+cat <<EOF
+{ fetchurl }:
+{ rev = "$1";
+  sha256 = "$hash";
+  toolchain = [
+EOF
+
+for url in $urls; do 
+  # expand version inside the url
+  url="$(eval echo "$url")"
+  # prefetch to compute the hash
+  hash=$(nix-prefetch-url --type sha256 "$url")
+
+  cat <<EOF
+    (fetchurl {
+      url = "$url";
+      sha256 = "$hash";
+    })
+EOF
+done
+printf "  ];\n}"

systems/charlie/default.nix

@@ -0,0 +1,53 @@
+{ pkgs ? import <nixpkgs> { } }:
+
+pkgs.callPackage ../../coreboot.nix {
+  # last known good
+  rev = "d8bc5c127ad13ed0475bbf7465f6ba56a5fa34ee";
+  sources = pkgs.callPackage ./sources.nix { };
+
+  conf = {
+    # main
+    vendor.lenovo = true;
+    board.lenovo-x230 = true;
+
+    # drivers
+    tpm-deactivate = true;
+    drivers-ps2-keyboard = true;
+    pciexp = {
+      hotplug      = true;
+      clk-pm       = true;
+      l1-sub-state = true;
+    };
+
+    # display
+    bootsplash = true;
+    generic-linear-framebuffer = true;
+    linear-framebuffer = {
+      max-width  = 1024;
+      max-height = 768;
+    };
+
+    # custom bootsplash
+    bootsplash-image = true;
+    bootsplash-file  = ./bootsplash.jpg;
+
+    # payload
+    seabios = {
+      revision    = true;
+      revision_id = "ef88eeaf052c8a7d28c5f85e790c5e45bcffa45e";
+    };
+
+    # blobs
+    have-ifd-bin = true;
+    have-me-bin  = true;
+    have-gbe-bin = true;
+    ifd-bin-path = ./blobs/ifd.bin;
+     me-bin-path = ./blobs/me.bin;
+    gbe-bin-path = pkgs.callPackage ../../gbe.nix { macAddress = "e5:36:eb:9b:6c:3e"; };
+
+    # neutralise me
+    check-me       = true;
+    use-me-cleaner = true;
+  };
+
+}

systems/charlie/sources.nix

@@ -0,0 +1,66 @@
+{ fetchurl }:
+{ rev = "d8bc5c127ad13ed0475bbf7465f6ba56a5fa34ee";
+  sha256 = "0hg8xrmvvqx4kh5zq64nx8a7x1vvnw4lsimj12nwgvszmnhvsvmq";
+  toolchain = [
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/gmp/gmp-6.1.2.tar.xz";
+      sha256 = "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7";
+    })
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/mpfr/mpfr-4.0.2.tar.xz";
+      sha256 = "12m3amcavhpqygc499s3fzqlb8f2j2rr7fkqsm10xbjfc04fffqx";
+    })
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/mpc/mpc-1.1.0.tar.gz";
+      sha256 = "0biwnhjm3rx3hc0rfpvyniky4lpzsvdcwhmcn7f0h4iw2hwcb1b9";
+    })
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/gcc/gcc-8.3.0/gcc-8.3.0.tar.xz";
+      sha256 = "0b3xv411xhlnjmin2979nxcbnidgvzqdf4nbhix99x60dkzavfk4";
+    })
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/binutils/binutils-2.33.1.tar.xz";
+      sha256 = "1grcf8jaw3i0bk6f9xfzxw3qfgmn6fgkr108isdkbh1y3hnzqrmb";
+    })
+    (fetchurl {
+      url = "https://ftpmirror.gnu.org/gdb/gdb-9.2.tar.xz";
+      sha256 = "0mf5fn8v937qwnal4ykn3ji1y2sxk0fa1yfqi679hxmpg6pdf31n";
+    })
+    (fetchurl {
+      url = "https://acpica.org/sites/acpica/files/acpica-unix2-20200528.tar.gz";
+      sha256 = "01ajxnz9dpnvdbib7yv20dw21a1yyfgwiw3whg0xi57cf4app2md";
+    })
+    (fetchurl {
+      url = "https://www.python.org/ftp/python/3.8.1/Python-3.8.1.tar.xz";
+      sha256 = "1s4lwn5vzsajlc88m6hkghsvnjw4d00l2dsgng0m2w6vyqbl32bm";
+    })
+    (fetchurl {
+      url = "https://downloads.sourceforge.net/sourceforge/expat/expat-2.2.9.tar.bz2";
+      sha256 = "0dx2m58gkj7cadk51lmp54ma7cqjhff4kjmwv8ks80j3vj2301pi";
+    })
+    (fetchurl {
+      url = "https://releases.llvm.org/9.0.0/llvm-9.0.0.src.tar.xz";
+      sha256 = "117ymdz1by2nkfq1c2p9m4050dp848kbjbiv6nsfj8hzy9f5d86n";
+    })
+    (fetchurl {
+      url = "https://releases.llvm.org/9.0.0/cfe-9.0.0.src.tar.xz";
+      sha256 = "0426ma80i41qsgzm1qdz81mjskck426diygxi2k5vji2gkpixa3v";
+    })
+    (fetchurl {
+      url = "https://releases.llvm.org/9.0.0/compiler-rt-9.0.0.src.tar.xz";
+      sha256 = "03ni43lbkp63lr3p6sc94dphqmvnz5av5mml0xmk930xvnbcvr2n";
+    })
+    (fetchurl {
+      url = "https://releases.llvm.org/9.0.0/clang-tools-extra-9.0.0.src.tar.xz";
+      sha256 = "045cldmcfd8s33wyjlviifgpnw52yqicd6v4ysvdg4i96p78c77a";
+    })
+    (fetchurl {
+      url = "https://cmake.org/files/v3.16/cmake-3.16.2.tar.gz";
+      sha256 = "1ag65ignli58kpmji6gjhj8xw4w1qdr910i99hsvx8hcqrp7h2cc";
+    })
+    (fetchurl {
+      url = "https://www.nasm.us/pub/nasm/releasebuilds/2.14.02/nasm-2.14.02.tar.bz2";
+      sha256 = "1g409sr1kj7v1089s9kv0i4azvddkcwcypnbakfryyi71b3jdz9l";
+    })
+  ];
+}

systems/vm/default.nix

@@ -0,0 +1,29 @@
+{ pkgs ? import <nixpkgs> { } }:
+
+pkgs.callPackage ../../coreboot.nix {
+  # last known good
+  rev = "d8bc5c127ad13ed0475bbf7465f6ba56a5fa34ee";
+  sources = pkgs.callPackage ../charlie/sources.nix { };
+
+  conf = {
+    # display
+    bootsplash = true;
+    generic-linear-framebuffer = true;
+    linear-framebuffer = {
+      max-width  = 1366;
+      max-height = 768;
+    };
+
+    # custom bootsplash
+    bootsplash-image = true;
+    bootsplash-file  = ../charlie/bootsplash.jpg;
+
+    # payload
+    seabios = {
+      revision    = true;
+      revision_id = "ef88eeaf052c8a7d28c5f85e790c5e45bcffa45e";
+    };
+
+  };
+
+}