Draft

README.md

@@ -0,0 +1,537 @@
+*Disclaimer*:
+This is not an easy: mistakes can lead to data loss or bricking of the laptop. Only execute command that you are able to understand.
+
+
+# Qubes+Coreboot on Thinkpad X220
+## Prerequisites
+ * Thinkpad x220 (other models supported by coreboot may apply)
+ * Stock proprietary bios
+ * Pomona 5250 + RaspberryPI/BeagleBone black for hardware flashing
+
+## Advantages:
+ * Encrypted /boot
+ * Less proprietary components in bios
+ * Neutralized management engine
+ * Evil Maid Attacks requires hardware flashing/partial disassembly
+
+## Disadvantages:
+ * TPM can't work without the Intel ME
+ * Not all RAM sticks works
+ * Different (probably worse) fan control
+ * Microcode updates probably working but not yet tested
+
+Final qubes-hcl-report
+
+```
+Qubes release 4.0 (R4.0)
+
+Brand:		LENOVO
+Model:		429136G
+BIOS:		CBET4000 4.7-577-gd18f42ab6f
+
+Xen:		4.8.3
+Kernel:		4.14.18-1
+
+RAM:		12208 Mb
+
+CPU:
+  Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
+Chipset:
+  Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0104] (rev 09)
+VGA:
+  Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0106] (rev 09) (prog-if 00 [VGA controller])
+
+Net:
+  Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 05)
+  Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)
+
+SCSI:
+  Crucial_CT240M50 Rev: MU03
+
+HVM:		Active
+I/O MMU:	Active
+HAP/SLAT:	Yes
+TPM:		Device present
+Remapping:	Yes
+
+```
+
+# Procedure
+## Install Qubes
+Do a simple Qubes 4 LUKS+LVM installation by just following the graphical installer.
+
+## Coreboot prerequisites
+Clone the base Qubes debian8/9 template and install the following packages:
+```
+sudo apt-get install git wget build-essential gnat flex bison libncurses5-dev zlib1g-dev libfreetype6-dev unifont python3
+
+sudo apt-get build-dep grub
+```
+If required enable the necessary source repository.
+
+Create an AppVM based on the template and start a terminal in it.
+
+```
+mkdir ~/Build
+cd ~/Build
+git clone https://notabug.org/Velsoth/x220-coreboot.git
+cd x220-coreboot/
+./cb-helper download_code
+./cb-helper build_utils
+```
+
+## Get the original bios binary
+If you are able to extract it from the executable distributed by Lenovo it should be good. Do not get it from some random forum or website.
+If you can't the best way is to read it directly from the flash using the Raspberry and the clip.
+
+```
+    ______
+1--| O    |--8
+2--|      |--7
+3--|      |--6
+4--|______|--5
+
+```
+Remeber to research your chip model and manufacturer (in this guide a Macronix MX25L6405) and double check the pin layout using the official datasheet.
+
+| 1  | 2  | 3   | 4   | 5  | 6   | 7     | 8   | Flash pin number |
+|----|----|-----|-----|----|-----|-------|-----|------------------|
+| CS | DO | /WP | GND | DI | CLK | /HOLD | VCC | Pin name         |
+| 24 | 21 | GND | 25  | 19 | 23  | GND   | 17  | Rpi GPIO number  |
+
+Please refer to the multiple flashing guides available
+ * https://www.flashrom.org/RaspberryPi
+ * https://libreboot.org/docs/install/rpi_setup.html
+ * https://karlcordes.com/coreboot-x220/
+ * https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/
+ * https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi
+
+From a root prompt on the Rpi
+```
+flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios1.bin
+flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios2.bin
+flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios3.bin
+sha1sum bios*.bin
+```
+Check that all the checksums do match. In case they don't there's probably something wrong in the clip position or in the wiring. Remember that no pin should left floating even if it's not useful for the operation. /WP and /HOLD should be always connected to something like GND.
+
+## Continue with coreboot build
+Now reassemble the x220, boot Qubes and copy bios1.bin from the RaspberryPi to the AppVM created before in `~/Build/x220-coreboot/binaries/bios.bin`.
+
+Open again a terminal in the AppVM:
+```
+cd ~/Build/x220-coreboot/
+./cb-helper split_bios
+./cb-helper neuter_me
+./cb-helper pre_build_coreboot
+```
+
+Now the `cb-helper` script is prepared to build coreboot with SeaBIOS as primary payload and Grub2 as a secondary payload. In this specific guide we do not use SeaBIOS and directly use Grub2 as a primary payload.
+
+This is an advantage for some reasons:
+ * Faster boot
+ * Less code running
+And a disadvantage for some others:
+ * No BIOS like configuration available
+ * Probable problems with other operating systems
+ * Missing utilities like nvramcui
+
+Now edit grub.cfg
+`~/Build/x220/coreboot/config/grub.cfg`
+Replace at the beginning of the file
+```
+set prefix=(memdisk)/boot/grub
+
+insmod nativedisk
+insmod ehci
+insmod ohci
+insmod uhci
+insmod usb
+insmod usbms
+insmod part_msdos
+insmod ext2
+insmod lvm
+insmod gcry_rijndael
+insmod gcry_sha256
+insmod luks
+insmod cryptodisk
+# insmod usbserial_pl2303
+# insmod usbserial_ftdi
+# insmod usbserial_usbdebug
+insmod gfxmenu
+insmod gfxterm_menu
+insmod gfxterm_background
+insmod chain
+insmod jpeg
+
+# Serial and keyboard configuration, very important.
+# serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+# terminal_input --append  serial
+# terminal_output --append serial
+terminal_input --append at_keyboard
+terminal_output --append cbmemc
+
+gfxpayload=keep
+terminal_output --append gfxterm
+
+set menu_color_normal=white/black
+set menu_color_highlight=white/cyan
+
+# Default to first option, automatically boot after 1 second
+set default="0>0"
+set timeout=1
+
+# This is useful when using 'cat' on long files on GRUB terminal
+set pager=1
+
+# Set a background image from CBFS
+background_image (cbfsdisk)/background.jpg
+
+# Set DejaVu Sans Mono as the default font
+loadfont (cbfsdisk)/dejavusansmono.pf2
+
+# Default keymap
+keymap usqwerty
+```
+
+And add the following menuentry:
+** THIS IS AN EXAMPLE YOU SHOULD GET IT FROM YOUR ORIGINAL grub.cfg WITH YOUR DISK UUID AND KERNEL VERSIONS **
+```
+menuentry 'Qubes, with Xen hypervisor FDE' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
+	cryptomount -a
+	set root='lvm/qubes_dom0-boot'
+	if [ x$feature_platform_search_hint = xy ]; then
+	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	else
+	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	fi
+	echo	'Loading Xen 4.8.3 ...'
+        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
+            xen_rm_opts=
+        else
+            xen_rm_opts="no-real-mode edd=off"
+        fi
+	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
+	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
+	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
+	echo	'Loading initial ramdisk ...'
+	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
+}
+```
+The only difference with the original is the addition of
+ * cryptomount -a
+ * set root='lvm/qubes_dom0-boot'
+
+
+The below example of .config should work without any modification given that the steps above have been done correctly, however some configurations depends on personal needs and should be changed. Refer to the coreboot wiki for more information https://www.coreboot.org/Coreboot_Options
+
+`~/Build/x220-coreboot/coreboot/.config`
+```
+CONFIG_COREBOOT_BUILD=y
+CONFIG_LOCALVERSION=""
+CONFIG_CBFS_PREFIX="fallback"
+CONFIG_COMPILER_GCC=y
+CONFIG_COMPRESS_RAMSTAGE=y
+CONFIG_INCLUDE_CONFIG_FILE=y
+CONFIG_USE_BLOBS=y
+CONFIG_RELOCATABLE_RAMSTAGE=y
+
+CONFIG_VENDOR_LENOVO=y
+CONFIG_BOARD_SPECIFIC_OPTIONS=y
+CONFIG_MAINBOARD_DIR="lenovo/x220"
+CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X220"
+CONFIG_MAINBOARD_VENDOR="LENOVO"
+CONFIG_MAX_CPUS=8
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
+CONFIG_CBFS_SIZE=0x200000
+CONFIG_VGA_BIOS_ID="8086,0126"
+CONFIG_DIMM_SPD_SIZE=256
+CONFIG_DCACHE_RAM_BASE=0xfefe0000
+CONFIG_DCACHE_RAM_SIZE=0x20000
+CONFIG_VGA_BIOS_FILE="pci8086,0126.rom"
+CONFIG_MAINBOARD_PCI_SUBSYSTEM_VENDOR_ID=0x17aa
+CONFIG_MAINBOARD_PCI_SUBSYSTEM_DEVICE_ID=0x21db
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_DRAM_RESET_GATE_GPIO=10
+CONFIG_DEVICETREE="devicetree.cb"
+CONFIG_MAX_REBOOT_CNT=3
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_USBDEBUG_HCD_INDEX=2
+CONFIG_MMCONF_BASE_ADDRESS=0xf0000000
+CONFIG_TPM_PIRQ=0x0
+CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
+CONFIG_FMDFILE=""
+CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00
+CONFIG_IFD_BIN_PATH="../binaries/descriptor.bin"
+CONFIG_ME_BIN_PATH="../binaries/me_neutered.bin"
+CONFIG_BOARD_LENOVO_X220=y
+CONFIG_CPU_ADDR_BITS=36
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL=8
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_SMBIOS_ENCLOSURE_TYPE=0x09
+CONFIG_BOARD_ROMSIZE_KB_8192=y
+CONFIG_COREBOOT_ROMSIZE_KB_8192=y
+CONFIG_COREBOOT_ROMSIZE_KB=8192
+CONFIG_ROM_SIZE=0x800000
+CONFIG_SYSTEM_TYPE_LAPTOP=y
+
+CONFIG_CPU_SPECIFIC_OPTIONS=y
+CONFIG_RAMTOP=0x200000
+CONFIG_HEAP_SIZE=0x4000
+CONFIG_RAMBASE=0x100000
+CONFIG_EHCI_BAR=0xfef00000
+CONFIG_SERIRQ_CONTINUOUS_MODE=y
+CONFIG_SMM_TSEG_SIZE=0x800000
+CONFIG_ACPI_CPU_STRING="\\_PR.CP%02d"
+CONFIG_BOOTBLOCK_CPU_INIT="cpu/intel/model_206ax/bootblock.c"
+CONFIG_C_ENV_BOOTBLOCK_SIZE=0x10000
+CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y
+CONFIG_ROMSTAGE_ADDR=0x2000000
+CONFIG_VERSTAGE_ADDR=0x2000000
+CONFIG_SPI_FLASH_INCLUDE_ALL_DRIVERS=y
+CONFIG_DCACHE_RAM_MRC_VAR_SIZE=0x0
+CONFIG_PCIEXP_ASPM=y
+CONFIG_PCIEXP_COMMON_CLOCK=y
+CONFIG_BOOTBLOCK_NORTHBRIDGE_INIT="northbridge/intel/sandybridge/bootblock.c"
+CONFIG_BOOTBLOCK_SOUTHBRIDGE_INIT="southbridge/intel/bd82x6x/bootblock.c"
+CONFIG_CACHE_MRC_SIZE_KB=512
+CONFIG_STACK_SIZE=0x1000
+CONFIG_UART_PCI_ADDR=0x0
+
+CONFIG_SOCKET_SPECIFIC_OPTIONS=y
+CONFIG_XIP_ROM_SIZE=0x20000
+CONFIG_NUM_IPI_STARTS=2
+CONFIG_CPU_INTEL_MODEL_206AX=y
+CONFIG_SSE2=y
+CONFIG_CPU_INTEL_SOCKET_RPGA989=y
+CONFIG_CPU_INTEL_COMMON=y
+CONFIG_ENABLE_VMX=y
+CONFIG_UDELAY_TSC=y
+CONFIG_TSC_CONSTANT_RATE=y
+CONFIG_TSC_MONOTONIC_TIMER=y
+CONFIG_TSC_SYNC_MFENCE=y
+CONFIG_LOGICAL_CPUS=y
+CONFIG_SMM_TSEG=y
+CONFIG_SMM_MODULE_HEAP_SIZE=0x4000
+CONFIG_CACHE_AS_RAM=y
+CONFIG_SMP=y
+CONFIG_AP_SIPI_VECTOR=0xfffff000
+CONFIG_MMX=y
+CONFIG_SSE=y
+CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y
+CONFIG_CPU_MICROCODE_CBFS_NONE=y
+
+CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
+CONFIG_USE_NATIVE_RAMINIT=y
+CONFIG_SANDYBRIDGE_IVYBRIDGE_LVDS=y
+CONFIG_IF_NATIVE_VGA_INIT=y
+CONFIG_HPET_ADDRESS=0xfed00000
+CONFIG_HPET_MIN_TICKS=0x80
+CONFIG_MAX_PIRQ_LINKS=4
+
+CONFIG_SOUTHBRIDGE_INTEL_C216=y
+CONFIG_SOUTH_BRIDGE_OPTIONS=y
+CONFIG_LOCK_SPI_FLASH_NONE=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
+CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+
+CONFIG_EC_ACPI=y
+CONFIG_EC_LENOVO_H8=y
+CONFIG_H8_BEEP_ON_DEATH=y
+CONFIG_H8_FLASH_LEDS_ON_DEATH=y
+CONFIG_EC_LENOVO_PMH7=y
+CONFIG_HAVE_INTEL_FIRMWARE=y
+
+CONFIG_CHECK_ME=y
+CONFIG_GBE_BIN_PATH="../binaries/gbe.bin"
+CONFIG_UDK_2013_VERSION=2013
+CONFIG_UDK_2015_VERSION=2015
+CONFIG_UDK_2017_VERSION=2017
+CONFIG_UDK_VERSION=2013
+CONFIG_ARCH_ARMV8_EXTENSION=0
+CONFIG_ARCH_X86=y
+CONFIG_ARCH_BOOTBLOCK_X86_32=y
+CONFIG_ARCH_VERSTAGE_X86_32=y
+CONFIG_ARCH_ROMSTAGE_X86_32=y
+CONFIG_ARCH_RAMSTAGE_X86_32=y
+CONFIG_PC80_SYSTEM=y
+CONFIG_HAVE_CMOS_DEFAULT=y
+CONFIG_CMOS_DEFAULT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.default"
+CONFIG_IOAPIC_INTERRUPTS_ON_FSB=y
+CONFIG_ID_SECTION_OFFSET=0x80
+CONFIG_BOOTBLOCK_SIMPLE=y
+CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
+
+CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y
+CONFIG_HAVE_LINEAR_FRAMEBUFFER=y
+CONFIG_MAINBOARD_HAS_NATIVE_VGA_INIT=y
+CONFIG_MAINBOARD_HAS_LIBGFXINIT=y
+CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y
+
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_LINEAR_FRAMEBUFFER=y
+CONFIG_PCI=y
+CONFIG_MMCONF_SUPPORT=y
+CONFIG_PCIX_PLUGIN_SUPPORT=y
+CONFIG_CARDBUS_PLUGIN_SUPPORT=y
+CONFIG_PCIEXP_PLUGIN_SUPPORT=y
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+
+CONFIG_CACHE_MRC_SETTINGS=y
+CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
+CONFIG_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
+CONFIG_SPI_FLASH_ADESTO=y
+CONFIG_SPI_FLASH_AMIC=y
+CONFIG_SPI_FLASH_ATMEL=y
+CONFIG_SPI_FLASH_EON=y
+CONFIG_SPI_FLASH_GIGADEVICE=y
+CONFIG_SPI_FLASH_MACRONIX=y
+CONFIG_SPI_FLASH_SPANSION=y
+CONFIG_SPI_FLASH_SST=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_SPI_FLASH_WINBOND=y
+CONFIG_NO_UART_ON_SUPERIO=y
+CONFIG_HAVE_USBDEBUG=y
+CONFIG_HAVE_USBDEBUG_OPTIONS=y
+CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
+CONFIG_INTEL_EDID=y
+CONFIG_INTEL_INT15=y
+CONFIG_INTEL_GMA_ACPI=y
+CONFIG_GFX_GMA=y
+CONFIG_GFX_GMA_CPU="Sandybridge"
+CONFIG_GFX_GMA_CPU_VARIANT="Normal"
+CONFIG_GFX_GMA_INTERNAL_IS_LVDS=y
+CONFIG_GFX_GMA_INTERNAL_PORT="LVDS"
+CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC"
+CONFIG_DRIVERS_INTEL_WIFI=y
+CONFIG_DRIVERS_MC146818=y
+CONFIG_LPC_TPM=y
+CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000
+CONFIG_VGA=y
+CONFIG_DRIVERS_RICOH_RCE822=y
+
+CONFIG_MAINBOARD_HAS_LPC_TPM=y
+CONFIG_ACPI_SATA_GENERATOR=y
+CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y
+CONFIG_BOOT_DEVICE_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
+CONFIG_RTC=y
+
+CONFIG_SQUELCH_EARLY_SMP=y
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
+CONFIG_CONSOLE_POST=y
+CONFIG_HWBASE_DEBUG_CB=y
+CONFIG_HAVE_ACPI_RESUME=y
+CONFIG_RESUME_PATH_SAME_AS_BOOT=y
+CONFIG_HAVE_HARD_RESET=y
+CONFIG_HAVE_MONOTONIC_TIMER=y
+CONFIG_HAVE_OPTION_TABLE=y
+CONFIG_HAVE_SMI_HANDLER=y
+CONFIG_IOAPIC=y
+CONFIG_USE_WATCHDOG_ON_BOOT=y
+CONFIG_HAVE_ACPI_TABLES=y
+CONFIG_COMMON_FADT=y
+
+CONFIG_GENERATE_SMBIOS_TABLES=y
+
+CONFIG_PAYLOAD_GRUB2=y
+CONFIG_PAYLOAD_FILE="payloads/external/GRUB2/grub2/build/default_payload.elf"
+CONFIG_GRUB2_STABLE=y
+CONFIG_GRUB2_EXTRA_MODULES="gcry_rijndael gcry_sha256 gcry_seed lvm luks cryptodisk all_video jpeg png cat videoinfo videotest crypto gfxmenu gfxterm_menu gfxterm_background password password_pbkdf2 pbkdf2 usbserial_pl2303 usbserial_ftdi usbserial_usbdebug"
+CONFIG_GRUB2_INCLUDE_RUNTIME_CONFIG_FILE=y
+CONFIG_GRUB2_RUNTIME_CONFIG_FILE="../config/grub.cfg"
+CONFIG_PAYLOAD_OPTIONS=""
+CONFIG_COMPRESSED_PAYLOAD_LZMA=y
+CONFIG_COMPRESS_SECONDARY_PAYLOAD=y
+
+
+CONFIG_HAVE_DEBUG_RAM_SETUP=y
+CONFIG_HAVE_DEBUG_SMBUS=y
+CONFIG_WARNINGS_ARE_ERRORS=y
+CONFIG_EARLY_CBMEM_INIT=y
+CONFIG_RELOCATABLE_MODULES=y
+CONFIG_BOOTBLOCK_CUSTOM=y
+```
+
+Now build coreboot
+```
+./cb-helper build_coreboot
+```
+
+And add the font and tha background image:
+```
+coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/dejavusansmono.pf2 -n dejavusansmono.pf2 -t raw
+coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/bg.jpg -n background.jpg -t raw
+
+```
+
+The file `~/Build/x220-coreboot/out/coreboot.rom` should now be ready for flashing.
+
+## Coreboot flash
+From the RaspberryPi
+```
+flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -w coreboot.rom
+```
+
+(flashrom may sometimes give an error about failing to erase. This is fine as long as the end it prints 'VERIFIED')
+
+ Or from dom0 if you already have flashed coreboot before:
+```
+sudo flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom
+ ```
+
+## Encrypt /boot
+From now on keep in mind that any error may cause data loss. Even not doing any error may cause data loss. Please make a full backup bedofre going on.
+Boot a live archlinux or any other live distro which has cryptsetup, lvm and dd installed. In this part it is assumed the device with Qubes is `/dev/sda`.
+
+```
+fdisk -l /dev/sda
+Device     Boot Start       End			Sectors		Size 	Id Type
+/dev/sda1        2048 		2099199 	2097151 	1.0 G  	83 Linux
+/dev/sda2        2099200 	468862127	466762927 	222.6G 	83 Linux
+
+```
+Take note of the offset values.
+
+Copy on an external device a backup of the boot partition:
+```
+dd if=/dev/sda1 of=/mnt/backup/boot.dd bs=1M status=progress
+```
+
+Using fdisk, cfdisk or parted delete both `sda1` and `sda2` and create a new partition using the whole disk called `sda`.
+
+Now move the old LUKS partition at the beginning of the disk.
+First check that the offsets are correct (source: https://superuser.com/questions/541067/how-to-move-a-partition-in-gnu-linux):
+
+```
+dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 count=100 skip=$((2099199-2048)) seek=0 2> /dev/null | file -s -
+/dev/stdin: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8453f049-6322-4e5d-b05a-a6c4688fd3a5
+```
+
+If the `file` command detect a LUKS encrypted file it should be safe to continue.
+
+```
+dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1  skip=$((2099199-2048)) seek=0 of=/dev/sda1 status=progress
+```
+
+Wait for the process to complete. Do not stop it for any reason.
+
+```
+cryptsetup luksOpen /dev/sda1 qubespv
+pvresize /dev/mapper/qubespv
+lvcreate -n boot -l100%FREE qubes_dom0
+dd if=/mnt/backup/bios.dd of /dev/mapper/qubes_dom0-boot
+```
+
+## Reboot
+Reboot. You should now be prompted two times for your LUKS passphrase: this is because the Grub installed within the Flash has no way to pass the actual passphrase to the kernel. A workaround to this issue is explained here https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)#Bonus:_Using_a_key_file_to_unlock_.2Fboot.2F
+

config/coreboot.config

@@ -0,0 +1,695 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# coreboot configuration
+#
+
+#
+# General setup
+#
+CONFIG_COREBOOT_BUILD=y
+CONFIG_LOCALVERSION=""
+CONFIG_CBFS_PREFIX="fallback"
+CONFIG_COMPILER_GCC=y
+# CONFIG_COMPILER_LLVM_CLANG is not set
+# CONFIG_ANY_TOOLCHAIN is not set
+# CONFIG_CCACHE is not set
+# CONFIG_FMD_GENPARSER is not set
+# CONFIG_UTIL_GENPARSER is not set
+# CONFIG_USE_OPTION_TABLE is not set
+CONFIG_COMPRESS_RAMSTAGE=y
+CONFIG_INCLUDE_CONFIG_FILE=y
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+# CONFIG_COVERAGE is not set
+# CONFIG_UBSAN is not set
+CONFIG_RELOCATABLE_RAMSTAGE=y
+# CONFIG_UPDATE_IMAGE is not set
+# CONFIG_BOOTSPLASH_IMAGE is not set
+
+#
+# Mainboard
+#
+
+#
+# Important: Run 'make distclean' before switching boards
+#
+# CONFIG_VENDOR_AAEON is not set
+# CONFIG_VENDOR_ADI is not set
+# CONFIG_VENDOR_ADLINK is not set
+# CONFIG_VENDOR_ADVANSUS is not set
+# CONFIG_VENDOR_AMD is not set
+# CONFIG_VENDOR_AOPEN is not set
+# CONFIG_VENDOR_APPLE is not set
+# CONFIG_VENDOR_ARTECGROUP is not set
+# CONFIG_VENDOR_ASROCK is not set
+# CONFIG_VENDOR_ASUS is not set
+# CONFIG_VENDOR_AVALUE is not set
+# CONFIG_VENDOR_BACHMANN is not set
+# CONFIG_VENDOR_BAP is not set
+# CONFIG_VENDOR_BCOM is not set
+# CONFIG_VENDOR_BIOSTAR is not set
+# CONFIG_VENDOR_BROADCOM is not set
+# CONFIG_VENDOR_COMPULAB is not set
+# CONFIG_VENDOR_CUBIETECH is not set
+# CONFIG_VENDOR_DIGITALLOGIC is not set
+# CONFIG_VENDOR_ELMEX is not set
+# CONFIG_VENDOR_EMULATION is not set
+# CONFIG_VENDOR_ESD is not set
+# CONFIG_VENDOR_FOXCONN is not set
+# CONFIG_VENDOR_GETAC is not set
+# CONFIG_VENDOR_GIGABYTE is not set
+# CONFIG_VENDOR_GIZMOSPHERE is not set
+# CONFIG_VENDOR_GOOGLE is not set
+# CONFIG_VENDOR_HP is not set
+# CONFIG_VENDOR_IBASE is not set
+# CONFIG_VENDOR_IEI is not set
+# CONFIG_VENDOR_INTEL is not set
+# CONFIG_VENDOR_IWILL is not set
+# CONFIG_VENDOR_JETWAY is not set
+# CONFIG_VENDOR_KONTRON is not set
+CONFIG_VENDOR_LENOVO=y
+# CONFIG_VENDOR_LINUTOP is not set
+# CONFIG_VENDOR_LIPPERT is not set
+# CONFIG_VENDOR_LOWRISC is not set
+# CONFIG_VENDOR_MSI is not set
+# CONFIG_VENDOR_NVIDIA is not set
+# CONFIG_VENDOR_PACKARDBELL is not set
+# CONFIG_VENDOR_PCENGINES is not set
+# CONFIG_VENDOR_PURISM is not set
+# CONFIG_VENDOR_RODA is not set
+# CONFIG_VENDOR_SAMSUNG is not set
+# CONFIG_VENDOR_SAPPHIRE is not set
+# CONFIG_VENDOR_SCALEWAY is not set
+# CONFIG_VENDOR_SIEMENS is not set
+# CONFIG_VENDOR_SUNW is not set
+# CONFIG_VENDOR_SUPERMICRO is not set
+# CONFIG_VENDOR_TECHNEXION is not set
+# CONFIG_VENDOR_TI is not set
+# CONFIG_VENDOR_TRAVERSE is not set
+# CONFIG_VENDOR_TYAN is not set
+# CONFIG_VENDOR_VIA is not set
+# CONFIG_VENDOR_WINENT is not set
+# CONFIG_VENDOR_WINNET is not set
+CONFIG_BOARD_SPECIFIC_OPTIONS=y
+CONFIG_MAINBOARD_DIR="lenovo/x220"
+CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X220"
+CONFIG_MAINBOARD_VENDOR="LENOVO"
+CONFIG_MAX_CPUS=8
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
+CONFIG_CBFS_SIZE=0x200000
+CONFIG_VGA_BIOS_ID="8086,0126"
+# CONFIG_ONBOARD_VGA_IS_PRIMARY is not set
+CONFIG_DIMM_SPD_SIZE=256
+# CONFIG_VGA_BIOS is not set
+CONFIG_DCACHE_RAM_BASE=0xfefe0000
+CONFIG_DCACHE_RAM_SIZE=0x20000
+CONFIG_VGA_BIOS_FILE="pci8086,0126.rom"
+CONFIG_MAINBOARD_PCI_SUBSYSTEM_VENDOR_ID=0x17aa
+CONFIG_MAINBOARD_PCI_SUBSYSTEM_DEVICE_ID=0x21db
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_DRAM_RESET_GATE_GPIO=10
+# CONFIG_POST_IO is not set
+CONFIG_DEVICETREE="devicetree.cb"
+CONFIG_MAX_REBOOT_CNT=3
+CONFIG_HAVE_GBE_BIN=y
+CONFIG_USBDEBUG_HCD_INDEX=2
+CONFIG_MMCONF_BASE_ADDRESS=0xf0000000
+# CONFIG_POST_DEVICE is not set
+# CONFIG_VBOOT is not set
+CONFIG_TPM_PIRQ=0x0
+CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
+CONFIG_FMDFILE=""
+CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00
+# CONFIG_DRIVERS_UART_8250IO is not set
+CONFIG_IFD_BIN_PATH="../binaries/descriptor.bin"
+CONFIG_ME_BIN_PATH="../binaries/me_neutered.bin"
+# CONFIG_BOARD_LENOVO_G505S is not set
+# CONFIG_BOARD_LENOVO_L520 is not set
+# CONFIG_BOARD_LENOVO_R400 is not set
+# CONFIG_BOARD_LENOVO_S230U is not set
+# CONFIG_BOARD_LENOVO_T400 is not set
+# CONFIG_BOARD_LENOVO_T420 is not set
+# CONFIG_BOARD_LENOVO_T420S is not set
+# CONFIG_BOARD_LENOVO_THINKPAD_T430 is not set
+# CONFIG_BOARD_LENOVO_T430S is not set
+# CONFIG_BOARD_LENOVO_T500 is not set
+# CONFIG_BOARD_LENOVO_T520 is not set
+# CONFIG_BOARD_LENOVO_T530 is not set
+# CONFIG_BOARD_LENOVO_T60 is not set
+# CONFIG_BOARD_LENOVO_X131E is not set
+# CONFIG_BOARD_LENOVO_X1_CARBON_GEN1 is not set
+# CONFIG_BOARD_LENOVO_X200 is not set
+# CONFIG_BOARD_LENOVO_X201 is not set
+CONFIG_BOARD_LENOVO_X220=y
+# CONFIG_BOARD_LENOVO_X220I is not set
+# CONFIG_BOARD_LENOVO_X230 is not set
+# CONFIG_BOARD_LENOVO_X60 is not set
+# CONFIG_BOARD_LENOVO_Z61T is not set
+CONFIG_CPU_ADDR_BITS=36
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL=8
+# CONFIG_USBDEBUG is not set
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+# CONFIG_PCIEXP_L1_SUB_STATE is not set
+# CONFIG_NO_POST is not set
+CONFIG_SMBIOS_ENCLOSURE_TYPE=0x09
+CONFIG_BOARD_ROMSIZE_KB_8192=y
+# CONFIG_COREBOOT_ROMSIZE_KB_64 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_128 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_256 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_512 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_1024 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_2048 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_4096 is not set
+CONFIG_COREBOOT_ROMSIZE_KB_8192=y
+# CONFIG_COREBOOT_ROMSIZE_KB_10240 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_12288 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_16384 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_32768 is not set
+# CONFIG_COREBOOT_ROMSIZE_KB_65536 is not set
+CONFIG_COREBOOT_ROMSIZE_KB=8192
+CONFIG_ROM_SIZE=0x800000
+CONFIG_SYSTEM_TYPE_LAPTOP=y
+# CONFIG_CBFS_AUTOGEN_ATTRIBUTES is not set
+
+#
+# Chipset
+#
+
+#
+# SoC
+#
+CONFIG_CPU_SPECIFIC_OPTIONS=y
+CONFIG_RAMTOP=0x200000
+CONFIG_HEAP_SIZE=0x4000
+CONFIG_RAMBASE=0x100000
+CONFIG_EHCI_BAR=0xfef00000
+CONFIG_SERIRQ_CONTINUOUS_MODE=y
+CONFIG_SMM_TSEG_SIZE=0x800000
+CONFIG_ACPI_CPU_STRING="\\_PR.CP%02d"
+# CONFIG_SOC_BROADCOM_CYGNUS is not set
+CONFIG_BOOTBLOCK_CPU_INIT="cpu/intel/model_206ax/bootblock.c"
+# CONFIG_SOC_INTEL_GLK is not set
+CONFIG_C_ENV_BOOTBLOCK_SIZE=0x10000
+CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y
+CONFIG_ROMSTAGE_ADDR=0x2000000
+CONFIG_VERSTAGE_ADDR=0x2000000
+CONFIG_SPI_FLASH_INCLUDE_ALL_DRIVERS=y
+CONFIG_DCACHE_RAM_MRC_VAR_SIZE=0x0
+# CONFIG_BUILD_WITH_FAKE_IFD is not set
+CONFIG_PCIEXP_ASPM=y
+CONFIG_PCIEXP_COMMON_CLOCK=y
+# CONFIG_PCIEXP_CLK_PM is not set
+CONFIG_BOOTBLOCK_NORTHBRIDGE_INIT="northbridge/intel/sandybridge/bootblock.c"
+CONFIG_BOOTBLOCK_SOUTHBRIDGE_INIT="southbridge/intel/bd82x6x/bootblock.c"
+CONFIG_CACHE_MRC_SIZE_KB=512
+CONFIG_STACK_SIZE=0x1000
+# CONFIG_CONSOLE_CBMEM is not set
+CONFIG_UART_PCI_ADDR=0x0
+# CONFIG_SOC_INTEL_KABYLAKE is not set
+# CONFIG_SOC_LOWRISC_LOWRISC is not set
+# CONFIG_SOC_MARVELL_MVMAP2315 is not set
+# CONFIG_SOC_MEDIATEK_MT8173 is not set
+# CONFIG_SOC_NVIDIA_TEGRA124 is not set
+# CONFIG_SOC_NVIDIA_TEGRA210 is not set
+# CONFIG_SOC_QC_IPQ40XX is not set
+# CONFIG_SOC_QC_IPQ806X is not set
+# CONFIG_SOC_ROCKCHIP_RK3288 is not set
+# CONFIG_SOC_ROCKCHIP_RK3399 is not set
+# CONFIG_CPU_SAMSUNG_EXYNOS5250 is not set
+# CONFIG_CPU_SAMSUNG_EXYNOS5420 is not set
+# CONFIG_SOC_UCB_RISCV is not set
+
+#
+# CPU
+#
+# CONFIG_CPU_ALLWINNER_A10 is not set
+CONFIG_SOCKET_SPECIFIC_OPTIONS=y
+CONFIG_XIP_ROM_SIZE=0x20000
+CONFIG_NUM_IPI_STARTS=2
+# CONFIG_CPU_AMD_AGESA is not set
+# CONFIG_CPU_AMD_PI is not set
+# CONFIG_CPU_ARMLTD_CORTEX_A9 is not set
+CONFIG_CPU_INTEL_MODEL_206AX=y
+CONFIG_SSE2=y
+CONFIG_CPU_INTEL_SOCKET_RPGA989=y
+# CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE is not set
+# CONFIG_CPU_INTEL_TURBO_NOT_PACKAGE_SCOPED is not set
+CONFIG_CPU_INTEL_COMMON=y
+CONFIG_ENABLE_VMX=y
+# CONFIG_SET_VMX_LOCK_BIT is not set
+# CONFIG_CPU_TI_AM335X is not set
+# CONFIG_PARALLEL_CPU_INIT is not set
+# CONFIG_PARALLEL_MP is not set
+# CONFIG_UDELAY_IO is not set
+# CONFIG_UDELAY_LAPIC is not set
+CONFIG_UDELAY_TSC=y
+CONFIG_TSC_CONSTANT_RATE=y
+CONFIG_TSC_MONOTONIC_TIMER=y
+# CONFIG_UDELAY_TIMER2 is not set
+# CONFIG_TSC_SYNC_LFENCE is not set
+CONFIG_TSC_SYNC_MFENCE=y
+# CONFIG_NO_FIXED_XIP_ROM_SIZE is not set
+CONFIG_LOGICAL_CPUS=y
+CONFIG_SMM_TSEG=y
+CONFIG_SMM_MODULE_HEAP_SIZE=0x4000
+# CONFIG_SMM_LAPIC_REMAP_MITIGATION is not set
+# CONFIG_SERIALIZED_SMM_INITIALIZATION is not set
+# CONFIG_X86_AMD_FIXED_MTRRS is not set
+# CONFIG_PLATFORM_USES_FSP1_0 is not set
+# CONFIG_MIRROR_PAYLOAD_TO_RAM_BEFORE_LOADING is not set
+# CONFIG_SOC_SETS_MSRS is not set
+CONFIG_CACHE_AS_RAM=y
+# CONFIG_NO_CAR_GLOBAL_MIGRATION is not set
+CONFIG_SMP=y
+CONFIG_AP_SIPI_VECTOR=0xfffff000
+CONFIG_MMX=y
+CONFIG_SSE=y
+CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y
+# CONFIG_USES_MICROCODE_HEADER_FILES is not set
+# CONFIG_CPU_MICROCODE_CBFS_GENERATE is not set
+# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
+CONFIG_CPU_MICROCODE_CBFS_NONE=y
+
+#
+# Northbridge
+#
+# CONFIG_NORTHBRIDGE_AMD_AGESA is not set
+# CONFIG_NO_MMCONF_SUPPORT is not set
+# CONFIG_AMD_NB_CIMX is not set
+# CONFIG_NORTHBRIDGE_AMD_CIMX_RD890 is not set
+# CONFIG_NORTHBRIDGE_AMD_PI is not set
+# CONFIG_NORTHBRIDGE_INTEL_COMMON_MRC_CACHE is not set
+CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
+CONFIG_USE_NATIVE_RAMINIT=y
+# CONFIG_NATIVE_RAMINIT_IGNORE_MAX_MEM_FUSES is not set
+# CONFIG_NATIVE_RAMINIT_IGNORE_XMP_MAX_DIMMS is not set
+CONFIG_SANDYBRIDGE_IVYBRIDGE_LVDS=y
+CONFIG_IF_NATIVE_VGA_INIT=y
+CONFIG_HPET_ADDRESS=0xfed00000
+CONFIG_HPET_MIN_TICKS=0x80
+CONFIG_MAX_PIRQ_LINKS=4
+
+#
+# Southbridge
+#
+# CONFIG_AMD_SB_CIMX is not set
+# CONFIG_SOUTHBRIDGE_AMD_CIMX_SB800 is not set
+# CONFIG_SOUTHBRIDGE_AMD_CIMX_SB900 is not set
+CONFIG_SOUTHBRIDGE_INTEL_C216=y
+CONFIG_SOUTH_BRIDGE_OPTIONS=y
+CONFIG_LOCK_SPI_FLASH_NONE=y
+# CONFIG_LOCK_SPI_FLASH_RO is not set
+# CONFIG_LOCK_SPI_FLASH_NO_ACCESS is not set
+CONFIG_SOUTHBRIDGE_INTEL_COMMON=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
+CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_LOCK_MANAGEMENT_ENGINE is not set
+
+#
+# Super I/O
+#
+# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
+
+#
+# Embedded Controllers
+#
+CONFIG_EC_ACPI=y
+CONFIG_EC_LENOVO_H8=y
+CONFIG_H8_BEEP_ON_DEATH=y
+CONFIG_H8_FLASH_LEDS_ON_DEATH=y
+# CONFIG_H8_SUPPORT_BT_ON_WIFI is not set
+CONFIG_EC_LENOVO_PMH7=y
+CONFIG_HAVE_INTEL_FIRMWARE=y
+
+#
+# Intel Firmware
+#
+# CONFIG_EM100 is not set
+CONFIG_CHECK_ME=y
+# CONFIG_USE_ME_CLEANER is not set
+CONFIG_GBE_BIN_PATH="../binaries/gbe.bin"
+# CONFIG_HAVE_EC_BIN is not set
+# CONFIG_MAINBOARD_HAS_CHROMEOS is not set
+# CONFIG_GOOGLE_SMBIOS_MAINBOARD_VERSION is not set
+# CONFIG_UEFI_2_4_BINDING is not set
+# CONFIG_UDK_2015_BINDING is not set
+# CONFIG_UDK_2017_BINDING is not set
+CONFIG_UDK_2013_VERSION=2013
+CONFIG_UDK_2015_VERSION=2015
+CONFIG_UDK_2017_VERSION=2017
+CONFIG_UDK_VERSION=2013
+# CONFIG_USE_SIEMENS_HWILIB is not set
+# CONFIG_ARCH_ARM is not set
+# CONFIG_ARCH_BOOTBLOCK_ARM is not set
+# CONFIG_ARCH_VERSTAGE_ARM is not set
+# CONFIG_ARCH_ROMSTAGE_ARM is not set
+# CONFIG_ARCH_RAMSTAGE_ARM is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV4 is not set
+# CONFIG_ARCH_VERSTAGE_ARMV4 is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV4 is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV4 is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV7 is not set
+# CONFIG_ARCH_VERSTAGE_ARMV7 is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV7 is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV7 is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV7_M is not set
+# CONFIG_ARCH_VERSTAGE_ARMV7_M is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV7_R is not set
+# CONFIG_ARCH_VERSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV7_R is not set
+# CONFIG_ARM_LPAE is not set
+# CONFIG_ARCH_ARM64 is not set
+# CONFIG_ARCH_BOOTBLOCK_ARM64 is not set
+# CONFIG_ARCH_VERSTAGE_ARM64 is not set
+# CONFIG_ARCH_ROMSTAGE_ARM64 is not set
+# CONFIG_ARCH_RAMSTAGE_ARM64 is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV8_64 is not set
+# CONFIG_ARCH_VERSTAGE_ARMV8_64 is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV8_64 is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV8_64 is not set
+CONFIG_ARCH_ARMV8_EXTENSION=0
+# CONFIG_ARM64_A53_ERRATUM_843419 is not set
+# CONFIG_ARCH_MIPS is not set
+# CONFIG_ARCH_BOOTBLOCK_MIPS is not set
+# CONFIG_ARCH_VERSTAGE_MIPS is not set
+# CONFIG_ARCH_ROMSTAGE_MIPS is not set
+# CONFIG_ARCH_RAMSTAGE_MIPS is not set
+# CONFIG_ARCH_POWER8 is not set
+# CONFIG_ARCH_BOOTBLOCK_POWER8 is not set
+# CONFIG_ARCH_VERSTAGE_POWER8 is not set
+# CONFIG_ARCH_ROMSTAGE_POWER8 is not set
+# CONFIG_ARCH_RAMSTAGE_POWER8 is not set
+# CONFIG_ARCH_RISCV is not set
+# CONFIG_ARCH_RISCV_COMPRESSED is not set
+# CONFIG_ARCH_BOOTBLOCK_RISCV is not set
+# CONFIG_ARCH_VERSTAGE_RISCV is not set
+# CONFIG_ARCH_ROMSTAGE_RISCV is not set
+# CONFIG_ARCH_RAMSTAGE_RISCV is not set
+CONFIG_ARCH_X86=y
+CONFIG_ARCH_BOOTBLOCK_X86_32=y
+CONFIG_ARCH_VERSTAGE_X86_32=y
+CONFIG_ARCH_ROMSTAGE_X86_32=y
+CONFIG_ARCH_RAMSTAGE_X86_32=y
+# CONFIG_ARCH_BOOTBLOCK_X86_64 is not set
+# CONFIG_ARCH_VERSTAGE_X86_64 is not set
+# CONFIG_ARCH_ROMSTAGE_X86_64 is not set
+# CONFIG_ARCH_RAMSTAGE_X86_64 is not set
+# CONFIG_USE_MARCH_586 is not set
+# CONFIG_AP_IN_SIPI_WAIT is not set
+# CONFIG_SIPI_VECTOR_IN_ROM is not set
+# CONFIG_ROMCC is not set
+# CONFIG_CBMEM_TOP_BACKUP is not set
+# CONFIG_LATE_CBMEM_INIT is not set
+# CONFIG_EARLY_EBDA_INIT is not set
+CONFIG_PC80_SYSTEM=y
+# CONFIG_BOOTBLOCK_DEBUG_SPINLOOP is not set
+# CONFIG_BOOTBLOCK_SAVE_BIST_AND_TIMESTAMP is not set
+CONFIG_HAVE_CMOS_DEFAULT=y
+CONFIG_CMOS_DEFAULT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.default"
+CONFIG_IOAPIC_INTERRUPTS_ON_FSB=y
+# CONFIG_IOAPIC_INTERRUPTS_ON_APIC_SERIAL_BUS is not set
+CONFIG_ID_SECTION_OFFSET=0x80
+# CONFIG_POSTCAR_STAGE is not set
+# CONFIG_VERSTAGE_DEBUG_SPINLOOP is not set
+# CONFIG_ROMSTAGE_DEBUG_SPINLOOP is not set
+CONFIG_BOOTBLOCK_SIMPLE=y
+# CONFIG_BOOTBLOCK_NORMAL is not set
+CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
+
+#
+# Devices
+#
+CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y
+CONFIG_HAVE_LINEAR_FRAMEBUFFER=y
+CONFIG_MAINBOARD_HAS_NATIVE_VGA_INIT=y
+# CONFIG_MAINBOARD_FORCE_NATIVE_VGA_INIT is not set
+CONFIG_MAINBOARD_HAS_LIBGFXINIT=y
+CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y
+# CONFIG_MAINBOARD_USE_LIBGFXINIT is not set
+# CONFIG_VGA_ROM_RUN is not set
+# CONFIG_NO_GFX_INIT is not set
+# CONFIG_MULTIPLE_VGA_ADAPTERS is not set
+
+#
+# Display
+#
+# CONFIG_VGA_TEXT_FRAMEBUFFER is not set
+CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
+CONFIG_LINEAR_FRAMEBUFFER=y
+# CONFIG_SMBUS_HAS_AUX_CHANNELS is not set
+CONFIG_PCI=y
+CONFIG_MMCONF_SUPPORT=y
+# CONFIG_HYPERTRANSPORT_PLUGIN_SUPPORT is not set
+CONFIG_PCIX_PLUGIN_SUPPORT=y
+CONFIG_CARDBUS_PLUGIN_SUPPORT=y
+# CONFIG_AZALIA_PLUGIN_SUPPORT is not set
+CONFIG_PCIEXP_PLUGIN_SUPPORT=y
+# CONFIG_EARLY_PCI_BRIDGE is not set
+CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
+CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
+# CONFIG_INTEL_GMA_ADD_VBT_DATA_FILE is not set
+# CONFIG_SOFTWARE_I2C is not set
+
+#
+# Generic Drivers
+#
+# CONFIG_DRIVERS_AS3722_RTC is not set
+# CONFIG_GIC is not set
+# CONFIG_IPMI_KCS is not set
+# CONFIG_DRIVERS_LENOVO_WACOM is not set
+CONFIG_CACHE_MRC_SETTINGS=y
+CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
+# CONFIG_MRC_SETTINGS_PROTECT is not set
+# CONFIG_HAS_RECOVERY_MRC_CACHE is not set
+# CONFIG_MRC_CLEAR_NORMAL_CACHE_ON_RECOVERY_RETRAIN is not set
+# CONFIG_MRC_SETTINGS_VARIABLE_DATA is not set
+# CONFIG_MRC_WRITE_NV_LATE is not set
+# CONFIG_RT8168_GET_MAC_FROM_VPD is not set
+# CONFIG_RT8168_SET_LED_MODE is not set
+CONFIG_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
+# CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY is not set
+# CONFIG_SPI_FLASH_SMM is not set
+# CONFIG_SPI_FLASH_NO_FAST_READ is not set
+CONFIG_SPI_FLASH_ADESTO=y
+CONFIG_SPI_FLASH_AMIC=y
+CONFIG_SPI_FLASH_ATMEL=y
+CONFIG_SPI_FLASH_EON=y
+CONFIG_SPI_FLASH_GIGADEVICE=y
+CONFIG_SPI_FLASH_MACRONIX=y
+CONFIG_SPI_FLASH_SPANSION=y
+CONFIG_SPI_FLASH_SST=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_SPI_FLASH_WINBOND=y
+# CONFIG_SPI_FLASH_FAST_READ_DUAL_OUTPUT_3B is not set
+# CONFIG_SPI_FLASH_HAS_VOLATILE_GROUP is not set
+# CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
+# CONFIG_DRIVERS_UART is not set
+CONFIG_NO_UART_ON_SUPERIO=y
+# CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
+# CONFIG_UART_OVERRIDE_REFCLK is not set
+# CONFIG_DRIVERS_UART_8250MEM is not set
+# CONFIG_DRIVERS_UART_8250MEM_32 is not set
+# CONFIG_HAVE_UART_SPECIAL is not set
+# CONFIG_DRIVERS_UART_OXPCIE is not set
+# CONFIG_DRIVERS_UART_PL011 is not set
+# CONFIG_UART_USE_REFCLK_AS_INPUT_CLOCK is not set
+CONFIG_HAVE_USBDEBUG=y
+CONFIG_HAVE_USBDEBUG_OPTIONS=y
+# CONFIG_DRIVERS_AMD_PI is not set
+CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
+# CONFIG_DRIVERS_I2C_MAX98373 is not set
+# CONFIG_DRIVERS_I2C_MAX98927 is not set
+# CONFIG_DRIVERS_I2C_PCA9538 is not set
+# CONFIG_DRIVERS_I2C_PCF8523 is not set
+# CONFIG_DRIVERS_I2C_RT5663 is not set
+# CONFIG_DRIVERS_I2C_RTD2132 is not set
+# CONFIG_DRIVERS_I2C_RX6110SA is not set
+# CONFIG_MAINBOARD_HAS_I2C_TPM_ATMEL is not set
+# CONFIG_MAINBOARD_HAS_I2C_TPM_CR50 is not set
+# CONFIG_PLATFORM_USES_FSP2_0 is not set
+# CONFIG_INTEL_DDI is not set
+CONFIG_INTEL_EDID=y
+CONFIG_INTEL_INT15=y
+CONFIG_INTEL_GMA_ACPI=y
+# CONFIG_INTEL_GMA_SSC_ALTERNATE_REF is not set
+# CONFIG_INTEL_GMA_SWSMISCI is not set
+CONFIG_GFX_GMA=y
+CONFIG_GFX_GMA_CPU="Sandybridge"
+CONFIG_GFX_GMA_CPU_VARIANT="Normal"
+# CONFIG_GFX_GMA_INTERNAL_IS_EDP is not set
+CONFIG_GFX_GMA_INTERNAL_IS_LVDS=y
+CONFIG_GFX_GMA_INTERNAL_PORT="LVDS"
+CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC"
+# CONFIG_DRIVER_INTEL_I210 is not set
+# CONFIG_DRIVERS_INTEL_MIPI_CAMERA is not set
+CONFIG_DRIVERS_INTEL_WIFI=y
+# CONFIG_USE_SAR is not set
+# CONFIG_DRIVERS_LENOVO_HYBRID_GRAPHICS is not set
+# CONFIG_DRIVER_MAXIM_MAX77686 is not set
+# CONFIG_DRIVER_PARADE_PS8625 is not set
+# CONFIG_DRIVER_PARADE_PS8640 is not set
+CONFIG_DRIVERS_MC146818=y
+CONFIG_LPC_TPM=y
+CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000
+# CONFIG_TPM_INIT_FAILURE_IS_FATAL is not set
+# CONFIG_SKIP_TPM_STARTUP_ON_NORMAL_BOOT is not set
+# CONFIG_TPM_DEACTIVATE is not set
+CONFIG_VGA=y
+CONFIG_DRIVERS_RICOH_RCE822=y
+# CONFIG_DRIVER_SIEMENS_NC_FPGA is not set
+# CONFIG_NC_FPGA_NOTIFY_CB_READY is not set
+# CONFIG_DRIVERS_SIL_3114 is not set
+# CONFIG_MAINBOARD_HAS_SPI_TPM_CR50 is not set
+# CONFIG_DRIVER_TI_TPS65090 is not set
+# CONFIG_DRIVERS_TI_TPS65913 is not set
+# CONFIG_DRIVERS_TI_TPS65913_RTC is not set
+# CONFIG_DRIVER_XPOWERS_AXP209 is not set
+# CONFIG_COMMONLIB_STORAGE is not set
+
+#
+# Security
+#
+
+#
+# Verified Boot (vboot)
+#
+
+#
+# Trusted Platform Module
+#
+# CONFIG_TPM is not set
+# CONFIG_MAINBOARD_HAS_TPM_CR50 is not set
+CONFIG_MAINBOARD_HAS_LPC_TPM=y
+# CONFIG_MAINBOARD_HAS_TPM2 is not set
+CONFIG_ACPI_SATA_GENERATOR=y
+CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y
+# CONFIG_ACPI_AMD_HARDWARE_SLEEP_VALUES is not set
+# CONFIG_BOOT_DEVICE_NOT_SPI_FLASH is not set
+CONFIG_BOOT_DEVICE_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
+# CONFIG_BOOT_DEVICE_SUPPORTS_WRITES is not set
+CONFIG_RTC=y
+
+#
+# Console
+#
+CONFIG_SQUELCH_EARLY_SMP=y
+# CONFIG_SPKMODEM is not set
+# CONFIG_CONSOLE_NE2K is not set
+# CONFIG_CONSOLE_SPI_FLASH is not set
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_7 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_4 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_3 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_2 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_1 is not set
+# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0 is not set
+# CONFIG_CMOS_POST is not set
+CONFIG_CONSOLE_POST=y
+# CONFIG_NO_EARLY_BOOTBLOCK_POSTCODES is not set
+CONFIG_HWBASE_DEBUG_CB=y
+CONFIG_HAVE_ACPI_RESUME=y
+# CONFIG_ACPI_HUGE_LOWMEM_BACKUP is not set
+CONFIG_RESUME_PATH_SAME_AS_BOOT=y
+CONFIG_HAVE_HARD_RESET=y
+# CONFIG_HAVE_ROMSTAGE_CONSOLE_SPINLOCK is not set
+# CONFIG_HAVE_ROMSTAGE_NVRAM_CBFS_SPINLOCK is not set
+# CONFIG_HAVE_ROMSTAGE_MICROCODE_CBFS_SPINLOCK is not set
+CONFIG_HAVE_MONOTONIC_TIMER=y
+# CONFIG_GENERIC_UDELAY is not set
+# CONFIG_TIMER_QUEUE is not set
+CONFIG_HAVE_OPTION_TABLE=y
+# CONFIG_PIRQ_ROUTE is not set
+CONFIG_HAVE_SMI_HANDLER=y
+# CONFIG_PCI_IO_CFG_EXT is not set
+CONFIG_IOAPIC=y
+CONFIG_USE_WATCHDOG_ON_BOOT=y
+# CONFIG_GFXUMA is not set
+CONFIG_HAVE_ACPI_TABLES=y
+CONFIG_COMMON_FADT=y
+# CONFIG_ACPI_NHLT is not set
+
+#
+# System tables
+#
+# CONFIG_GENERATE_MP_TABLE is not set
+# CONFIG_GENERATE_PIRQ_TABLE is not set
+CONFIG_GENERATE_SMBIOS_TABLES=y
+
+#
+# Payload
+#
+# CONFIG_PAYLOAD_NONE is not set
+# CONFIG_PAYLOAD_ELF is not set
+# CONFIG_PAYLOAD_BAYOU is not set
+# CONFIG_PAYLOAD_FILO is not set
+CONFIG_PAYLOAD_GRUB2=y
+# CONFIG_PAYLOAD_SEABIOS is not set
+# CONFIG_PAYLOAD_UBOOT is not set
+# CONFIG_PAYLOAD_LINUX is not set
+# CONFIG_PAYLOAD_TIANOCORE is not set
+CONFIG_PAYLOAD_FILE="payloads/external/GRUB2/grub2/build/default_payload.elf"
+CONFIG_GRUB2_STABLE=y
+# CONFIG_GRUB2_MASTER is not set
+# CONFIG_GRUB2_REVISION is not set
+CONFIG_GRUB2_EXTRA_MODULES="gcry_rijndael gcry_sha256 gcry_seed lvm luks cryptodisk all_video jpeg png cat videoinfo videotest crypto gfxmenu gfxterm_menu gfxterm_background password password_pbkdf2 pbkdf2 usbserial_pl2303 usbserial_ftdi usbserial_usbdebug"
+CONFIG_GRUB2_INCLUDE_RUNTIME_CONFIG_FILE=y
+CONFIG_GRUB2_RUNTIME_CONFIG_FILE="../config/grub.cfg"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_COMPRESSED_PAYLOAD_LZMA=y
+# CONFIG_COMPRESSED_PAYLOAD_LZ4 is not set
+# CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
+CONFIG_COMPRESS_SECONDARY_PAYLOAD=y
+
+#
+# Secondary Payloads
+#
+# CONFIG_COREINFO_SECONDARY_PAYLOAD is not set
+# CONFIG_MEMTEST_SECONDARY_PAYLOAD is not set
+# CONFIG_NVRAMCUI_SECONDARY_PAYLOAD is not set
+# CONFIG_TINT_SECONDARY_PAYLOAD is not set
+
+#
+# Debugging
+#
+# CONFIG_FATAL_ASSERTS is not set
+# CONFIG_DEBUG_CBFS is not set
+CONFIG_HAVE_DEBUG_RAM_SETUP=y
+# CONFIG_DEBUG_RAM_SETUP is not set
+# CONFIG_HAVE_DEBUG_CAR is not set
+CONFIG_HAVE_DEBUG_SMBUS=y
+# CONFIG_DEBUG_SMBUS is not set
+# CONFIG_DEBUG_SMI is not set
+# CONFIG_DEBUG_SMM_RELOCATION is not set
+# CONFIG_DEBUG_MALLOC is not set
+# CONFIG_DEBUG_ACPI is not set
+# CONFIG_DEBUG_SPI_FLASH is not set
+# CONFIG_TRACE is not set
+# CONFIG_DEBUG_BOOT_STATE is not set
+# CONFIG_DEBUG_ADA_CODE is not set
+# CONFIG_ENABLE_APIC_EXT_ID is not set
+CONFIG_WARNINGS_ARE_ERRORS=y
+# CONFIG_POWER_BUTTON_DEFAULT_ENABLE is not set
+# CONFIG_POWER_BUTTON_DEFAULT_DISABLE is not set
+# CONFIG_POWER_BUTTON_FORCE_ENABLE is not set
+# CONFIG_POWER_BUTTON_FORCE_DISABLE is not set
+# CONFIG_POWER_BUTTON_IS_OPTIONAL is not set
+# CONFIG_REG_SCRIPT is not set
+# CONFIG_CREATE_BOARD_CHECKLIST is not set
+# CONFIG_MAKE_CHECKLIST_PUBLIC is not set
+# CONFIG_NO_XIP_EARLY_STAGES is not set
+CONFIG_EARLY_CBMEM_INIT=y
+# CONFIG_EARLY_CBMEM_LIST is not set
+CONFIG_RELOCATABLE_MODULES=y
+CONFIG_BOOTBLOCK_CUSTOM=y

config/grub.cfg

@@ -0,0 +1,271 @@
+set prefix=(memdisk)/boot/grub
+
+insmod nativedisk
+insmod ehci
+insmod ohci
+insmod uhci
+insmod usb
+insmod usbms
+insmod part_msdos
+insmod ext2
+insmod lvm
+insmod gcry_rijndael
+insmod gcry_sha256
+insmod luks
+insmod cryptodisk
+# insmod usbserial_pl2303
+# insmod usbserial_ftdi
+# insmod usbserial_usbdebug
+insmod gfxmenu
+insmod gfxterm_menu
+insmod gfxterm_background
+insmod chain
+insmod jpeg
+
+# Serial and keyboard configuration, very important.
+# serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
+# terminal_input --append  serial
+# terminal_output --append serial
+terminal_input --append at_keyboard
+terminal_output --append cbmemc
+
+gfxpayload=keep
+terminal_output --append gfxterm
+
+set menu_color_normal=white/black
+set menu_color_highlight=white/cyan
+
+# Default to first option, automatically boot after 1 second
+set default="0>0"
+set timeout=1
+
+# This is useful when using 'cat' on long files on GRUB terminal
+set pager=1
+
+# Set a background image from CBFS
+background_image (cbfsdisk)/background.jpg
+
+# Set DejaVu Sans Mono as the default font
+loadfont (cbfsdisk)/dejavusansmono.pf2
+
+# Default keymap
+keymap usqwerty
+
+function try_user_config {
+    set root="${1}"
+    for dir in boot grub grub2 boot/grub boot/grub2; do
+        for name in '' autoboot_ libreboot_ coreboot_; do
+            if [ -f /"${dir}"/"${name}"grub.cfg ]; then
+                unset superusers
+                configfile /"${dir}"/"${name}"grub.cfg
+            fi
+        done
+    done
+}
+function search_grub {
+    for i in 0 1; do
+        # raw devices
+        try_user_config "(${1}${i})"
+        for part in 1 2 3 4 5; do
+            # MBR/GPT partitions
+            try_user_config "(${1}${i},${part})"
+        done
+    done
+}
+function try_isolinux_config {
+    set root="${1}"
+    for dir in '' /boot; do
+        if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
+            syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
+        elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
+            syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
+        fi
+    done
+}
+function search_isolinux {
+    for i in 0 1; do
+        # raw devices
+        try_isolinux_config "(${1}${i})"
+        for part in 1 2 3 4 5; do
+            # MBR/GPT partitions
+            try_isolinux_config "(${1}${i},${part})"
+        done
+    done
+}
+
+menuentry 'Qubes, with Xen hypervisor' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
+	set root='hd0,msdos1'
+	if [ x$feature_platform_search_hint = xy ]; then
+	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	else
+	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	fi
+	echo	'Loading Xen 4.8.3 ...'
+        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
+            xen_rm_opts=
+        else
+            xen_rm_opts="no-real-mode edd=off"
+        fi
+	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
+	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
+	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder iomem=relaxed root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
+	echo	'Loading initial ramdisk ...'
+	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
+}
+
+menuentry 'Qubes, with Xen hypervisor FDE' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
+	cryptomount -a
+	set root='lvm/qubes_dom0-boot'
+	if [ x$feature_platform_search_hint = xy ]; then
+	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	else
+	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
+	fi
+	echo	'Loading Xen 4.8.3 ...'
+        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
+            xen_rm_opts=
+        else
+            xen_rm_opts="no-real-mode edd=off"
+        fi
+	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
+	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
+	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder iomem=relaxed root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
+	echo	'Loading initial ramdisk ...'
+	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
+}
+
+submenu 'Boot from a LUKS+LVM setup  [l]' --hotkey='l' {
+    menuentry 'Linux-libre kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux-libre root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux-libre.img
+    }
+    menuentry 'Linux-libre-lts kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux-libre-lts.img
+    }
+    menuentry 'Linux-libre-grsec kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux-libre-grsec root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux-libre-grsec.img
+    }
+    menuentry 'Linux kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux.img
+    }
+    menuentry 'Linux-lts kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux-lts root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux-lts.img
+    }
+    menuentry 'Linux-grsec kernel' {
+        cryptomount -a
+        set root='lvm/matrix-system'
+        linux /boot/vmlinuz-linux-grsec root=/dev/matrix/system cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/etc/keyfile resume=/dev/mapper/matrix-swap
+        initrd /boot/initramfs-linux-grsec.img
+    }
+}
+menuentry 'Load operating system from HDD  [o]' --hotkey='o' {
+# GRUB2 handles (almost) every possible disk setup, but only the location of
+# /boot is actually important since GRUB2 only loads the user's config.
+
+# LVM, RAID, filesystems and encryption on both raw devices and partitions in
+# all various combinations need to be supported. Since full disk encryption is
+# possible with GRUB2 as payload and probably even used by most users, this
+# configuration tries to load the operating system in the following way:
+
+# 1. Look for user configuration on unencrypted devices first to avoid
+# unnecessary decryption routines in the following order:
+
+#    1) raw devices and MBR/GPT partitions
+    search_grub ahci
+    search_grub ata
+#    2) LVM and RAID which might be used accross multiple devices
+    lvm="lvm/matrix-rootvol lvm/matrix-boot"
+    raid="md/0 md/1 md/2 md/3 md/4 md/5 md/6 md/7 md/8 md/9"
+    for vol in ${lvm} ${raid}; do
+        try_user_config "(${vol})"
+    done
+# 2. In case no configuration could be found, try decrypting devices. Look
+# on raw crypto devices as well as inside LVM volumes this time.
+
+#    The user will be prompted for a passphrase if a LUKS header was found.
+    for dev in ahci0 ata0 ${lvm}; do
+        cryptomount "(${dev})"
+    done
+#    3) encrypted devices/partitions
+    for i in 0 1; do
+        for part in 1 2 3 4 5; do
+            for type in ahci ata; do
+                cryptomount "(${type}${i},${part})"
+            done
+        done
+    done
+
+#    3) encrypted devices/partitions
+    search_grub crypto
+#    4) LVM inside LUKS containers
+    for vol in ${lvm}; do
+        try_user_config "(${vol})"
+    done
+
+    # Last resort, if all else fails
+    set root=ahci0,1
+    for p in / /boot/; do
+        if [ -f "${p}vmlinuz" ]; then
+            linux ${p}vmlinuz root=/dev/sda1 rw
+            if [ -f "${p}initrd.img" ]; then
+                initrd ${p}initrd.img
+            fi
+        fi
+    done
+
+    # Last resort (for GA-G41-ES2L which uses IDE emulation mode for SATA)
+    set root=ata0,1
+    for p in / /boot/; do
+        if [ -f "${p}vmlinuz" ]; then
+            linux ${p}vmlinuz root=/dev/sda1 rw
+            if [ -f "${p}initrd.img" ]; then
+                initrd ${p}initrd.img
+            fi
+        fi
+    done
+}
+submenu 'Search for systems on external media  [u]' --hotkey="u" {
+    menuentry 'Search ISOLINUX menu (USB)  [u]' --hotkey='u' {
+        search_isolinux usb
+    }
+    menuentry 'Search ISOLINUX menu (AHCI)  [a]' --hotkey='a' {
+        search_isolinux ahci
+    }
+    menuentry 'Search ISOLINUX menu (CD/DVD)  [d]' --hotkey='d' {
+        insmod ata
+        for dev in ata0 ata1 ata2 ata3 ahci1; do
+            try_isolinux_config "(${dev})"
+        done
+    }
+    menuentry 'Search for GRUB2 configuration on external media  [s]' --hotkey='s' {
+        search_grub usb
+    }
+    menuentry 'Load test configuration (grubtest.cfg) inside of CBFS  [t]' --hotkey='t' {
+        set root='(cbfsdisk)'
+        configfile /grubtest.cfg
+    }
+    menuentry 'Chainload bootloader on external media  [c]' --hotkey='c' {
+        set root='(usb0)'
+        chainloader +1
+    }
+}
+menuentry 'Reboot  [r]' --hotkey='r' {
+    reboot
+}
+menuentry 'Poweroff  [p]' --hotkey='p' {
+    halt
+}