Google omnigul retry with tpm duk supposed to work

[tlaurion]

Putting it out there in case @MrChromebox willing to test omnigul produced rom from CircleCI artifact for the board? I am willing to fix other issues if there is a tester for omnigul (interest is to give chromebook port some better guidelines in the future, not so much for omnigul itself but since the port exists....)

If you are willing to test and report TPM DUK sealing unsealing works, I would be willing to fix other issues in this PR and bring it par to other boards. Otherwise, I will close it until there is interest into another chromebook from community and help there again (this is port dating from before Mar 6, 2025, there are things outdated here, including coreboot fork used and kernel used (6.8 used for other boards).

[Copilot]

Pull request overview

Adds initial support for the Google “Omnigul” board by introducing a new board config, selecting a newer Linux kernel version, adding a coreboot fork source, and wiring a CI build to produce artifacts for testing.

Changes:

• Add a new boards/omnigul target and include generated coreboot/Linux configs for it.
• Add Linux kernel version 6.6.30 to the build system and introduce a corresponding patch set directory.
• Add a mrchromebox coreboot git fork module and a CircleCI workflow job to build omnigul.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
patches/linux-6.6.30/0001-fake-acpi.patch	Adds ACPI behavior overrides (currently with incorrect patch paths / questionable logic).
patches/linux-6.6.30/0002-nmi-squelch.patch	Disables unknown-NMI reporting/panic via preprocessor guard (currently with incorrect patch paths).
patches/linux-6.6.30/0010-winterfell-ahci.patch	Adds AHCI PORTS_IMPL forcing workaround (currently with incorrect patch paths and risky behavior).
modules/linux	Adds kernel version/hash selection for 6.6.30.
modules/coreboot	Adds the MrChromebox coreboot fork as a selectable module.
config/linux-omnigul.config	Adds generated Linux 6.6.30 kernel configuration for Omnigul.
config/coreboot-omnigul.config	Adds generated coreboot configuration for Omnigul.
boards/omnigul/omnigul.config	Introduces the Omnigul board definition and build/runtime options.
.circleci/config.yml	Adds an Omnigul CI build job to produce artifacts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

export CONFIG_AUTO_BOOT_TIMEOUT is defined twice (line 67 and again at the end). This duplication is easy to miss and can cause confusing overrides—please keep a single definition.

Suggested change

export CONFIG_AUTO_BOOT_TIMEOUT=5

[Copilot]

Minor text issues in the board header comment: "a Acer" should be "an Acer", and "Wi-FI" should be "Wi-Fi".

Suggested change

	# Configuration for a Acer Chromebook Plus 515 (CB515-2H/OMNIGUL)
	# Intel iGPU "UHD Graphics", 12th Gen Intel Core i3-1215U, 8GB RAM
	# 128GB UFS Storage (iNAND brand), Intel AX211 Wi-FI 6E,
	# Configuration for an Acer Chromebook Plus 515 (CB515-2H/OMNIGUL)
	# Intel iGPU "UHD Graphics", 12th Gen Intel Core i3-1215U, 8GB RAM
	# 128GB UFS Storage (iNAND brand), Intel AX211 Wi-Fi 6E,

[Copilot]

These patch headers target linux-4.9.80/... paths (and even ./clean/linux-4.9.80/...). With the current build system using git apply --directory build/.../linux-6.6.30, this patch will not apply to the extracted 6.6.30 kernel tree (which has paths like drivers/..., arch/...). Please regenerate/rewrite the patch against the 6.6.30 source tree with correct paths (prefer diff --git a/... b/... or at least paths rooted at the kernel top-level).

Suggested change

	diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c
	--- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500
	+++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500
	diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
	--- a/drivers/ata/libahci.c
	+++ b/drivers/ata/libahci.c

[Copilot]

After adding return_ACPI_STATUS(AE_OK);, the existing return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); becomes unreachable and contradicts the new behavior. Please remove the dead return or restructure the logic so the function returns exactly one status for this condition.

[Copilot]

In the ACPI_FAILURE(status) branch you now return ACPI_SYS_MODE_ACPI, but the following return_UINT32(ACPI_SYS_MODE_LEGACY); is left in place and becomes unreachable. Please delete the unreachable return (and keep indentation consistent).

Suggested change

	@@ -168,12 +168,16 @@
	status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value);
	if (ACPI_FAILURE(status)) {
	+printk("%s:%d faking ACPI mode\n", __func__, __LINE__);
	+ return_UINT32(ACPI_SYS_MODE_ACPI);
	return_UINT32(ACPI_SYS_MODE_LEGACY);
	@@ -168,12 +168,15 @@
	status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value);
	if (ACPI_FAILURE(status)) {
	+printk("%s:%d faking ACPI mode\n", __func__, __LINE__);
	+ return_UINT32(ACPI_SYS_MODE_ACPI);

[Copilot]

The comment says the MrChromebox fork is based on coreboot 4.22, but the module definition doesn't reuse the 4.22.01 toolchain (second arg is empty). This will build a separate crossgcc/toolchain for the fork, increasing CI/build time and cache size. Consider setting the toolchain parameter to 4.22.01 and (if used in CI) adding the corresponding build/cache path.

Suggested change

	$(eval $(call coreboot_module,mrchromebox,))
	$(eval $(call coreboot_module,mrchromebox,4.22.01))

[Copilot]

Forcing HOST_PORTS_IMPL to 0x1 and removing the vers < 0x10300 condition changes AHCI port discovery globally and may disable ports or misconfigure controllers. If this is a board/controller-specific workaround, it should be gated (e.g., by PCI ID/DMI match or a module param) and avoid hardcoding a single-port bitmap unless that's truly correct for the hardware.

Suggested change

	+ if (!port_map) { // && vers < 0x10300) {
	+ printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map);
	+ writel(0x1, mmio + HOST_PORTS_IMPL);
	+ port_map = readl(mmio + HOST_PORTS_IMPL);
	+
	+ //port_map = (1 << ahci_nr_ports(cap)) - 1;
	- if (!port_map) { // && vers < 0x10300) {
	- printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map);
	- writel(0x1, mmio + HOST_PORTS_IMPL);
	- port_map = readl(mmio + HOST_PORTS_IMPL);
	-
	- //port_map = (1 << ahci_nr_ports(cap)) - 1;

[Copilot]

These patch headers reference linux-4.9.80/... and ./clean/linux-4.9.80/..., so git apply will not patch the linux-6.6.30 sources as intended. Please regenerate the patch against linux 6.6.30 with paths relative to the kernel root (e.g., drivers/acpi/...).

[Copilot]

This workflow job uses the non-persisting build job type, so it won't contribute to the shared workspace/caches and may repeatedly rebuild the MrChromebox coreboot toolchain from scratch each run. If you want faster iteration and/or reusable caches, consider using build_and_persist (and adding coreboot-mrchromebox paths to save_cache).

[Copilot]

The option CONFIG_UNLOCK_FLASH_REGIONS=y disables SPI flash region write protections, allowing host software to modify BIOS and ME regions at runtime. An attacker who gains code execution in the OS can use this to flash a persistent firmware or ME-level rootkit that survives OS reinstalls and bypasses higher-level integrity checks. For production images, keep SPI flash regions locked and perform firmware updates only via a controlled, authenticated update path or external programmer rather than globally unlocking them at boot.

Suggested change

	CONFIG_UNLOCK_FLASH_REGIONS=y
	# CONFIG_UNLOCK_FLASH_REGIONS is not set