[coreboot] Re: Coreboot on newer hardware after some hardware mods?
Nico Huber wrote:
> > if the system integrator has enabled BootGuard in the
> > "wrong" way then the signature verification is intended to make it
> > impossible to install coreboot onto the system.
>
> This seems a bit misleading. BootGuard is independent of the flash
> chip and write access to it.

You're of course correct. I didn't express my point very well.

I wanted to make clear that, as you write, BootGuard is intended to disallow any firmware other than from the integrator, and bar some bug in chipset lockdown or SMM it can be expected to indeed be effective.

BootGuard itself doesn't control flash write access, but its idea is contrary to leaving the flash chip accessible e.g. by flashrom, and by now I think it's fair to expect that machines using BootGuard will also lock down flash write access such that only correctly (as decided by the manufacturer) signed firmware can be flashed in a running system.

Whether BootGuard allows a foreign firmware to boot is the next hurdle, and if no then no soldering iron helps.

I second Nico: Do everyone a favour and buy hardware actually designed for coreboot if you want coreboot. :)

//Peter
[coreboot] Re: Coreboot on newer hardware after some hardware mods?
On 12.04.21 at 14:33, Peter Stuge wrote:
> maxime.corne--- via coreboot wrote:
> > After some research on the Internet, I found out coreboot couldn’t
> > be ported to modern hardware because of an Intel technology which
> > encrypts the bios (I might be wrong, if so, sorry).
>
> Encryption (signatures actually, not encryption) isn't relevant for
> porting, but if the system integrator has enabled BootGuard in the
> "wrong" way then the signature verification is intended to make it
> impossible to install coreboot onto the system.
>
> In that case, and a few others, the only option is to desolder the
> flash chip and work with external programming options.

This seems a bit misleading. BootGuard is independent of the flash chip and write access to it. BootGuard reads the BIOS (more accurately the bootblock) and acts on what it sees. If it is configured in verification mode, it will deny to boot if the BIOS' signature isn't valid. Only the OEM who configured BootGuard can provide a valid signature.

BootGuard is not tied to the flash chip but the PCH (which is part of the CPU module in ultrabooks). That's a lot more work to replace.

Older versions of BootGuard may be susceptible to a TOCTOU discrepancy, i.e. you might get around it with a flash emulator that presents a bootblock with a valid signature to BootGuard and lets the CPU execute another later. But this won't be easy if possible at all.

> > I’d be more than happy to tinker with my hardware, so how would
> > you put coreboot on a recent thinkpad by replacing the bios chip?

Lenovo is known to set up BootGuard in verification mode on Thinkpads. Actually, Intel implemented BootGuard for OEMs like Lenovo who asked for it.

I didn't watch the whole video, but what I remember: 9elements bought a rare Thinkpad with BootGuard disabled. Might have been an early prototype or a development sample. Generally not easy to get.

So TL;DR
  coreboot on modern hardware: no problem at all (if you "own" the hardware and accept some blobs).
  coreboot on modern Thinkpads: totally up to Lenovo who "owns" all modern Thinkpads even after selling them.

If it doesn't have to be a Thinkpad, please consider buying hardware that ships with coreboot ;) If it does, you have to talk to Lenovo. We resell Thinkpads and talked to them... short version: we're selling too few to get a custom BootGuard configuration :-( Maybe if you take 10,000+ units, they're more interested (actually, I've no idea how much we sell). If you talk to a sales representative, they'll promise you anything; but that doesn't mean you get the deal. So it's not easy to figure out even a rough number. Also, this was some years ago. Always worth another shot to ask.

Nico

--
M. Sc. Nico Huber
Senior Consultant SINA Software Development and Verification
Division Defence & Space
secunet Security Networks AG
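The point above that BootGuard acts on what it reads from the BIOS image can be checked on a backup dump: this sketch (an added example, not code from the thread or from coreboot) walks the Firmware Interface Table and reports whether Key Manifest and Boot Policy Manifest entries (types 0x0B and 0x0C) are present. It assumes the last byte of the dump maps to physical address 0xFFFFFFFF, and the sample image is constructed for the demonstration. Manifests in the image do not by themselves show that the PCH is fused to enforce verification.

```python
import struct

FIT_SIGNATURE = b"_FIT_   "            # 8-byte marker in the FIT header entry
KEY_MANIFEST, BOOT_POLICY_MANIFEST = 0x0B, 0x0C   # Boot Guard entry types

def parse_fit(image: bytes):
    """Return [(type, address, size_field)] for the FIT entries, [] if no FIT."""
    if len(image) < 0x40:
        return []
    # The 8-byte FIT pointer sits 0x40 bytes below 4 GiB, i.e. below image end.
    (ptr,) = struct.unpack_from("<Q", image, len(image) - 0x40)
    off = ptr - (0x1_0000_0000 - len(image))    # physical address -> file offset
    if off < 0 or off + 16 > len(image) or image[off:off + 8] != FIT_SIGNATURE:
        return []
    count = int.from_bytes(image[off + 8:off + 11], "little")  # includes header
    entries = []
    for pos in range(off + 16, off + 16 * count, 16):
        if pos + 16 > len(image):
            break                                # truncated table: stop cleanly
        (addr,) = struct.unpack_from("<Q", image, pos)
        size = int.from_bytes(image[pos + 8:pos + 11], "little")
        entries.append((image[pos + 14] & 0x7F, addr, size))  # bit 7 = C_V flag
    return entries

def has_bootguard_manifests(image: bytes) -> bool:
    types = {t for t, _, _ in parse_fit(image)}
    return KEY_MANIFEST in types and BOOT_POLICY_MANIFEST in types

def build_sample_image(with_manifests: bool, size: int = 0x10000) -> bytes:
    """Constructed test image: 0xFF-filled flash with a FIT at offset 0x100."""
    base = 0x1_0000_0000 - size
    def entry(addr, length, etype):
        return struct.pack("<Q3sBHBB", addr, length.to_bytes(3, "little"),
                           0, 0x0100, etype, 0)
    body = [entry(base + 0x1000, 0x40, 0x01)]   # microcode update entry
    if with_manifests:
        body += [entry(base + 0x2000, 0x200, KEY_MANIFEST),
                 entry(base + 0x3000, 0x300, BOOT_POLICY_MANIFEST)]
    header = FIT_SIGNATURE + struct.pack(
        "<3sBHBB", (len(body) + 1).to_bytes(3, "little"), 0, 0x0100, 0, 0)
    img = bytearray(b"\xff" * size)
    fit = header + b"".join(body)
    img[0x100:0x100 + len(fit)] = fit
    struct.pack_into("<Q", img, size - 0x40, base + 0x100)
    return bytes(img)

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, has_bootguard_manifests(build_sample_image(flag)))
```
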
[coreboot] Re: Coreboot on newer hardware after some hardware mods?
maxime.corne--- via coreboot wrote:
> I know this question has been asked many times, but is it possible
> to have Coreboot on modern hardware?

The general answer is yes, it is possible under certain conditions.

What those conditions are depends both on the particular hardware platform (CPU+chipset generation) and on what decisions the system integrator (ODM and/or OEM) has made before shipping the machine.

Fairly modern consumer products are indeed supported in the coreboot master tree.

Another set of conditions determines *how* a coreboot image could be installed onto a machine which was sold without coreboot.

Regardless of those conditions, desoldering the flash chip and either reprogramming it externally or soldering a new, already programmed flash chip onto the mainboard will always work, assuming of course that the flash is a discrete component, which is not always the case. The boot flash is sometimes part of an embedded controller - I've only seen this on some Thinkpads so far.

> After some research on the Internet, I found out coreboot couldn’t
> be ported to modern hardware because of an Intel technology which
> encrypts the bios (I might be wrong, if so, sorry).

Encryption (signatures actually, not encryption) isn't relevant for porting, but if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system.

In that case, and a few others, the only option is to desolder the flash chip and work with external programming options.

> On the other end, companies like System76 are able to ship modern
> processor with Coreboot.

Because they are the system integrator they are allowed to make the necessary decisions to enable coreboot on their machines, and they are better positioned to have access to the relevant information for porting coreboot - but don't be fooled, the platform vendors (Intel, AMD) do not release the necessary information for coreboot porting to anyone at all.

Anyone who asks for it is told the same old lie: "Nobody is asking for that information so we don't make it available."

> I’d be more than happy to tinker with my hardware, so how would
> you put coreboot on a recent thinkpad by replacing the bios chip?

Desolder the flash chip and create a header solution for the 5 relevant pins so that you can move the flash chip between your laptop and a programmer like a beaglebone or worst case raspberrypi, make a backup of the original contents outside your laptop, download and build coreboot, program the flash outside your laptop, connect it to the laptop, try to boot, and start debugging why the boot fails... ;)

Hope this helps

//Peter
[coreboot] Re: HP compaq 8200 compatability
Hi Peter, list,

On Mon, Apr 12, 2021 at 12:06 PM Peter Stuge wrote:
>
> ppbruhuwu--- via coreboot wrote:
> > Hello so I was talking to my friend about coreboot but I saw that
> > only the SFF version of the compaq 8200 was compatible and so I
> > wanted to know why that is?
>
> Those adding that code were only interested in supporting that model.

Or only had a SFF model to test things on.

> > Also will coreboot be available for the compaq 8200 in the future?
>
> It could, if you or someone else makes it happen. If you're interested
> then you should not wait for someone else to do it for you, since
> that's unlikely.

It shouldn't be too hard to add support for the other form factors. After making sure the GPIO settings match (use util/autoport and compare the gpio.c files), it might be as simple as enabling a few devices in the devicetree.

> //Peter

Best regards,
Angel
[coreboot] Re: HP compaq 8200 compatability
ppbruhuwu--- via coreboot wrote:
> Hello so I was talking to my friend about coreboot but I saw that
> only the SFF version of the compaq 8200 was compatible and so I
> wanted to know why that is?

Those adding that code were only interested in supporting that model.

> Also will coreboot be available for the compaq 8200 in the future?

It could, if you or someone else makes it happen. If you're interested then you should not wait for someone else to do it for you, since that's unlikely.

//Peter
[coreboot] Coreboot on newer hardware after some hardware mods?
Hello everyone,

I know this question has been asked many times, but is it possible to have Coreboot on modern hardware?

After looking at a video (https://www.youtube.com/watch?v=Tt3bXZXsrE4) I learned that some people were able to put coreboot on recent thinkpads by soldering a new BIOS chip.

After some research on the Internet, I found out coreboot couldn’t be ported to modern hardware because of an Intel technology which encrypts the bios (I might be wrong, if so, sorry). On the other end, companies like System76 are able to ship modern processor with Coreboot.

I’d be more than happy to tinker with my hardware, so how would you put coreboot on a recent thinkpad by replacing the bios chip?

Thanks in advance.