Re: [coreboot] Fund a TALOS Secure Workstation as coreboot build system

[ron minnich]

Zoran, you are one of The Good Guys in my world. But I don't understand
what you're trying to say.

ron
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Fund a TALOS Secure Workstation as coreboot build system

[Zoran Stojsavljevic]

Ron (also Stefan Reinauer),

You're all Google employees. Coreboot primes bought by Google. You all
(Patrick, I am targeting you as well) earn lot of bucks... Don't you all?

And you all have an influence. Don't deny this!

And... Sergey Brin makes lot of monies. Quite. And... I know Russian
mentality. I do. As Russian language. Russian teachers (from Detain camps
in Sebirea teached me).  Do NOT sell to me (at least) these reasons. Do not
sell me this sh@@t!

Either: Google will support Coreboot, either, Google will let you all to
beg... And here, you (Google employees) you are asking?! For what???

Thank you,
Zoran Stojsavljevic (independent/not to be blackmailed by anybody)
contributor!

On Wed, Jan 18, 2017 at 2:14 AM, ron minnich  wrote:

> Speaking from a former buyer of hardware, I can tell you from long
> experience, it is *really* hard to specify coreboot as a mandatory
> requirement. I've got stories going back 17 years now.
>
> Even when it makes sense, it's hard.
>
> I don't think we should count on the gov't to do the right thing.
>
> ron
>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Merlin Büge]

On Thu, 19 Jan 2017 20:51:53 -0600
Timothy Pearson  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On 01/19/2017 08:48 PM, Merlin Büge wrote:
> >> But I have a problem with all that badmouthing of her I recently
> >> encountered, on this somewhat miscarried article on Phoronix [0],
> >> on
> >> #librecore, and #libreboot. I mean, I'm also annoyed of the GNU/FSF
> >> drama and so on, but that's no reason to personally offend her (no
> >> matter how subtle), or dragging libreboot through the mire.
> > 
> >> Note that this is no direct response to your initial mail. I just
> >> wanted to tell people, before they are reading stuff like the
> >> article linked above:
> 
> Fair enough.  I misinterpreted your intent, my apologies.
> 
>  So, before you make up your mind, also listen to the other side.
> > 
> > 
> >> How comes that not everyone can just play nice with each other..?
> > 
> >> That makes me sad.



> Same here.  Let's refocus on the project and leave this behind.  All
> that's really changed is that Raptor Engineering has effectively
> donated a complete port for the KCMA-D8 (CPU, RAM, and southbridge)
> to the project, as well as getting it upstreamed.  I think that's
> quite enough for the x86 side for a few years...time to work on
> POWER! ;-)



Thank you. =)


 
> - -- 
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJYgXtGAAoJEK+E3vEXDOFbVh4IAL1eIM/CShSC/NFnjBYourxz
> i/95IdXw4l3hT7asgQSoH3MSR7pkIJLUnp/L0TiiFrY0h3SPiLKgJVX5RiCbxNug
> dnbwvkEmrXlQ5bih4Z4KGJa2b91wd2aoLtIr15+63hq2HWVGVzloWl1n8cx04DV9
> 7p7CIh0e13N9E6sYT93gCkbM25Q36uMt15ugMDti69KcMuOP3nJueb1PfTVfkBhj
> umlIiaVJ+qZjaBsELk3fm0J5V+xDxReKlhmace895IwSgXmX2f5myg5aA4rMphWm
> vjKNlG3AfuXOaW35GMHCZAupCEtAHgy9DjfpK8z7RAaXr+iobCFPiCD3+8bch1o=
> =CwCY
> -END PGP SIGNATURE-


-- 
Merlin Büge 

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/19/2017 08:48 PM, Merlin Büge wrote:
>> But I have a problem with all that badmouthing of her I recently
>> encountered, on this somewhat miscarried article on Phoronix [0], on
>> #librecore, and #libreboot. I mean, I'm also annoyed of the GNU/FSF
>> drama and so on, but that's no reason to personally offend her (no
>> matter how subtle), or dragging libreboot through the mire.
> 
>> Note that this is no direct response to your initial mail. I just
>> wanted to tell people, before they are reading stuff like the article
>> linked above:

Fair enough.  I misinterpreted your intent, my apologies.

 So, before you make up your mind, also listen to the other side.
> 
> 
>> How comes that not everyone can just play nice with each other..?
> 
>> That makes me sad.

Same here.  Let's refocus on the project and leave this behind.  All
that's really changed is that Raptor Engineering has effectively donated
a complete port for the KCMA-D8 (CPU, RAM, and southbridge) to the
project, as well as getting it upstreamed.  I think that's quite enough
for the x86 side for a few years...time to work on POWER! ;-)

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgXtGAAoJEK+E3vEXDOFbVh4IAL1eIM/CShSC/NFnjBYourxz
i/95IdXw4l3hT7asgQSoH3MSR7pkIJLUnp/L0TiiFrY0h3SPiLKgJVX5RiCbxNug
dnbwvkEmrXlQ5bih4Z4KGJa2b91wd2aoLtIr15+63hq2HWVGVzloWl1n8cx04DV9
7p7CIh0e13N9E6sYT93gCkbM25Q36uMt15ugMDti69KcMuOP3nJueb1PfTVfkBhj
umlIiaVJ+qZjaBsELk3fm0J5V+xDxReKlhmace895IwSgXmX2f5myg5aA4rMphWm
vjKNlG3AfuXOaW35GMHCZAupCEtAHgy9DjfpK8z7RAaXr+iobCFPiCD3+8bch1o=
=CwCY
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Merlin Büge]

On Thu, 19 Jan 2017 19:38:34 -0600
Timothy Pearson  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On 01/19/2017 07:15 PM, Merlin Büge wrote:
> > On Thu, 19 Jan 2017 11:58:03 -0600
> > Timothy Pearson  wrote:
> > 
> > 
> > 
> >> Sorry to revive an old thread, but as many of you are aware
> >> Minifree (Leah Rowe) contracted with us to port the KCMA-D8 and
> >> release it.  We performed this work and the KCMA-D8 continues to
> >> operate, however Minifree has decided not to pay their contract on
> >> this work.  We strongly recommend that no person do any business
> >> with Minifree or its founder Leah Rowe, as they do not honor their
> >> legally binding contracts.
> > 
> > 
> > I see that my mail does belong to this list as little as this ^
> > 
> > However, I just want to remind you folks that there's always two
> > sides to a story. I've seen a lot of badmouthing of Leah,
> > especially the last few hours in IRC etc... questionable, to say
> > the least.
> > 
> > So, before you make up your mind, also listen to the other side.
> > 
> > 
> > Thanks,
> > 
> >  Merlin
> 
> Since you state that the criticism is questionable, can you please
> indicate where you disagree with said criticism?  As you say there are
> two sides to any story, and I have not presented a clear picture of
> our side for the sake of brevity and not wanting to drag the list
> along for the ride.

I feel quite uncomfortable discussing this here, not because it's
public, but because it's rather off-topic. Also I don't want to quote
freenode logs here.

I have no problem with (fair) criticism of how Leah is driving the
libreboot project, and that she still did not pay for the KCMA-D8 port
is clearly morally questionable.

But I have a problem with all that badmouthing of her I recently
encountered, on this somewhat miscarried article on Phoronix [0], on
#librecore, and #libreboot. I mean, I'm also annoyed of the GNU/FSF
drama and so on, but that's no reason to personally offend her (no
matter how subtle), or dragging libreboot through the mire.

Note that this is no direct response to your initial mail. I just
wanted to tell people, before they are reading stuff like the article
linked above:

> > So, before you make up your mind, also listen to the other side.


How comes that not everyone can just play nice with each other..?

That makes me sad.


 Merlin



[0]
https://www.phoronix.com/scan.php?page=news_item=Librecore-Formation






> 
> It comes down to a simple contract non-payment; no dissatisfaction
> with our work was registered until today when I was informed that the
> KCMA-D8 contract would not be paid.  These contracts were originally
> signed back in 2015 and the goal was to make all of these systems
> available for sale to the community; functional sources were given to
> Rowe early 2016 but sadly Minifree did not list them for sale until
> late 2016.  By that time the market had shifted further and,
> partially due to the ongoing controversy regarding Libreboot and the
> FSF, we observed a very public refusal to support Minifree further.
> Instead of honoring the debt incurred as part of this business
> opportunity, Rowe simply decided to walk away from it.
> 
> Rowe also does not have the knowledge or authority required to comment
> on our internal development processes regarding the KCMA-D8, including
> time taken, effort expended, and overall cost.  The KCMA-D8 is not a
> trivial port in the sense of, for instance, the T400 to T500
> conversion; a quick glance at the coreboot GIT repository, noting the
> logs referring to the C32 socket (the socket used on the KCMA-D8),
> will indicate that there was DDR3 initialization work required to get
> the KCMA-D8 operational and stabilized, in addition to handling the
> new layout and modified components of the mainboard itself.  Our
> quote was fully in line with industry standards for the type of work
> performed.
> 
> I don't want to go into further detail on this list; this is our side
> and really all you need to know.
> 
> - -- 
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJYgWoYAAoJEK+E3vEXDOFbibsH/03TbzMfvxZtDh1xDwAZ5oTR
> JEl7pU+ooyQb20yIl7IzokBt8ew2Ch2PDEQY3D7h2CE7tS/Wzpqv5U1D4GRHMviI
> ieZjIgh/FjjMP8XOR+DJLvmMg2/mQUyvnc90kQd1tJ8z7sBd5sb7Z06w3aOQEPwP
> CaXchg2gow6+Jkm69KfG3c3BJfpTyFCtaOW4d1mQKSWrGlIUNHwUqnXgq5rWjjND
> 1qTr/oA6vCiBSnUDd9fZg+4sLW3u/KtiAfNaIPmP9u/mu8/nbw2zPtillrkIYbeA
> XvR4nuWlRNgouycnZKReTRPusSkq5y/00sxAK6soEZmap0KS4l4syjEMZDOgoJA=
> =uAu9
> -END PGP SIGNATURE-


-- 
Merlin Büge 

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Proposal: "Freedom level" field for boards supported by coreboot

[Andrés Domínguez]

Sorry if my reply begins to be a little of topic or uninteresting.
Everyone has different company working experience, live in different
countries etc. and my suggestion was well intended so I want to
clarify the way I see this topic:

1) We all want more open systems like power8/9 or, even better, risc-v
to dominate the market from top to bottom.
2) Sure any sysadmin in San Jose, California, makes 100k+/year, most
IT workers in many countries don't remotely make that. Also, many
companies will not see a lot of increase in productivity buying more
expensive power8 computers.
3) Most users and companies want to buy modern, fast and inexpensive,
even if restricted/obscure, x86 systems. Because of this...
4) all major computer companies will use modern x86 for most of their
desktops and servers in the near future.
5) If users/companies see in the coreboot web page red "Pawned" for
all the systems that they would buy, this doesn't encourage to buy
coreboot supported boards.
6) If the companies selling a lot of coreboot computers (chromebooks)
think about using coreboot for their x86 computers (some could even
have similar hardware as their chromeos ones), they will prefer not be
listed in the coreboot page than marked in red as "Pwned".
7) Being able to run coreboot+seabios/depthcharge etc. instead of
proprietary BIOS should be displayed as positive, even if they don't
get a medal in freedom.
8) Encouraging the use of coreboot in restricted x86 systems will also
increase the visibility of the medals for the more free/trustful
systems.

Sorry for the long mail, and in case I don't write again next week,
Happy New Year!

Andrés

2017-01-20 0:52 GMT+01:00 taii...@gmx.com :
> On 01/19/2017 06:16 PM, Andrés Domínguez wrote:
>
>> 2017-01-18 23:39 GMT+01:00 Timothy Pearson
>> :
>>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> All,
>>>
>>> I've been working on a new way to classify boards supported by coreboot
>>> based on their freedom level.
>>
>> Very good idea.
>>
>>> I uploaded the classification criteria to
>>> the Wiki here
>>>
>>> https://www.coreboot.org/Board_freedom_levels
>>
>> There are a few things that I don't like about your categories,
>> specially the "scary red Pwned": Don't you think that people reading
>> the coreboot web page, will think that the "Pwned" are worse than
>> buying any random board not supported by coreboot, with the same
>> freedom issues? I would use not colored not named for the last
>> category. Gold, Silver and Bronze sound good to me, you could always
>> add Platinum and Iridium if more free boards appear and + or - for
>> every category that needs subcategories.
>>
>> I also agree with Julius about the ARM platforms that have not
>> supported GPU or WIFI. For many use cases GPU is not needed, and WIFI
>> can be replaced by PCIe or USB one.
>>
>> Andrés
>
> FSP coreboot isn't the real thing, it is almost absolutely pointless as it
> doesn't really do anything at all - we shouldn't entertain the purism idiots
> who support that.
>
>
> x86 is dead, in a year or so you won't be able to find any new non
> FSP/ME/PSP type motherboards so we will be reduced to buying overpriced used
> boards from ebay (kgpe-d16 - get em new while you can boys)
>
> At this point the only realistic option is a campaign to make libre one of
> the more affordable POWER8 systems, eventually they will come down in price
> and it'll be affordable (in 2012 a brand new kgpe d16 plus new cpu ram etc
> would be just as much as a lower end POWER8 is now)
>
> Unfortunate despite all the linux sysadmin's who are making 100K+ per year
> the authentic "hacker" culture[1] is nearly dead so nobody really cares
> about free firmware enough to cough up real money for to make it a reality,
> which is why TALOS failed.
>
> [1] people who work for facebook, google or another web 2.0 trendster
> company and who call themselves a "hacker" don't fall in to this category.

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/19/2017 07:15 PM, Merlin Büge wrote:
> On Thu, 19 Jan 2017 11:58:03 -0600
> Timothy Pearson  wrote:
> 
> 
> 
>> Sorry to revive an old thread, but as many of you are aware Minifree
>> (Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
>> performed this work and the KCMA-D8 continues to operate, however
>> Minifree has decided not to pay their contract on this work.  We
>> strongly recommend that no person do any business with Minifree or its
>> founder Leah Rowe, as they do not honor their legally binding
>> contracts.
> 
> 
> I see that my mail does belong to this list as little as this ^
> 
> However, I just want to remind you folks that there's always two sides
> to a story. I've seen a lot of badmouthing of Leah, especially the
> last few hours in IRC etc... questionable, to say the least.
> 
> So, before you make up your mind, also listen to the other side.
> 
> 
> Thanks,
> 
>  Merlin

Since you state that the criticism is questionable, can you please
indicate where you disagree with said criticism?  As you say there are
two sides to any story, and I have not presented a clear picture of our
side for the sake of brevity and not wanting to drag the list along for
the ride.

It comes down to a simple contract non-payment; no dissatisfaction with
our work was registered until today when I was informed that the KCMA-D8
contract would not be paid.  These contracts were originally signed back
in 2015 and the goal was to make all of these systems available for sale
to the community; functional sources were given to Rowe early 2016 but
sadly Minifree did not list them for sale until late 2016.  By that time
the market had shifted further and, partially due to the ongoing
controversy regarding Libreboot and the FSF, we observed a very public
refusal to support Minifree further.  Instead of honoring the debt
incurred as part of this business opportunity, Rowe simply decided to
walk away from it.

Rowe also does not have the knowledge or authority required to comment
on our internal development processes regarding the KCMA-D8, including
time taken, effort expended, and overall cost.  The KCMA-D8 is not a
trivial port in the sense of, for instance, the T400 to T500 conversion;
a quick glance at the coreboot GIT repository, noting the logs referring
to the C32 socket (the socket used on the KCMA-D8), will indicate that
there was DDR3 initialization work required to get the KCMA-D8
operational and stabilized, in addition to handling the new layout and
modified components of the mainboard itself.  Our quote was fully in
line with industry standards for the type of work performed.

I don't want to go into further detail on this list; this is our side
and really all you need to know.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgWoYAAoJEK+E3vEXDOFbibsH/03TbzMfvxZtDh1xDwAZ5oTR
JEl7pU+ooyQb20yIl7IzokBt8ew2Ch2PDEQY3D7h2CE7tS/Wzpqv5U1D4GRHMviI
ieZjIgh/FjjMP8XOR+DJLvmMg2/mQUyvnc90kQd1tJ8z7sBd5sb7Z06w3aOQEPwP
CaXchg2gow6+Jkm69KfG3c3BJfpTyFCtaOW4d1mQKSWrGlIUNHwUqnXgq5rWjjND
1qTr/oA6vCiBSnUDd9fZg+4sLW3u/KtiAfNaIPmP9u/mu8/nbw2zPtillrkIYbeA
XvR4nuWlRNgouycnZKReTRPusSkq5y/00sxAK6soEZmap0KS4l4syjEMZDOgoJA=
=uAu9
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Merlin Büge]

On Thu, 19 Jan 2017 11:58:03 -0600
Timothy Pearson  wrote:



> Sorry to revive an old thread, but as many of you are aware Minifree
> (Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
> performed this work and the KCMA-D8 continues to operate, however
> Minifree has decided not to pay their contract on this work.  We
> strongly recommend that no person do any business with Minifree or its
> founder Leah Rowe, as they do not honor their legally binding
> contracts.


I see that my mail does belong to this list as little as this ^

However, I just want to remind you folks that there's always two sides
to a story. I've seen a lot of badmouthing of Leah, especially the
last few hours in IRC etc... questionable, to say the least.

So, before you make up your mind, also listen to the other side.


Thanks,

 Merlin





> - -- 
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJYgP4nAAoJEK+E3vEXDOFbIv4H/2LVc83j2TvIDXW5owce6X94
> SUwbyLhAlAyrqSmrOwwmaam+w85APVSW8+fZWXsNW76yWnuHsYirr5va5XWUTkDm
> egPZDnWz1W/mg35GTcnQe2aQNZpQ6Q7VX5WiVgBHxtmfRbu/mswQyP3LAqO7vIhh
> pheQdSUyRoYomqMkhx7o3t2EtDti4oR3L3AqykvxhuszFhkQNrtRj4vFyLBy3j6/
> io5xeE3QKObSvC2waVkGq3cJzOGzfgtZb3Nwqrt6NZl4Cz5GMQM5MBV4jx4gGcO5
> rzRFbXZm/zOdICOc4c45n5B4P/kUz/AmkB6hVEgJjQHQS+p93sZ5xLVJlzqdDRk=
> =RcgR
> -END PGP SIGNATURE-
> 
> -- 
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot


-- 
Merlin Büge 

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Coreboot binary for ASUS F2A85-M

[Daniel Kulesz via coreboot]

Hi Max,

I had my F2A-85M working with an A10-6700 which needed some additional tweaking 
because the Quadcore-CPU was causing timing issues in SeaBIOS. On my previous 
cpu (A4-5300) everything was fine so I suppose the same should work on your 
dualcore as well. 

You can find my config files (for the A10-6700) together with some logs in this 
commit:

https://review.coreboot.org/cgit/board-status.git/commit/?id=947fdae2518172e305a96b9de5684dba0bbbabbc

However, I also had the issue that I didn't receive any video output unless the 
Linux kernel initialized the video or I plugged an PCIe GPU. I tried including 
the VBIOS, but were out of luck for both CPUs/APUs. 

Did you try hooking up a serial cable to see what is going on (provided you 
have debug instructions compiled in).

Cheers, Daniel

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/19/2017 05:55 PM, taii...@gmx.com wrote:
> On 01/19/2017 06:51 PM, Timothy Pearson wrote:
> 
> On 01/19/2017 05:41 PM, taii...@gmx.com wrote:
 On 01/19/2017 12:58 PM, Timothy Pearson wrote:

 On 11/10/2015 10:40 PM, Alex G. wrote:
>>> This is something I'd be interested in: Making a 501(c)
>>> (tax-deductible)
>>> contribution towards this goal. Is there a way to make this
>>> happen? Can
>>> the FSF get involved in this somehow? (they have 501(c)(3) status).
>>>
>>> Alex
 Sorry to revive an old thread, but as many of you are aware Minifree
 (Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
 performed this work and the KCMA-D8 continues to operate, however
 Minifree has decided not to pay their contract on this work.  We
 strongly recommend that no person do any business with Minifree or its
 founder Leah Rowe, as they do not honor their legally binding contracts.

 -- Timothy Pearson
 Raptor Engineering
 +1 (415) 727-8645 (direct line)
 +1 (512) 690-0200 (switchboard)
 https://www.raptorengineering.com
 That is sad, I guess she really went off the deep end what an awful
 thing to screw you guys over like that
 I despise customers that don't payafter being burned a few times I
 now always get money up front for any consulting work over $300
 This should be publicized more.
 They are the only retail vendor that sells ready to go libre coreboot
 computers I imagine a lot of people buy from them...
> We are offering at least the desktop, workstation, and server variants
> now:
> 
> https://www.raptorengineering.com/content/base/news/19.01.2017
> 
> Those proceeds do go to development of libre systems, so perhaps at
> least US customers can now purchase straight from the development vendor
> (Raptor) instead of a third party.  I don't expect much uptake but it is
> an option at least, and we do bring experience on the server side that
> was not present with the other vendor.
> 
> -- Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
>>
> Nice.
> It might be prudent to create a web-store where people can purchase via
> credit card etc, a lot of people are incredibly lazy slash antisocial
> and don't wish to call for a quote.

Yeah, this was just a quick announcement for the server end mostly.  It
will take a couple of days to get the product pages up for the desktop /
workstation "generic" systems.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgVPQAAoJEK+E3vEXDOFbdeAH+wfwlUrb9GLMpmGA01MGXBL2
z8MMq5T3MAA7ZWyyXsMpCzAWSacgEKlyUf1jiUHVs3QClTdug1z6Phmtvfy5+/Mc
4JlHa8tzVOe+pZIDmJE8WqWoKxhey+u65PXYAYL5P2wqBAu5IxAhdRqHWceEFwkh
K/VE2VnFjXcbTdCPIWxD7hRUyX6BMOwwvjxRPiPB6LWJVBqHP/3+D6X7LSiqeuyP
VYCIImycuw4I2+aOuU3Tg4d5ddWuPDjUYJ/fjq0VKOFtgZWquOKDlXoSAy28Fabc
hZoxvb53PGYXQHH7vbl/tFVrYlpLKlWQ70Fmt3vxt+LRsYUIgXVuQcGBfS5Jf0o=
=E9lb
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[taii...@gmx.com]

On 01/19/2017 06:51 PM, Timothy Pearson wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/19/2017 05:41 PM, taii...@gmx.com wrote:

On 01/19/2017 12:58 PM, Timothy Pearson wrote:

On 11/10/2015 10:40 PM, Alex G. wrote:

This is something I'd be interested in: Making a 501(c) (tax-deductible)
contribution towards this goal. Is there a way to make this happen? Can
the FSF get involved in this somehow? (they have 501(c)(3) status).

Alex

Sorry to revive an old thread, but as many of you are aware Minifree
(Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
performed this work and the KCMA-D8 continues to operate, however
Minifree has decided not to pay their contract on this work.  We
strongly recommend that no person do any business with Minifree or its
founder Leah Rowe, as they do not honor their legally binding contracts.

-- Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
That is sad, I guess she really went off the deep end what an awful
thing to screw you guys over like that
I despise customers that don't payafter being burned a few times I
now always get money up front for any consulting work over $300
This should be publicized more.
They are the only retail vendor that sells ready to go libre coreboot
computers I imagine a lot of people buy from them...

We are offering at least the desktop, workstation, and server variants now:

https://www.raptorengineering.com/content/base/news/19.01.2017

Those proceeds do go to development of libre systems, so perhaps at
least US customers can now purchase straight from the development vendor
(Raptor) instead of a third party.  I don't expect much uptake but it is
an option at least, and we do bring experience on the server side that
was not present with the other vendor.

- -- 
Timothy Pearson

Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgVEVAAoJEK+E3vEXDOFbnv0H/A0uZotgAmPQ1vB8+lIsYADo
vxAAYO0Gf5lrw5Qi4bhaEHSM3Pd+//sJgg/EfrbdqQCMd3NesxRUpIRHhv+B4B11
Tk+d/spjkc2BUxfRsE43LYfLaVYnVWaVCI7Y2hVtnTnxJ7QlnoZqx1fkoL85rVRW
zPFJzAbh6W+S9RCkjayWx3JCLCa3A0gxs6NWtKOeC+GFHo8zJ8gOo+672401zU75
aCXM9SUcekLXIjbxmmsrwxe36il0RaqtfkHCOBXyoAha8Ocg+KHEr7iv52tR6xag
Fp7Fy0A5SxowS8BhNnQJ15bNRRQuWrAYgDN0jzK4lwFw2D5F2lWbjofT/shkp0Q=
=kTPH
-END PGP SIGNATURE-


Nice.
It might be prudent to create a web-store where people can purchase via 
credit card etc, a lot of people are incredibly lazy slash antisocial 
and don't wish to call for a quote.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Proposal: "Freedom level" field for boards supported by coreboot

[taii...@gmx.com]

On 01/19/2017 06:16 PM, Andrés Domínguez wrote:


2017-01-18 23:39 GMT+01:00 Timothy Pearson :

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I've been working on a new way to classify boards supported by coreboot
based on their freedom level.

Very good idea.


I uploaded the classification criteria to
the Wiki here

https://www.coreboot.org/Board_freedom_levels

There are a few things that I don't like about your categories,
specially the "scary red Pwned": Don't you think that people reading
the coreboot web page, will think that the "Pwned" are worse than
buying any random board not supported by coreboot, with the same
freedom issues? I would use not colored not named for the last
category. Gold, Silver and Bronze sound good to me, you could always
add Platinum and Iridium if more free boards appear and + or - for
every category that needs subcategories.

I also agree with Julius about the ARM platforms that have not
supported GPU or WIFI. For many use cases GPU is not needed, and WIFI
can be replaced by PCIe or USB one.

Andrés
FSP coreboot isn't the real thing, it is almost absolutely pointless as 
it doesn't really do anything at all - we shouldn't entertain the purism 
idiots who support that.



x86 is dead, in a year or so you won't be able to find any new non 
FSP/ME/PSP type motherboards so we will be reduced to buying overpriced 
used boards from ebay (kgpe-d16 - get em new while you can boys)


At this point the only realistic option is a campaign to make libre one 
of the more affordable POWER8 systems, eventually they will come down in 
price and it'll be affordable (in 2012 a brand new kgpe d16 plus new cpu 
ram etc would be just as much as a lower end POWER8 is now)


Unfortunate despite all the linux sysadmin's who are making 100K+ per 
year the authentic "hacker" culture[1] is nearly dead so nobody really 
cares about free firmware enough to cough up real money for to make it a 
reality, which is why TALOS failed.


[1] people who work for facebook, google or another web 2.0 trendster 
company and who call themselves a "hacker" don't fall in to this category.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/19/2017 05:41 PM, taii...@gmx.com wrote:
> On 01/19/2017 12:58 PM, Timothy Pearson wrote:
> 
> On 11/10/2015 10:40 PM, Alex G. wrote:
 This is something I'd be interested in: Making a 501(c) (tax-deductible)
 contribution towards this goal. Is there a way to make this happen? Can
 the FSF get involved in this somehow? (they have 501(c)(3) status).

 Alex
> Sorry to revive an old thread, but as many of you are aware Minifree
> (Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
> performed this work and the KCMA-D8 continues to operate, however
> Minifree has decided not to pay their contract on this work.  We
> strongly recommend that no person do any business with Minifree or its
> founder Leah Rowe, as they do not honor their legally binding contracts.
> 
> -- Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
>>
> That is sad, I guess she really went off the deep end what an awful
> thing to screw you guys over like that
> I despise customers that don't payafter being burned a few times I
> now always get money up front for any consulting work over $300

> This should be publicized more.
> They are the only retail vendor that sells ready to go libre coreboot
> computers I imagine a lot of people buy from them...

We are offering at least the desktop, workstation, and server variants now:

https://www.raptorengineering.com/content/base/news/19.01.2017

Those proceeds do go to development of libre systems, so perhaps at
least US customers can now purchase straight from the development vendor
(Raptor) instead of a third party.  I don't expect much uptake but it is
an option at least, and we do bring experience on the server side that
was not present with the other vendor.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgVEVAAoJEK+E3vEXDOFbnv0H/A0uZotgAmPQ1vB8+lIsYADo
vxAAYO0Gf5lrw5Qi4bhaEHSM3Pd+//sJgg/EfrbdqQCMd3NesxRUpIRHhv+B4B11
Tk+d/spjkc2BUxfRsE43LYfLaVYnVWaVCI7Y2hVtnTnxJ7QlnoZqx1fkoL85rVRW
zPFJzAbh6W+S9RCkjayWx3JCLCa3A0gxs6NWtKOeC+GFHo8zJ8gOo+672401zU75
aCXM9SUcekLXIjbxmmsrwxe36il0RaqtfkHCOBXyoAha8Ocg+KHEr7iv52tR6xag
Fp7Fy0A5SxowS8BhNnQJ15bNRRQuWrAYgDN0jzK4lwFw2D5F2lWbjofT/shkp0Q=
=kTPH
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[taii...@gmx.com]

On 01/19/2017 12:58 PM, Timothy Pearson wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/10/2015 10:40 PM, Alex G. wrote:

This is something I'd be interested in: Making a 501(c) (tax-deductible)
contribution towards this goal. Is there a way to make this happen? Can
the FSF get involved in this somehow? (they have 501(c)(3) status).

Alex

Sorry to revive an old thread, but as many of you are aware Minifree
(Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
performed this work and the KCMA-D8 continues to operate, however
Minifree has decided not to pay their contract on this work.  We
strongly recommend that no person do any business with Minifree or its
founder Leah Rowe, as they do not honor their legally binding contracts.

- -- 
Timothy Pearson

Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgP4nAAoJEK+E3vEXDOFbIv4H/2LVc83j2TvIDXW5owce6X94
SUwbyLhAlAyrqSmrOwwmaam+w85APVSW8+fZWXsNW76yWnuHsYirr5va5XWUTkDm
egPZDnWz1W/mg35GTcnQe2aQNZpQ6Q7VX5WiVgBHxtmfRbu/mswQyP3LAqO7vIhh
pheQdSUyRoYomqMkhx7o3t2EtDti4oR3L3AqykvxhuszFhkQNrtRj4vFyLBy3j6/
io5xeE3QKObSvC2waVkGq3cJzOGzfgtZb3Nwqrt6NZl4Cz5GMQM5MBV4jx4gGcO5
rzRFbXZm/zOdICOc4c45n5B4P/kUz/AmkB6hVEgJjQHQS+p93sZ5xLVJlzqdDRk=
=RcgR
-END PGP SIGNATURE-

That is sad, I guess she really went off the deep end what an awful 
thing to screw you guys over like that
I despise customers that don't payafter being burned a few times I 
now always get money up front for any consulting work over $300


This should be publicized more.
They are the only retail vendor that sells ready to go libre coreboot 
computers I imagine a lot of people buy from them...


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Proposal: "Freedom level" field for boards supported by coreboot

[Sam Kuper]

On 19/01/2017, Andrés Domínguez  wrote:
> 2017-01-18 23:39 GMT+01:00 Timothy Pearson :
>> https://www.coreboot.org/Board_freedom_levels
>
> There are a few things that I don't like about your categories,
> specially the "scary red Pwned": Don't you think that people reading
> the coreboot web page, will think that the "Pwned" are worse than
> buying any random board not supported by coreboot, with the same
> freedom issues?

Any random board that *isn't* pre-2010 Intel or pre-2014 AMD?

I think the "Pwned" category is pretty well described.

Timothy: good work. Thank you for doing it.

Btw, about SBCs, might be worth seeing if the classifications used on
the FSF's SBC page, and those used within Coreboot (if Timothy's
proposal is adopted), could be harmonised. That would, I hope, improve
clarity/standardisation, and reduce confusion. I'm CC'ing Paul
Kocialkowsi, the maintainer of the FSF page.
https://www.fsf.org/resources/hw/single-board-computers

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Proposal: "Freedom level" field for boards supported by coreboot

[Andrés Domínguez]

2017-01-18 23:39 GMT+01:00 Timothy Pearson :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> All,
>
> I've been working on a new way to classify boards supported by coreboot
> based on their freedom level.

Very good idea.

> I uploaded the classification criteria to
> the Wiki here
>
> https://www.coreboot.org/Board_freedom_levels

There are a few things that I don't like about your categories,
specially the "scary red Pwned": Don't you think that people reading
the coreboot web page, will think that the "Pwned" are worse than
buying any random board not supported by coreboot, with the same
freedom issues? I would use not colored not named for the last
category. Gold, Silver and Bronze sound good to me, you could always
add Platinum and Iridium if more free boards appear and + or - for
every category that needs subcategories.

I also agree with Julius about the ARM platforms that have not
supported GPU or WIFI. For many use cases GPU is not needed, and WIFI
can be replaced by PCIe or USB one.

Andrés

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Using as default external monitor for booting in x230

[Car.cuevas via coreboot]

Hi,

thanks for both answers Nico and Ron,

Well actually, for me what's important is that I can be able to see through DP2 
from the docker, If I can alter actually the backlight sequence, and setup the 
DP2 as the first one, but I have to say sorry because from your explanations I 
am not sure if it means that with Coreboot, the OS would be able to handle to 
show through the DP2 the video signal or not?.. For the mod, I have now 
actually in the BIOS didn't have to do a thing, just to set up in the bios as 
default screen the DP2, but nothing else was needed, actually the operating 
system detects as they were 2 screens and manage them.

Thanks once more for your help :)





 Original Message 
Subject: Re: [coreboot] Using as default external monitor for booting in x230
Local Time: January 15, 2017 7:20 PM
UTC Time: January 15, 2017 6:20 PM
From: rminn...@gmail.com
To: Nico Huber , Car.cuevas , 
coreboot@coreboot.org 





On Sun, Jan 15, 2017 at 10:09 AM Nico Huber  wrote:


It wouldn't matter as the current native gfx code in coreboot doesn't
support external displays.

Yes. I started that code as a "let's get chromebooks to not use the video 
binary blob" project. That was five years ago, if you can believe it. I did not 
realize when I started it just how complicated it would get. But external 
display support was not a goal. Of course, with support from the chipset vendor 
it would have gone much more smoothly and we could have all been using open 
source gfx code for five years now, but you all know how that story ends ...

Note that x86 chromebooks still use the VGA BIOS.



If you want OSS for the gfx initialization, there's also libgfxinit
(written in Ada, see 3rdparty/libgfxinit in the coreboot tree). It can
enable external displays but would need some patching to make the panel
power and backlight control work with that.

Yes. I think the Ada code is far superior to the C code at this point. I think 
it makes sense to focus on extending it as opposed to working on the C gfx code.

ron-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] ASUS KCMA-D8 workstation board port offer

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/10/2015 10:40 PM, Alex G. wrote:
> This is something I'd be interested in: Making a 501(c) (tax-deductible)
> contribution towards this goal. Is there a way to make this happen? Can
> the FSF get involved in this somehow? (they have 501(c)(3) status).
> 
> Alex

Sorry to revive an old thread, but as many of you are aware Minifree
(Leah Rowe) contracted with us to port the KCMA-D8 and release it.  We
performed this work and the KCMA-D8 continues to operate, however
Minifree has decided not to pay their contract on this work.  We
strongly recommend that no person do any business with Minifree or its
founder Leah Rowe, as they do not honor their legally binding contracts.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYgP4nAAoJEK+E3vEXDOFbIv4H/2LVc83j2TvIDXW5owce6X94
SUwbyLhAlAyrqSmrOwwmaam+w85APVSW8+fZWXsNW76yWnuHsYirr5va5XWUTkDm
egPZDnWz1W/mg35GTcnQe2aQNZpQ6Q7VX5WiVgBHxtmfRbu/mswQyP3LAqO7vIhh
pheQdSUyRoYomqMkhx7o3t2EtDti4oR3L3AqykvxhuszFhkQNrtRj4vFyLBy3j6/
io5xeE3QKObSvC2waVkGq3cJzOGzfgtZb3Nwqrt6NZl4Cz5GMQM5MBV4jx4gGcO5
rzRFbXZm/zOdICOc4c45n5B4P/kUz/AmkB6hVEgJjQHQS+p93sZ5xLVJlzqdDRk=
=RcgR
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Fund a TALOS Secure Workstation as coreboot build system

[Martin Roth]

Hey Merlin,
  I was taking and keeping track of the pledges for Talos, so I'd be
happy to continue.

Martin

On Wed, Jan 18, 2017 at 7:15 PM, Merlin Büge  wrote:
> Everyone,
>
>
>> We would like to see $20k USD from the community; we'll match (and
>> actually slightly exceed) that internally to get the port completed
>> and production qualified.  From what I understand this amount is very
>> close to what had been allocated originally for a Talos coreboot
>> build server; the BMC work would allow more KGPE-D16 systems to be
>> used to host pieces of coreboot worldwide.
>
>
> What do you think?
>
> It's not a Talos Workstation, of course, but it would still be a great
> step forward, having a performant board like the D8/D16 running fully
> libre soft- and firmware with a libre remote management option.
>
> It seems like the D16 might become a long runner for quite some
> people, maybe like the libreboot-compatible GM45 platforms (X200, T400,
> T500), so probably this work would be of great benefit!
>
>
> What do you think would be a good way to collect interest? The same way
> we were collecting pledges for a Talos build server?
>
> How could we make pledging for this easily accessible to non mailing
> list members? We could set up a very simple webpage for that, maybe
> with an email address people can write to if they are willing to
> financially support the BMC porting. Or just link to the mailing list
> thread?
>
> Is someone (who is more involved in the community than me) willing to
> coordinate gathering pledges, like taking them via email and keeping a
> list of them?
>
>
> Thank you,
>
>  Merlin
>
>
>
>
>
>>
>> As an added bonus, the BMC work would be directly applicable to the
>> KGPE-D16's little sister, the KCMA-D8.  The same (or slightly
>> modified) BMC firmware should work on both machines.
>>
>> Thanks!
>>
>> - --
>> Timothy Pearson
>> Raptor Engineering
>> +1 (415) 727-8645 (direct line)
>> +1 (512) 690-0200 (switchboard)
>> https://www.raptorengineering.com
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQEcBAEBAgAGBQJYfp1mAAoJEK+E3vEXDOFbLZgH/jS05CjmnfIB08X9YeR6qiPo
>> mZn1j0QkuEa8bIVQG6DCer405gywPJzaYd3zlahTPBjG2D8LM8F2YEp/KXvB+eId
>> kuV8SYqq2W9tTMrrCP4m/5wbfEhku1SpU8j0kEnCD14UCNjjEmd2eJ2ZK6rHJf9p
>> YvrGXyzPHBl3fNJaTEoLCGEzhEozX8M4rYdcKpLEbQZXWmJe9r94TXxMD5TIWlkZ
>> TPhUsVdrPLpEMmzDSa8EOB3lGx9bMTR+GplKpAHnKg0+ZbeerEePyBnd4rzTjRAj
>> Pk/iOvWWwdtYj1W5eIkCHtwsj4coyos1Pjq6opNfNlJQSbvKCZ3kH90TTV2Binc=
>> =CT6t
>> -END PGP SIGNATURE-
>
>
> --
> Merlin Büge 
>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] [Resend] Tapping into the core (33C3)

[Maxim Goryachy]

Hello Denis.

On Tue, 17 Jan 2017 11:11:38 +
Maxim Goryachy  
wrote:

[...]


If I understand correctly, when DCI is disabled in the flash
descriptor, such attacks are not possible and the computer is safe.

Unfortunately no, DCI can be activated through P2SB device at any
time.  We checked it on Skylake and Kabylake.


As I understand from the datasheet screenshot on the slides, the P2SB
device is a PCIe device, and to enable DCI you have to:
- Write to the DCI IO port. Under GNU/Linux you typically need to be
  root to write to IO ports (man 2 iopl).
- Write to to the P2SB SBREG BAR. Under GNU/Linux probably needs
  root too.

  I don't know well enough the datasheet of x86 chipsets to be able
  to tell if there are more ways to restrict that access than using the
  CPU's privileges rings. If there are such ways, it might be possible
  to make use of them with Coreboot.

Since I didn't understand what "PCH sideband interface" is, so I cannot
tell if the ways mentioned above (IO port and BAR) would be accessible
form other devices than the CPU, if it does, to have a secure laptop you
would need:
- Not to have the PCIe bus exposed on any external connector (no
  thunderbolt).
- Not to have any malicious PCIe device, or PCIe device that can be
  abused to write to the register of the P2SB device by either
  malicious hardware or non-privileged code. I wonder if protecting
  against such attacks is even possible if we use modern GPUs.

So to summarize:
---
If DCI is disabled on the flash descriptor:
- On skylake hardware, if you have root, you can, with a simple USB3
  cable you can:
  - (1) Execute code in kernel mode.
  - (2) Execute code in hypervisor mode.
  - (3) Execute code in SMM.
- An attacker that is sitting in front of your laptop[1][2] can't
  magically take control of your computer by plugging an USB device in
  it. The attacker first needs to enable DCI, and that requires root
  privileges under GNU/Linux (for access to the IO space or to the
  PCI BARs address space).

So if an attacker need both root and physical access to be able to do
some privilege escalation, it shouldn't be a big issue.

An attacker then might try to do remote privilege escalation, for
instance by:
- Programming that USB device with kernel privileges to send DCI
  commands.
- Programming any USB device on the same bus to send DCI commands
- Programming any nearby devices to do spoofing and send DCI commands.

However, as far as I understand:
- There are other ways than SMM to protect the boot flash and prevent
  the OS from reflashing it. I'd guess that if the boot firmware is
  written correctly, and that there are no huge hardware flaws, such
  ways are reliable, but I don't know everything.
  One way would be, to ask the flash chip to do it, that is to prevent
  writing until the next reboot.
  There are patches for flashrom to support such features.
  It is also possible to add support for theses in Coreboot.
- Practical virtual machine escape is not possible that way either,
  because you need either access to the PCIe bus or the P2SB PCIe
  device, and users, distribution maintainers and virtual machine
  providers typically won't export the P2SB PCIe device in a virtual
  machine, right?


You are partially right. But on my target system DCI setting saves after
shutdown or reboot (Documentation says that this setting is
stored in th CMOS). And I see fellow:
1. Attacker switch on DCI through P2SB (boot disk or UEFi-shell
for example);
2. Unlock IA32_DEBUG_INTERFACE (via resetbreak for example);
2. Attacker can  take control of you computer by plugging
an USB device in it.

But your right, you need have root permission for enable DCI. After that
you can rewrite BIOS bypassing all security checks.

In my opinion, this technique more useful for research and debug.




Some questions:
- Can the debug port be used as an usb device controller?

Sorry? I don't understand the question.


"USB devices controller" are called by many different names, so it
doesn't help clarity, so I'll rephrase.
Can the USB debug port be used as an USB OTG port, like on
Android smartphones, where you can make the smartphone appear as a mass
storage device, serial port, Ethernet card and so on.

References:
---
[1] Here I assume that the attacker has no way to disassemble the
laptop without being noticed.
[2] The laptop could be on, off, or in suspend-to-ram.
If the laptop is on or suspended, the attacker might have better
chances trying to bypass the screensaver for instance.

Denis.



-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

[coreboot] Warning: changed location of EC nvram settings on thinkpad X60 and T60

[Arthur Heymans]

Hi

EC nvram parameters on Lenovo thinkpad X60 and T60, which allow to
configure things like wlan, bluetooth, trackpoint, etc are not
checksummed. This means that defaults for these parameters are never
applied when the checksum is invalid, which happens for instance when
cmos is cleared or when coming from vendor bios.

This patch 
https://review.coreboot.org/#/c/17041/
puts these parameters in the checksummed area to overcome this issue.

A problem with this is that the checksum is most likely already valid so
that after this patch these nvram parameters will be at whatever the
nvram currently is at these locations.

To overcome this issue either:
- have coreboot set defaults on next boot by making checksum invalid:
"nvramtool -c 0" where 0 is a checksum which is hopefully not correct
- reboot and manually set your desired nvram settings
"nvramtool -w wlan=Enable, nvramtool -w bluetooth=Enable, etc"

Kind regards

--
Arthur Heymans

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

[coreboot] x200s' nvram will reset to default value if last boot is a normal boot of debian.

[Persmule]

Hi all,

I recently built and flashed a coreboot image to my thinkpad x200s, with
an IFD generated by libreboot's ich9gen. After flashing, everything
seems okay, but if I let the Debian GNU/Linux installed on that machine
finish its booting, all the reasonable value inside NVRAM will be reset
to default during next boot (detected via nvrancui), whether I shut it
down properly or cut its power violently.

I have done several tests, whose result is listed below:

Boot mode
NVRAM reset?
payload (reboot immediately)no
parted magic
no
trisquel live
no
kali live
no
Debian recovery mode (reboot immediately)
no
Debian installer
no
Debian normal boot (with or without display manager)
yes
Debian recovery mode (finish recovery and continue booting)
yes
Debian normal boot with kernel of Debian installer  yes


If I modify those value with nvramtool and reboot, they will be reset to
default. If I zero the nvram region in a normal booted Debian by running
"# nvramtool -B /dev/zero" and reboot, the content of NVRAM will keep
all zero, and will reset during next reboot.

Now in order to keep using my preferred value, I may have to write those
value to cmos.default, enable STATIC_OPTION_TABLE, and then build them
into the image.

The problem should be inside the Debian user land. Do you guys have any
clue how to locate it?

Best regards,

Persmule


# This image was built using coreboot 4.5-843-g404f8ef420
CONFIG_CCACHE=y
CONFIG_USE_OPTION_TABLE=y
CONFIG_COLLECT_TIMESTAMPS=y
CONFIG_BOOTBLOCK_NORMAL=y
CONFIG_VENDOR_LENOVO=y
CONFIG_CBFS_SIZE=0x7fd000
CONFIG_HAVE_IFD_BIN=y
CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y
CONFIG_CONSOLE_POST=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_BOARD_LENOVO_X200=y
CONFIG_USBDEBUG=y
CONFIG_UART_PCI_ADDR=0
CONFIG_CPU_MICROCODE_CBFS_NONE=y
CONFIG_ON_DEVICE_ROM_LOAD=y
CONFIG_FRAMEBUFFER_KEEP_VESA_MODE=y
CONFIG_USBDEBUG_DEFAULT_PORT=1
CONFIG_USBDEBUG_DONGLE_FTDI_FT232H=y
# CONFIG_DRIVERS_INTEL_WIFI is not set
CONFIG_CONSOLE_USB=y
CONFIG_PXE=y
CONFIG_BUILD_IPXE=y
CONFIG_PXE_ROM_ID="8086,10f5"
CONFIG_COREINFO_SECONDARY_PAYLOAD=y
CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
CONFIG_NVRAMCUI_SECONDARY_PAYLOAD=y
CONFIG_TINT_SECONDARY_PAYLOAD=y
CONFIG_DEBUG_CBFS=y
CONFIG_DEBUG_RAM_SETUP=y
CONFIG_DEBUG_SMI=y
CONFIG_DEBUG_MALLOC=y
CONFIG_DEBUG_ACPI=y
CONFIG_DEBUG_USBDEBUG=y
USB


coreboot-4.5-843-g404f8ef420 Tue Jan 17 17:46:25 UTC 2017 romstage starting...
running main(bist = 0)
Stepping B3
2 CPU cores
AMT enabled
capable of DDR2 of 800 MHz or lower
VT-d enabled
GMCH: GS45, using high-power mode
TXT enabled
Render frequency: 533 MHz
IGD enabled
PCIe-to-GMCH enabled
GMCH supports DDR3 with 1067 MT or less
GMCH supports FSB with up to 1067 MHz
SMBus controller enabled.
0:50:b
2:51:b
DDR mask 5, DDR 3
Bank 0 populated:
 Raw card type:F
 Row addr bits:   15
 Col addr bits:   10
 byte width:   1
 page size: 1024
 banks:8
 ranks:2
 tAAmin:105
 tCKmin: 15
  Max clock: 533 MHz
 CAS:   0x01e0
Bank 1 populated:
 Raw card type:F
 Row addr bits:   15
 Col addr bits:   10
 byte width:   1
 page size: 1024
 banks:8
 ranks:2
 tAAmin:105
 tCKmin: 15
  Max clock: 533 MHz
 CAS:   0x01e0
Trying CAS 7, tCK 15.
Found compatible clock / CAS pair: 533 / 7.
Timing values:
 tCLK:   15
 tRAS:   20
 tRP: 7
 tRCD:7
 tRFC:  104
 tWR: 8
 tRD:11
 tRRD:4
 tFAW:   20
 tWL: 6
Setting IGD memory frequencies for VCO #1.
Memory configured in dual-channel assymetric mode.
Memory map:
TOM   =   512MB
TOLUD =   512MB
TOUUD =   512MB
REMAP:	 base  = 65535MB
	 limit = 0MB
usedMEsize: 0MB
Performing Jedec initialization at address 0x.
Performing Jedec initialization at address 0x0800.
Performing Jedec initialization at address 0x1000.
Performing Jedec initialization at address 0x1800.
Final timings for group 0 on channel 0: 6.1.0.2.1
Final timings for group 1 on channel 0: 6.0.2.6.6
Final timings for group 2 on channel 0: 6.1.2.0.7
Final timings for group 3 on channel 0: 6.1.0.6.6
Final timings for group 0 on channel 1: 6.0.2.7.7
Final timings for group 1 on channel 1: 6.0.2.2.4
Final timings for group 2 on channel 1: 6.1.0.6.7
Final timings for group 3 on channel 1: 6.1.0.4.5
Lower bound for byte lane 0 on channel 0: 0.0
Upper bound for byte lane 0 on channel 0: 10.7
Final timings for byte lane 0 on channel 0: 5.3
Lower bound for byte lane 1 on channel 0: 0.0
Upper bound for byte lane 1 on channel 0: 10.5
Final timings for byte lane 1 on channel 0: 5.2
Lower bound for byte lane 2 on channel 0: 0.0
Upper bound for byte lane 2 on channel 0: 9.5
Final timings for byte lane 2 on channel 0: 4.6
Lower bound for byte lane 3 on channel 0: 0.0
Upper bound for byte lane 3 on channel 0: 8.7
Final timings for byte lane 3 on channel 0: 4.3
Lower bound for byte lane 4 on channel 0: 0.0
Upper bound for byte lane 4 on channel 0: 8.7
Final timings for byte lane 4 on channel 0: