Lenovo G505S Coreboot


Asterysk

Jan 18, 2017, 6:34:29 AM
to qubes-users
>First of all we need to make sure that you are prepared for flashing. coreboot image cannot be flashed internally on Lenovo G505S through a purely software way (I tried with internal:laptop=force_I_want_a_brick flashrom option, it always fails, can't do that!).

>To install a coreboot, you will have to:
>1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 test clip
>2) tear down your laptop to access the motherboard
>3) take SOIC-8 test clip and attach its wires to USB flasher that is supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS chip with 8 legs, then plug USB flasher device to another computer with Linux (while it is still connected to G505S motherboard through wires and SOIC-8 test clip)
>4) using flashrom, make a dump of your existing BIOS just in case, then flash a new coreboot image with verification
>5) assemble your laptop in reverse order.
>That is exactly how computer repair shops are repairing laptops with failed BIOS updates, and are earning pretty good money on it

>Here is a hardware flashing manual - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .

Everything is described in great detail here: complete list of tools and where you could buy them (need to spend from $0 to $30, depends on what tools you already have), how to connect these tools properly, a lot of helpful photos - for example, photo of G505S motherboard, so you could easily see where that BIOS chip with 8 legs is located, don't need to spend time reading the motherboard chip labels. While this instruction mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher are exactly the same - only a flashrom command is different (could see this command at the end of page)

My current coreboot build is from December 2016 - it is not the latest, but still pretty recent, so I am not going to rebuild it from scratch yet. Still, there is one component inside BIOS image that could be easily updated: KolibriOS, tiny wonderful open source operating system that fits on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no changes to your computer saved). After you tell that you are prepared for hardware BIOS flashing, I will take KolibriOS latest daily build, add it to ROM and send a complete coreboot BIOS ROM to you

Please reply if you have any questions

Best regards,
qmastery
-----------------------------------------------

Is it possible to also reflash the USB firmware at the same time in case it has been tampered by Bad USB ?

qmast...@gmail.com

Jan 18, 2017, 9:12:31 AM
to qubes-users
On Wednesday, January 18, 2017 at 14:34:29 UTC+3, Asterysk wrote:
Asterysk, what do you mean by "reflash the USB firmware"? USB firmware of G505S laptop? On Lenovo G505S platform, USB ports seem to be directly connected to Bolton-M3 Fusion Controller Hub FCH ("southbridge"), according to LA-A091P datasheet - https://justnote.by/assets/files/sch/Compal%20LA-A091P%20r1.0.pdf . There is a Bolton-M3 AMD datasheet for BIOS developers - http://support.amd.com/TechDocs/51205_Bolton_FCH_BIOS_Dev_Guide.pdf , but I can't understand if Bolton-M3 has any personal built-in memory which is possible to rewrite (and infect!), or it only maps the attached stuff to its memory map like LPC and PCI roms... Please help me to clarify!

If we talk about the RAM of Bolton-M3 : computer's BIOS, while booting, could install XHCI blob to this RAM to enable USB 3.0. I hate closed source blobs with a passion, so - while building a coreboot - I chose not to include USB 3.0 XHCI blob ; so it is most likely that my laptop's "USB 3.0" blue ports are working only on USB 2.0 speed. That USB speed downgrade is the only downside of my open source build vs the official BIOS

If we will look from a side of BadUSB flash drive, behind Bolton-M3 there are some USB devices like Card Reader and Web Camera. They have their personal USB controllers. So, even if Bolton-M3 does not have a personal possible-to-write memory, maybe a BadUSB device with super sophisticated firmware targeting this FCH could somehow hack Bolton-M3 FCH and force it to send the commands to reprogram the USB controllers of connected internal USB devices. To successfully perform this attack the attacker will need to learn a lot of HUGE datasheets! For example, here are two datasheets about Bolton-M3 registers - http://support.amd.com/TechDocs/51191_Bolton_FCH_RPR.pdf , http://support.amd.com/TechDocs/51192_Bolton_FCH_RRG.pdf , 750 pages in total! And that is not talking about other Bolton-M3 datasheets, the datasheets of USB controllers which need to be hacked, and lots of other stuff too... Perhaps only N$A can do that - if they care enough, they are welcome to waste a few million $$$ to develop this hack XD That is, if they can't find a more simple to exploit vulnerability like a vulnerability of your software (such as web browser) or a network controller to infect its ROM directly

At the moment, I know about and could read/write two firmwares on this laptop:
1) BIOS firmware of 4MB size - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
closed source BIOS could be replaced by (almost) open source coreboot ("almost" - because e.g. there is a vga blob of 61952 bytes size with closed source code, but coreboot's YABEL feature blocks this blob from a possible undocumented access to other PCI devices, making it harmless)
2) EC firmware of 128KB size - http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate - sadly this closed source firmware doesn't have an open source alternative for replacement, but at least you could read/write it, which is useful! For example: there is a lot of free space at KB9012 128KB memory and, by default, KB9012 stores various personal identifying information like serial numbers near the end of unoccupied memory ; so, I extracted a clean KB9012 firmware from Lenovo's BIOS update and flashed it to my KB9012, so now it's completely clean... By the way, there is a project to create open source replacement firmware for KB9012 , called Origami EC ( http://git.code.paulk.fr/gitweb/?p=origami-ec.git;a=summary ) already some small demonstrating code is there, but it seems there is not enough common interest in this project...

Please write if you have more questions to discuss

Asterysk

Jan 18, 2017, 11:44:03 AM
to qubes-users
With regard to the Bolton-M3 Fusion Controller Hub FCH ("southbridge"), I think the attack would be to the SPI ROM.
There is also the SMM and of course SSD/HDD firmware plus Webcam plus Audio Controller (reprogramming to make output an input and turn speaker into microphone).

I'm not sure if Coreboot overwrites the UEFI as well as legacy BIOS.

I've only recently started researching this so a long way to go

qmast...@gmail.com

Jan 18, 2017, 3:32:16 PM
to qubes-users
On Wednesday, January 18, 2017 at 19:44:03 UTC+3, Asterysk wrote:
SPI ROM - is it SPI flash chip of 4MB size which contains BIOS, or something else? What do you think?

Interesting idea about turning speaker into microphone, did not know these devices have a similar structure... but from the online tutorials - looks like it requires a hardware modification. BTW on this laptop both microphone and speaker are controlled by the same Conexant chip (according to the datasheet), so there are no reasons to try using the (removable) speaker when you could use internal microphone (which is soldered to motherboard, but could be desoldered or damaged intentionally by you). Also this Conexant is attached through PCI, not through USB, if that matters

I don't think that Evil Maid attacker will bother developing a custom BadUSB for this laptop, when he could just clone a coreboot project, add malware code to it, build a malicious BIOS image and flash it to your laptop when you aren't at home. It takes about 1 hour to tear down a laptop, attach a hardware flasher to its BIOS chip, read a BIOS image, calculate its checksum to make sure that it has not been altered by any malware since the last time of your flashing, and then assemble a laptop back in reverse order. Or maybe faster than 1 hour after you have done it many times. Some coreboot people remove a piece of plastic from laptop's bottom (either by drilling it, or using a gas lighter to heat a knife to slice through plastic) - to make it possible to access BIOS chip in a matter of seconds... but of course this increases "Evil Maid" security risk, would be much faster for attacker to quickly come, infect your BIOS and go away unnoticed

coreboot is a complete replacement of original closed source InsydeH2O UEFI/BIOS. When I install coreboot using a hardware flasher, I erase the whole BIOS chip with 0xFFFFFFFF, then overwrite it completely with my own (almost) open source BIOS image - which contains coreboot, (small vga blob) and coreboot's payloads. No traces of original BIOS image, it is 100% replaced ;)

Tai...@gmx.com

Jan 18, 2017, 6:04:32 PM
to qmast...@gmail.com, qubes-users
As always physical access is a checkmate situation, you need to not be
an idiot and don't leave your stuff in overseas hotel rooms or not have
secure locks on your door.

Asterysk

Jan 18, 2017, 11:08:46 PM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com

Unless USB port seals (e.g. http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as soon as the laptop is removed from the manufacturer's box it is impossible to know whether someone has installed a device that has in turn infected firmware. A similar situation for any DMA access ports (Thunderbolt etc)

I'm interested in being able to take a possibly infected laptop (i.e. infected with firmware malware) and reset it to a known safe starting point. Coreboot seems to handle the BIOS (thank you for clarification that it completely rewrites legacy and UEFI). Replacing the HD with a new SSD should handle that firmware attack vector. That leaves the other EEPROMS.

I figure, if I'm going to strip down my G505S to reflash with Coreboot, I should see what other EEPROMs I can reflash.

Apart from the obvious RAM and SSD upgrade and possibly putting switches on peripherals, are there any other hardware mods you can suggest for the G505S?

Having sorted out the hardware, I am then going to be looking to use Qubes to protect against any attempts to reflash through Malware and after that's done, I'll be looking for ways to detect that any attack is being attempted.

All in all I think I've got about a year's work ahead !

qmast...@gmail.com

Jan 19, 2017, 4:16:12 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, January 19, 2017 at 7:08:46 UTC+3, Asterysk wrote:
To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (don't confuse with LA-9901P), see its google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them ; or maybe get a flex cable with the same number of pins / same pitch between them , find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip). Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php )

Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for very cheap price, and do that. This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below why)

Maybe don't need to seal the USB ports yet: it not only seriously reduces the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard. You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one

Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although don't know if it is worth it, because some really great external USB coolers are available - https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html

qmast...@gmail.com

Jan 19, 2017, 8:28:12 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, January 19, 2017 at 12:16:12 UTC+3, qmast...@gmail.com wrote:
Please read a message above... If we are talking about the motherboard, main board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's internal memory, I am not aware of any other "EEPROMs" on this board which could be reflashed and how to reflash them. Well, there is probably a CMOS memory somewhere, but I don't know where it is located and don't know how to access (nvramcui payload gives an opportunity to change some values, but doesn't have a feature to show the full dump). If you could notice new memories, or know how to read/write CMOS memory and where it's located, please tell !

Full summary of what I did to my G505S to this moment:

1) Erase a BIOS chip and flash it with coreboot - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . For a BIOS image you could either:

*) build your own - it will be slightly newer, but without some goodies like KolibriOS and FILO bootloader, plus some of my small improvements like a newer version of tetris TINT payload (fixes two buffer overflows), enabled USB keyboard for some payloads, and (probably??) improved discrete GPU handling? <--- rarely play computer games, so didn't have a chance to test yet, so can't notice the difference

*) get my BIOS image from here, from an archive attached to forum post (SHA1 checksums provided in post) - http://board.kolibrios.org/viewtopic.php?t=3446 , could use google translate. Everything that I did while building a coreboot, all the modifications to coreboot's source code, all the steps are completely described in great detail under spoilers. Sorry for that inconvenience, honestly I tried to commit my changes to coreboot - tried to contribute and also to avoid the need of manual work the next time I clone the latest version of their official repository -- but it is so hard to get your commit accepted, and gerrit is very inconvenient, I tried several times and no luck, only wasted a lot of time! Proof of my painful experiences - https://review.coreboot.org/#/c/17439/ , https://review.coreboot.org/#/c/17505/ , https://review.coreboot.org/#/c/17506/ , https://review.coreboot.org/#/c/17507/

Small advantage of my build is that (almost) all the parts of it have been done on this laptop with open source BIOS and under free-as-in-freedom Trisquel GNU/Linux OS (the only part which was done on another computer is a FILO bootloader, it failed to compile under Trisquel x86_64 OS , so I had to use my old laptop with Xubuntu 16.04.1 i386 - by the way its 10 years old BIOS contains a Computrace tracking malware - https://www.absolute.com/en/about/persistence - although it has never been activated on this old laptop and in any case doesn't work with Linux, if you are more worried than me - this coreboot archive also contains a version without FILO)

If you choose to flash my coreboot build, please tell when you have prepared all the necessary tools for flashing, I can quickly put the latest KolibriOS daily build to coreboot BIOS image and share it with you. KolibriOS has lots of great features, also could create RamDisks and manage them, beautiful!

2) Erase KB9012 internal memory and flash it with a "clean" KB9012 firmware, without serial numbers and other personally identifying info - http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate . Where I got this "clean" KB9012 firmware? Extracted it from the latest 3.0 BIOS update by Lenovo - open their WinVALGC300.bin in hex editor, found $_IFLASH_EC_IMG_ near 424020 Hex offset, then - starting with 424020 Hex offset, cut 128KB (131072 bytes) into a new file - that is EC firmware now. You could either repeat it all by yourself, or download a clean image from here - https://www.datafilehost.com/d/d9e9758c (SHA1 should be = 56c0bc9e89bc95ae0195caaf32b32f2abefc9d9e), unselect "download with secure manager" (if you see it) below a grey Download button before clicking

3) Replace pre-installed Broadcom wifi adapter (which requires proprietary closed source drivers) with Atheros AR9462 which has open source drivers, 2.4GHz, 5.0GHz and Bluetooth - costs less than $10 at AliExpress or eBay. The only downside is that it becomes slightly more difficult to connect the antenna wires to this card, because of that additional metal rectangular (will need to spend a couple of minutes to carefully align the wires to fit them properly)

4) Replace pre-installed thermal paste (which is similar to a tooth paste XD) with Gelid GC-Extreme <--- probably the greatest non conductive thermal paste, and almost as good as liquid metal from those comparison tables I've seen online

5) Install 16 GB of 1600MHz SODIMM DDR3 (or DDR3L 1.35V low voltage) RAM with low quick timings for the best Qubes experience - should be CL9 timings; avoid CL11 because it sucks (1600MHz of CL11 is almost the same as 1333MHz CL9) . Costs about $100 but you better get this RAM upgrade as soon as possible: the supplies of these "gamer's DDR3 laptop RAM" are running out while the manufacturers are switching their high end offers to DDR4, and after some time you will not be able to find 16GB RAM upgrade with good frequency/timings (I am sure because the same stuff happened to DDR2)

From 1600MHz CL9 SO-DIMMs, I think there are three possible cases of CL9 timings: 9-9-9-24 Crucial Ballistix Sport, Patriot Viper, Corsair Vengeance (failed memtest so returned, maybe Corsair has a higher failure rate) ; 9-9-9-27 Kingston HyperX ; 9-9-9-28 G.SKILL Ripjaws . It is the best if you get those with 9-9-9-24, but could be difficult because Kingston flooded a market with their 9-9-9-27 which cost slightly cheaper but also slightly slower. G.SKILL is the worst, don't know why these guys From all these, Patriot Viper is probably the best because it has two aluminium heatspreaders , while Crucial Ballistix Sport - only one heatspreader, and I think that Kingston just using "aluminium stickers" not a real heatspreader. BTW any of those heatspreaders are quite thin (maybe extra 1mm) , so no installation problems

P.S. also keep in mind that after Qubes 3.2 installation you will need to repair MBR because it's corrupted out-of-the-box (probably everyone is using UEFI computers with Qubes, and nobody has noticed this bug) - more information here https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ
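
The carve-and-check step from item 2 of the summary above, as a POSIX shell script; the same digest check applies to a BIOS dump read back with a hardware flasher, as discussed earlier in the thread. This is an added example, not code from the thread: the function names and the output name ec_clean.bin are assumptions, while the file name, marker, offset, length and SHA-1 in the closing comment are the values quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): carve a fixed region out of a vendor
# update file and accept it only if its SHA-1 matches a published value.
export LC_ALL=C   # treat file contents as raw bytes

# sha1_of FILE: print the lowercase hex SHA-1 of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/^.*= *//'
    fi
}

# find_marker FILE STRING: print the byte offset of every occurrence of
# STRING, one per line, to confirm where the marker sits in your copy.
# Uses the -a/-b/-o options of GNU and BSD grep.
find_marker() {
    grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# carve_region IN OFFSET LENGTH OUT: copy LENGTH bytes starting at OFFSET
# (decimal or 0x-prefixed hex). Refuses a region that runs past the end of
# IN, so a truncated download cannot produce a short image.
carve_region() {
    [ -r "$1" ] || { echo "carve_region: cannot read $1" >&2; return 1; }
    cr_off=$(($2)); cr_len=$(($3))
    cr_size=$(($(wc -c < "$1")))
    if [ $((cr_off + cr_len)) -gt "$cr_size" ]; then
        echo "carve_region: region ends past end of $1" >&2
        return 1
    fi
    tail -c +"$((cr_off + 1))" "$1" | head -c "$cr_len" > "$4"
}

# verify_sha1 FILE EXPECTED: succeed only on an exact digest match.
verify_sha1() {
    [ "$(sha1_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# extract_verified IN OFFSET LENGTH EXPECTED OUT: carve, then verify. A
# mismatching output file is deleted so it cannot be flashed by accident.
extract_verified() {
    carve_region "$1" "$2" "$3" "$5" || return 1
    if verify_sha1 "$5" "$4"; then
        echo "OK: $5 matches $4"
    else
        echo "MISMATCH: $5 has SHA-1 $(sha1_of "$5")" >&2
        rm -f "$5"
        return 1
    fi
}

# With the values quoted in the post this would be:
#   find_marker WinVALGC300.bin '$_IFLASH_EC_IMG_'
#   extract_verified WinVALGC300.bin 0x424020 131072 \
#       56c0bc9e89bc95ae0195caaf32b32f2abefc9d9e ec_clean.bin
# Run as a script with exactly those five arguments:
if [ "$#" -eq 5 ]; then
    extract_verified "$@"
fi
```
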

Asterysk

Jan 19, 2017, 9:17:59 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
"1) Erase a BIOS chip and flash it with coreboot http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "

Did you buy the necessary components from AliExpress as linked in the article ? They are saying a couple of months delivery time !!

Asterysk

Jan 19, 2017, 10:13:44 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, 19 January 2017 18:17:59 UTC+4, Asterysk wrote:
> "1) Erase a BIOS chip and flash it with coreboot http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "
>
> Did you buy the necessary components from AliExpress as linked in the article ? They are saying a couple of months delivery time !!

All components now ordered, most from Ali Express but a couple from USA. I should hopefully be good to start in about a month

Asterysk

Jan 19, 2017, 10:31:35 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
Everything ordered, managed to get the Patriot Viper and Atheros Wifi on Amazon at reasonable prices. The rest is Aliexpress and with shipping came to $92 (I typically went for the higher end options described in the PDF).

I will pop an SSD in the G505S and install Qubes, thanks for the link about MBR issue. Probably next week if I get a chance. The Coreboot flash will have to be late February but I am definitely going to do it. I've been brushing up on my Assembler so it's a good project from that perspective. What I would like to do is modify Coreboot so that I can set a canary for the boot, something that probes a switch during boot and if the switch isn't pressed it toggles one of the LEDs, that way I know if someone else has booted it. I am favouring Bad USB protection over Anti Evil Maid so having this canary would maybe give me both.

qmast...@gmail.com

Jan 19, 2017, 11:07:22 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, January 19, 2017 at 18:31:35 UTC+3, Asterysk wrote:
I think that you will not encounter MBR issue if you are using closed source "official" UEFI BIOS - because it is UEFI and so your Qubes should install GPT instead of MBR. But you could have other problems: e.g. I don't know if IOMMU is enabled in "official" BIOS - even if it is enabled, its implementation might be incorrect... Also last time I remember - "official" BIOS works badly with Linux, could not even install Ubuntu to this laptop until I made empty 1GB at the beginning of hard drive and changed boot order

Yes, I order everything from AliExpress because:
1) want to save up as much as possible and AliExpress usually has the lowest prices (partially because higher supply, partially because no Paypal extra fees included, partially because Chinese government subsidizes their shipping so they could sell some items for $0.5 with free international shipping and still manage to earn some profit)
2) no Paypal - there are many reasons to hate it, but here is an additional: it wants to share the list of person's purchases with a government, e.g. in my country it started to ask government ID of customers, and accounts which didn't provide it - were blocked and all funds are frozen
3) AliExpress has a better customers protection than eBay/Paypal, also at eBay purchases you can open a dispute only during 45 days since the order, while at AliExpress you could ask the seller to extend the order's protection as much as you want

For me the shipping is about 1 month on average, maybe much faster for you if your country has a good logistics, but here is a problem - there will be a Chinese New Year big holidays soon, some packages which would not be quick enough to leave a country before 28th January could be stuck there for a while. That's probably why they are showing this long delivery time

What is a CPU in your G505S? E.g. if it is A8, you could upgrade it to A10-5750M, just search for "5750M" at AliExpress (just make sure to look at the photo, because some sellers put 5750M in title while another CPU is displayed. Everywhere should be 5750M, both on photo and in description). 1 week ago it cost $55, now it costs $61 cheapest price, but I think they will eventually decrease their price because A10 of previous generation could be found for $40, so maybe in a couple of years I will order a spare CPU ;)

qmast...@gmail.com

Jan 19, 2017, 11:25:33 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, January 19, 2017 at 17:17:59 UTC+3, Asterysk wrote:
> "1) Erase a BIOS chip and flash it with coreboot http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "
>
> Did you buy the necessary components from AliExpress as linked in the article ?

Yes, the same components, but not necessarily from the same links, because the prices are always changing... I copy each item's name and search which seller has a cheapest price for it, and check if a seller has at least 80% rating (if it's a rare hard to find item) or 90-95% at least if it's a common item

For example: Compal POST cards became cheaper since the last update of this table, you could read more about it here - http://dangerousprototypes.com/docs/Compal_POST_diagnostic_card , could be a useful stuff! (but some people complain that they got card which shows only 00 code because of bad card soldering <-- a seller might argue that a problem is your motherboard, so if you got a faulty card, will need to produce a convincing proof to win a dispute and get full refund)

Don't forget about some parts from http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate#Total_expenses if you plan to flash a clean KB9012 image you will need absolutely a "keyboard" flex cable. By the way: laptop's leds (power led and charging led) are controlled by EC, I don't know if you could change their function from BIOS (probably not, if EC is refreshing their state constantly your results will not be visible)

Asterysk

Jan 19, 2017, 11:58:03 AM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
>Don't forget about some parts from http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate#Total_expenses if you plan to flash a clean KB9012 image you will need absolutely a "keyboard" flex cable. By the way: laptop's leds (power led and charging led) are controlled by EC, I don't know if you could change their function from BIOS (probably not, if EC is refreshing their state constantly your results will not be visible)

Thanks for the heads-up, I've just updated my AliExpress order accordingly


qmast...@gmail.com

Jan 19, 2017, 2:26:41 PM
to qubes-users, qmast...@gmail.com, Tai...@gmx.com
On Thursday, January 19, 2017 at 19:58:03 UTC+3, Asterysk wrote:
> >Don't forget about some parts from http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate#Total_expenses if you plan to flash a clean KB9012 image you will need absolutely a "keyboard" flex cable. By the way: laptop's leds (power led and charging led) are controlled by EC, I don't know if you could change their function from BIOS (probably not, if EC is refreshing their state constantly your results will not be visible)
>
> Thanks for the heads-up, I've just updated my AliExpress order accordingly

OK. forgot to tell: in addition to CPU (if you don't have A10 5750M) and other stuff, it is possible to:

1) upgrade a power adapter from 65W to 90W - https://www.aliexpress.com/item/Rectangle-20V-4-5A-90W-AC-Adapter-Charger-Power-Supply-For-Lenovo-IdeaPad-Thinkpad-IBM-B490/32435938795.html (3 prong power cord is not included, could get it separately or borrow from 65W adapter). Although I am not sure if this will allow to faster charge a battery, at least - even if laptop would not consume more than 65W, if adapter is rated 90W it could provide those 65W more reliably and serve longer than a default Lenovo's adapter

2) upgrade G505S battery from 4 cells to 8 cells - almost double a battery life, https://www.aliexpress.com/item/Wholesale-New-8cells-Laptop-Battery-For-deaPad-G400s-G405s-G410S-S410p-G500s-G505S-Series-L12S4E01-L12L4A02/32372822478.html - search for "g505s 8cells"

3) also, while not related - the only USB 3 flash drive which I know that has a hardware write protection physical switch , https://www.aliexpress.com/item/Netac-U335-USB-3-0-Hardware-Write-Protection-Flash-Drive/32250142250.html <--- initially I got it for making a secure Qubes installation drive, but sadly, if I enable write protection switch, coreboot BIOS can't see this drive ; could see only if I disable it... will research more about this problem when I have time; meanwhile went back to optical disks :P

P.S. what sucks about aliexpress is that some high end products like laptop "gamer's RAM" cannot be found there, and all these Chinese SSDs are not reliable (using the cheapest components). Also just in case, video tape while unpacking the packages, so that if something goes wrong (e.g. some cunning seller sent 9 items instead of 10, hoping that you don't notice) you could easily win a dispute in your favor

Blooorp

Dec 25, 2017, 7:35:50 AM
to qubes-users
Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?

Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

Basically, I built it with the extracted vgabios binary from the stock rom, flashed it with Bus Pirate and tried to start the laptop.
The screen would not turn on, at all.

Thanks in advance :)

awokd

Dec 25, 2017, 8:39:45 AM
to Blooorp, qubes-users
On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> Hey, I'm having some heavy trouble getting coreboot on my G505s, could
> you take a look at how I did it to see if you spot any difference
> compared to how you did it?
>
> Here is how I built, flashed and tested it :
> https://ghostbin.com/paste/wprhk

They seem to block Tor users. I can take a look if you put it on
pastebin.com for example.


Blooorp

Dec 25, 2017, 8:47:36 AM
to qubes-users
Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
Full make output https://pastebin.com/nAPbNjJG

If you need any more information, just ask me, I don't know exactly what may be relevant to pinpoint my issue but I really want to get it done :)

awokd

Dec 25, 2017, 9:11:51 AM
to Blooorp, qubes-users
On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> On Monday, December 25, 2017 at 14:39:45 UTC+1, awokd wrote:
>
>> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>>
>>> Hey, I'm having some heavy trouble getting coreboot on my G505s,
>>> could you take a look at how I did it to see if you spot any
>>> difference compared to how you did it?
>>>
>>> Here is how I built, flashed and tested it :
>>> https://ghostbin.com/paste/wprhk
>>>
>>
>> They seem to block Tor users. I can take a look if you put it on
>> pastebin.com for example.
>
> Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
> Full make output https://pastebin.com/nAPbNjJG

I think you are very close to having it working, probably only the video.

Try the following options in your menuconfig:
General/Use CMOS for configuration values
General/Allow use of binary-only repository
Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
Payload/SeaBIOS 1.11.0

And to keep this on topic for the Qubes Users mailing list, if you plan on
running Qubes 4.0 on there, you'll also want this Coreboot patch currently
waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .


Blooorp

Dec 25, 2017, 9:24:04 AM
to qubes-users
I do plan on running Qubes 4.0, how do I actually patch coreboot before the build?

awokd

Dec 25, 2017, 9:39:33 AM
to Blooorp, qubes-users
See the changes I made in that link to those two files, and copy and paste
them into your own source files manually. If you don't trust the blob I
provided (and you shouldn't!) perform the following steps to verify it:

Executing the following on a Debian Stretch install:
dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
xxd -i amd.bin
Then copying and pasting.

Executing these steps against
coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
provides identical results.



awokd

Dec 25, 2017, 9:50:33 AM
to aw...@danwin1210.me, Blooorp, qubes-users
Forgot to add, you should also include nvramcui as a secondary payload to
let you change CMOS options.


Blooorp

Dec 25, 2017, 10:07:53 AM
to qubes-users
make: *** No rule to make target 'vgabios.bin', needed by 'build/coreboot.pre'. Stop.

Looks like it didn't work, should I put the location and ID of the one I extracted from the stock bios?

awokd

Dec 25, 2017, 10:27:11 AM
to Blooorp, qubes-users
On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
>
> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> auto-populate) "
>
> make: *** No rule to make target 'vgabios.bin', needed by
> 'build/coreboot.pre'. Stop.
>
>
> Looks like it didn't work, should I put the location and ID of the one I
> extracted from the stock bios?

I think I copied mine to the top level coreboot folder as "vgabios.bin"
and let it find it there.

Email me directly if it's still not working and I can help, we're off
topic from qubes-users now...


Blooorp

Dec 25, 2017, 12:16:15 PM
to qubes-users
Everything works now, my mistake was using the wrong vgabios.bin, the stock bios contains the ones for each version of the laptop but I didn't know that so I took the first that I found, with device ID 6663.
The one I then searched for and that worked, thanks to awokd, was with device ID 990b, appropriate for the G505s with integrated graphics and not discrete card.

Tai...@gmx.com

Dec 25, 2017, 6:05:28 PM
to Blooorp, qubes-users
Don't forget about that microcode update - it is mandatory both for
security and IOMMU.

Use the patch that awokd made, a true service to the community - the
Lenovo G505s is now properly working and is the best laptop for Qubes as
it supports an open source init version of coreboot without ME/PSP,
unlike Purism's laptops with the not really disabled ME and entirely
blobbed silicon init via Intel FSP.

Blooorp

Dec 26, 2017, 10:18:14 AM
to qubes-users
Didn't forget about it, he did some awesome work :)

I took my time to choose the right laptop to get into Qubes, really feels that I made the right choice !
But now, I need to make Qubes work on it, I'm collecting the issues haha

qma ster

Dec 27, 2017, 5:22:18 AM
to qubes-users
The perfect VGA BIOSes for Lenovo G505S could be obtained here - https://mail.coreboot.org/pipermail/coreboot/2017-July/084680.html

Go to "g505s-atombios" repository and download one or two vgabios files (depending on if your G505S had just integrated GPU, or integrated+discrete), then compare their checksums - and, if the checksums are correct - feel free to add them to your completed coreboot BIOS build. At the ReadMe of this repository, you could see how to add (or remove) a vgabios file to coreboot BIOS after its building - one or two simple commands.

Actually, for G505S with "integrated+discrete GPU" even a single vgabios for the integrated GPU would be enough to show the image on the display. I just hope that, if you add both vgabios, you could somehow make your discrete GPU work (it still doesn't work for me)


awokd

Mar 27, 2018, 5:52:33 PM
to qubesth...@gmail.com, qubes-users
On Mon, March 26, 2018 6:36 am, qubesth...@gmail.com wrote:

Could you please trim emails when you reply? It was hard to find your
questions in all that text!

> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
> card?

I'm not sure you could fit one in there, the hole is only big enough for
half-height mini-PCIe cards.

> Would 1866MHz @ CL10 be as good/better?

Not sure on this one; Coreboot can be picky on memory timings. Might have
to dig in to the source code to see if that is supported, if nobody else
knows.

> I just ordered a G505S and several of these upgrades and I'm excited to
> try flashing coreboot and getting Qubes going on it. Thanks for all the
> tips/help.

Welcome! Some of us G505s users are putting together a page with tips on
Coreboot and Qubes, but I'm not sure where it will end up yet.

qubesth...@gmail.com

Mar 30, 2018, 4:39:44 PM
to qubes-users
On Tuesday, March 27, 2018 at 4:52:33 PM UTC-5, awokd wrote:

>
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
>

Sorry about not trimming the original!

>
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>

Okay. I found some half mini PCIe SSD but it appears to just use SATA interface and probably not worth losing WiFi.

>
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
>

Good to know.

> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.

That would be amazing and much appreciated. This seems like a great hardware choice for running Qubes. I have the tools and have flashed a BIOS chip before so I feel okay about that part, but building the coreboot file is going to stretch me a bit.

qubesth...@gmail.com

Apr 1, 2018, 10:53:59 AM
to qubes-users
> 1) Erase a BIOS chip and flash it with coreboot - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . For a BIOS image you could either:

I decided to use your prebuilt rom and flashed it successfully on my G505s last night. Afterwards, I began the Qubes 4.0 installation. It installed fine, but following the restart it freezes while setting up the Template VMs. I waited several hours to verify that it was indeed frozen. I restarted and tried setup again and it keeps freezing at various points (Fedora Template, Debian Template, Whonix). I then tried a fresh reinstall but that yielded the same result.

I'm currently in the process of downloading 4.0 again and I'll try the install on a different usb stick. Is there anything else that I might try to make this work? Thanks for any assistance.

awokd

Apr 1, 2018, 11:20:29 AM
to qubesth...@gmail.com, qubes-users
If you're referring to the rom from Qmaster's post from a year ago, it
doesn't contain the microcode update needed to run 4.0. See
https://review.coreboot.org/22843? . There are some more notes
http://dangerousprototypes.com/docs/Lenovo_G505S_hacking, but be warned
it's still pretty rough. I can help you build your own Coreboot image with
the patch or if you trust anonymous strangers bearing gifts, send you the
one I built for myself. Let me know if you need either!


Tai...@gmx.com

Apr 1, 2018, 11:49:43 AM
to qubes...@googlegroups.com
FYI the microcode update is mandatory no matter what OS you are running
otherwise I could literally root your computer with a few commands due
to the NMI exploit on piledriver CPU's and of course the IOMMU wouldn't
work either so no DMA protection.
0xDF372A17.asc

qubesth...@gmail.com

Apr 1, 2018, 1:14:21 PM
to qubes-users

I'd love to try your prebuilt one!

Ivan Ivanov

Apr 1, 2018, 4:50:03 PM
to aw...@danwin1210.me, qubes...@googlegroups.com, qubesth...@gmail.com, Tai...@gmx.com, Asterysk
Thank you very much for answering the qubesthrowaway's questions !
Regarding
> Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet
- sorry for the delay! We just got a bit distracted with KolibriOS driver stuff (it will be really awesome if that assembly network driver becomes a reality!). At the same time we would like to:
1) upgrade the LZMA libraries of coreboot/SeaBIOS - the currently used ones are very, very outdated
2) add paq8px compression support for putting even more useful stuff onto our small 4 MB BIOS chips

By the way, it could be possible to upgrade a BIOS chip to 8 MB or even to 16 MB ;-) Asterysk has been trying to test this but accidentally damaged a copper track on his motherboard, so it's going to take a while before we find out the answer to this question. Ideally we'd like to stay at 4 MB, because if some of us were sitting at 8 MB / 16 MB while everyone else is at 4 MB BIOS chips, that would result in unnecessary fragmentation, so more of our efforts should be going towards those "compression methods".

On average, paq8px gives 25% better compression than the LZMA used by coreboot/SeaBIOS, but it is much slower - perhaps it is going to take about 3 minutes to extract a 1.44MB KolibriOS floppy to boot it, although we have not tested this on bare metal (from coreboot) yet - could be faster! There are also some extra challenges, e.g. the paq8px sources are C++ but coreboot is C and doesn't even have g++ in its toolchains, so I'm unsure how to merge them together. And using a "random g++" provided by some distro does not guarantee that this will be bootable. Maybe you know a great way to put C++ code into coreboot and make it compile?

Best regards,
Ivan Ivanov aka qmastery


qubesth...@gmail.com

Apr 3, 2018, 9:53:22 PM
to qubes-users
Among other suggestions, I added an 8-cell battery to my G505s. What kind of battery life are people getting with these? Mine seems hardly better than the OEM 4-cell. Just wondering if I got a bum battery or if the improvement isn't really that significant.

Thanks again to everyone for helping me get my G505s up and going with coreboot and for all the useful info on recommended upgrades here.

Ivan Ivanov

Apr 10, 2018, 3:08:37 AM
to qubesth...@gmail.com, qubes...@googlegroups.com
Hi there Friend! What 8-cell battery have you got, and from which seller? Either your battery needs a few power cycles to get to its full performance, or maybe you have received a battery with different power cells (not SANYO): e.g. your original battery was SANYO but that new 8-cell one could be SMP? :P

If you look at the PDF Hardware Maintenance Manual for the Lenovo G505S laptop (easily found online, contains many FRU replacement parts descriptions/IDs, useful) you will see that, even for the official G505S batteries, there were three manufacturers: Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much better than SMP/LG.

Please look at the attached picture - it contains a small review of the battery cells (could be expanded)

My 8-cell battery is Sanyo, and it has almost twice the battery life! Mike's result is ~1.5x longer, but he hasn't told me who made his cells, or I forgot what he replied to me and couldn't find it. Guess it's a bit of a lottery... If your battery does not perform better after a few power cycles, you could try getting another 8-cell battery, preferably from another seller - for a higher chance that these batteries would be from different batches with different internals - and we will see

However, if you look through this guide above, there are some more worthy investments: for example, the AR9462 wireless network adapter from the ath9k family - does not need binary blobs, runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth, works fine even on the Stallman-endorsed Linux distros. Ideally, batteries should be bought after you have got everything else. By the way, 2-3 times per year you could get 10-20% off AliExpress coupons for a great real discount

Retyped table from the attached image (so that it will be searchable through the Internet):

| Laptop batteries for G505S and other compatible Lenovo laptops | Model -- battery cells manufacturer | Voltage | Stated capacity in mAh | Max energy capacity by design (as seen by Ubuntu Linux OS) | Max energy capacity after 3 months of heavy usage | Rating |
|---|---|---|---|---|---|---|
| official Lenovo 4 cells battery (older revision) | L12S4E01 -- SANYO | 14.4V | 2900 mAh | 3.8 Wh | 3.5 Wh (94% of design) | medium battery |
| official Lenovo 4 cells battery (newer revision) | L12M4E01 -- Simplo Technology ( SMP ) | 14.88V | 2800 mAh | 3.8 Wh | 3.1 Wh (81% of design) | bad battery |
| 8cells G505S battery by AliExpress seller MX (HK) LTD -- Ming Xuan | "Replace L12L4A02, L12L4E01, L12M4A02" -- SANYO | 14.4V | 5200 mAh | 6.3 Wh | 6.1 Wh (96% of design) | the best battery ! |

NOTE: the battery model number is L12*4E01, where the * letter means the manufacturer of the battery cells: in L12S4E01, S means SANYO; in L12M4E01, M means Simplo Technology ( SMP ); in L12L4E01, L means LG chemicals. Older (official) batteries were usually SANYO, newer (official) batteries are usually SMP, sadly. My experience: SANYO cells are the best performance

Best regards,
Ivan Ivanov aka qmastery

2018-04-04 4:53 GMT+03:00 <qubesth...@gmail.com>:
> Among other suggestions, I added an 8-cell battery to my G505s. What kind of battery life are people getting with these? Mine seems hardly better than the OEM 4-cell. Just wondering if I got a bum battery or if the improvement isn't really that significant.
>
> Thanks again to everyone for helping me get my G505s up and going with coreboot and for all the useful info on recommended upgrades here.
Lenovo_G505S_batteries.png

qubesth...@gmail.com

Apr 19, 2018, 9:37:37 PM
to qubes-users

Thanks for all the info! I bought my battery from some random seller on eBay and it was disappointing initially but seems better after a few cycles. I may check out your recommended ones anyway. I did many of the other recommended upgrades already, including replacing the thermal paste, the WiFi adapter and upgrading to 16gb of Patriot Viper RAM and an SSD.

I'm very happy with my current setup thanks to you and others. One question I have is regarding boot time for 4.0. Is it several minutes long for you on coreboot/Qubes 4.0? I also get a Failed to Load Kernel Modules message early on in Qubes boot if that matters. Once it's up and running, things run smoothly.

River~~

Apr 20, 2018, 4:46:31 AM
to qubesth...@gmail.com, qubes-users
On Tuesday, April 10, 2018 at ...

 One question I have is regarding boot time for 4.0.  Is it several minutes long for you on coreboot/Qubes 4.0? 

It is what I am seeing. Is this significantly longer than for Qubes 3.2? (I am new here and  never used 3.2)

My assumption is that the time is explained by the fact that it is not only booting the physical machine but also the various CMs that are tagged to be started at bootup. 

I also get a Failed to Load Kernel Modules message early on 

Yes, I see this as the first line after the four Tuxes appear.

I think the message is slightly different - from memory it is 

Failed to Start Load Kernel Modules 



River~~

Apr 20, 2018, 6:21:44 AM
to qubesth...@gmail.com, qubes-users
correction where I said

My assumption is that the time is explained by the fact that it is not only booting the physical machine but also the various CMs that are tagged to be started at bootup. 

I meant VMs, not CMs

David Hobach

Apr 20, 2018, 8:11:00 AM
to River~~, qubesth...@gmail.com, qubes-users
Yes, it tends to be 7s for normal booting with SSD and 30s+ for the VMs
- that's normal. There is a feature request [1] out there to get the VMs
started after X instead of before. So that might change in the future.

[1] https://github.com/QubesOS/qubes-issues/issues/3149

Andrew B

Apr 30, 2018, 8:49:12 PM
to qubes-users
OK, just to clarify, if I am to build the coreboot image, I need to do that on the G505s by say running Debian or Ubuntu (presumably could use a Live disc/USB) or similar and building the image as shown here?
https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image

Then I take the created coreboot.rom file and load it onto a separate computer where I can externally flash the G505s as shown here: http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate

Tai...@gmx.com

Apr 30, 2018, 11:03:13 PM
to qubes...@googlegroups.com
On 04/30/2018 08:49 PM, Andrew B wrote:

> OK, just to clarify, if I am to build the coreboot image, I need to do that on the G505s by say running Debian or Ubuntu (presumably could use a Live disc/USB) or similar and building the image as shown here?
> https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image
Yeah.
But you need another PC in case something goes wrong.
> Then I take the created coreboot.rom file and load it onto a separate computer where I can externally flash the G505s as shown here: http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
Get a USB CH341A, they're easier.
0xDF372A17.asc

Andrew B

May 4, 2018, 7:39:54 AM
to qubes-users
Got it. I understand I need to build the coreboot image and flash it. However, I'm still a little confused on how exactly to implement the microcode update. I assume it's still not a part of the latest coreboot.

Was it these two files I am looking for changes in?
src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnEquivalenceTable.c
src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnMicrocodePatch0600110F_Enc.c

or do I understand correctly that I can run these commands at a Debian terminal and get the needed output too?

dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
xxd -i amd.bin

I then copy some/all of that content and paste it into the image file itself?

mattheww...@gmail.com

May 12, 2018, 3:38:31 PM
to qubes-users
On Wednesday, January 18, 2017 at 6:34:29 AM UTC-5, Asterysk wrote:
> >First of all we need to make sure that you are prepared for flashing. coreboot image cannot be >flashed internally on Lenovo G505S through a purely software way (I tried with >internal:laptop=force_I_want_a_brick flashrom option, it always fails, cant do that!) .
>
> >To install a coreboot, you will have to:
> >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 test clip
> >2) tear down your laptop to access the motherboard
> >3) take SOIC-8 test clip and attach its wires to USB flasher that is supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS chip with 8 legs, then plug USB flasher device to another computer with Linux (while it is still connected to G505S motherboard through wires and SOIC-8 test clip)
> >4) using flashrom, make a dump of your existing BIOS just in case, then flash a new coreboot image with verification 5) assemble your laptop in reverse order . That is exactly how computer repair shops are repairing laptops with failed BIOS updates, and are earning pretty good money on it
>
> >Here is a hardware flashing manual - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
>
> Everything is described in a great detail here: complete list of tools and where you could buy them (need to spend from $0 to $30, depends on what tools you already have), how to connect these tools properly, a lot of helpful photos - for example, photo of G505S motherboard, so you could easily see where is that BIOS chip with 8 legs is located, dont need to spend time reading the motherboard chip labels. While this instruction mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher are exactly the same - only a flashrom command is different (could see this command at the end of page)
>
> My current coreboot build is from December 2016 - it is not the latest, but still pretty recent, so I am not going to rebuild it from scratch yet. Still, there is one component inside BIOS image that could be easily updated: KolibriOS, tiny wonderful open source operating system that fits on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no changes to your computer saved). After you tell that you are prepared for hardware BIOS flashing, I will take KolibriOS latest daily build, add it to ROM and send a complete coreboot BIOS ROM to you
>
> Please reply if you have any questions
>
> Best regards,
> qmastery
> -----------------------------------------------
>
> Is it possible to also reflash the USB firmware at the same time in case it has been tampered by Bad USB ?

Does anybody know where I can find an up-to-date copy of the microcode for this laptop? The latest microcode images I've been able to find *anywhere* are
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
which according to the logs date back to 2016 and therefore can't possibly contain spectre mitigations for an A10-5750M CPU.

Supposedly AMD has/will release mitigating microcode for family 15h but I don't think AMD has an equivalent to: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File

Does AMD even announce when they release microcode for a particular family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I guess...

The next step of course will be figuring out how to build coreboot to load the microcode image, but, one step at a time.

mattheww...@gmail.com

May 12, 2018, 3:58:12 PM
to qubes-users

awokd

May 15, 2018, 10:51:06 PM
to mattheww...@gmail.com, qubes-users
On Sat, May 12, 2018 7:58 pm, mattheww...@gmail.com wrote:
> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com

>> Does anybody know where I can find an up-to-date copy of the microcode
>> for this laptop? The latest microcode images I've been able to find
>> *anywhere* are
>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
>> which according to the logs date back to 2016 and therefore can't
>> possibly contain spectre mitigations for an A10-5750M CPU.
>>
>> Supposedly AMD has/will release mitigating microcode for family 15h but
>> I don't think AMD has an equivalent to:
>> https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>
>> Does AMD even announce when they release microcode for a particular
>> family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one
>> can only dream I guess...
>>
>> The next step of course will be figuring out how to build coreboot to
>> load the microcode image, but, one step at a time.
>
> EDIT:
> https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html
> doesn't seem to have been up since 2016

See below. There seems to be a way to do it if you edit the patch file
directly into microcode_amd_fam15h.bin (but we might be getting off-topic
for Qubes here).

https://www.mail-archive.com/core...@coreboot.org/msg51496.html





Ivan Ivanov

May 17, 2018, 12:18:02 PM
to awokd, Tai...@gmx.com, qubes...@googlegroups.com, mattheww...@gmail.com, abec...@gmail.com, tri...@hackingthe.net, river1...@gmail.com, qubesth...@gmail.com, Emil Novik, Asterysk, Emil Novik, ech...@free.fr, Zoran Stojsavljevic, mike...@gmail.com
These microcodes from platomav are not new enough to have spectre v2
fixed in them! We are in the process of requesting updated
microcodes from AMD, and there is already some progress: we have been
offered the updated microcodes with the spectre V2 fix under the NDA.
However, most likely this NDA requirement is only because of the Ryzen
microcodes and maybe the microcodes for the other CPUs with built-in
PSP Platform Secure Processor. We have asked AMD to offer us a smaller
set of the microcodes (for the older CPUs only) which will be possible
to obtain without signing the NDA, and we are currently waiting for
reply. It does not make sense to ask the NDA for the microcodes of
CPUs that are ~5 years old, also, the older microcodes could be found
as publicly shared at e.g. linux-firmware.git and nobody sent a DMCA
takedown regarding them , so most likely it means that both 15h and
16h microcodes, as well as some other older ones, should be possible
to obtain without any NDAs. We will keep you updated

Best regards,
Ivan Ivanov

Tai...@gmx.com

May 22, 2018, 1:19:23 AM
to qubes...@googlegroups.com
*ML thread reply*
Hey guys you can install the latest microcode now from linux-firmware,
no NDA or w/e I believe this is the latest version.
See my thread on the coreboot ML for more info.

Remember folks the G505S has a piledriver cpu and thus it NEEDS a
microcode update to have IOMMU (and thus work for V4) and be secure due
to various exploits.

before:
microcode: CPU0 patch_level=0x0600084f

after:
microcode: CPU0: new patch_level=0x06000852

I think this is the latest version but I don't know for sure.
0xDF372A17.asc
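
The dd/xxd check awokd describes earlier in the thread and the patch_level lines in the post above both refer to patches stored inside an AMD microcode container file. As an added example (not code from this thread or from coreboot), the Python below lists each patch's byte offset, patch level and SHA-256, so a `dd skip=` offset and a dmesg patch_level can be checked against a file, and two containers can be compared patch by patch. Assumptions: the container layout is the one the Linux kernel's AMD microcode loader reads; the sample container, its CPUIDs, equivalence IDs and two of its patch IDs are constructed, with sizes chosen so the third patch body starts at byte 5284.

```python
import hashlib
import struct
import sys
from collections import namedtuple

# Layout assumed: the container format read by the Linux kernel's AMD loader.
MAGIC = 0x00414D44                     # bytes "DMA\0" on disk (little-endian)
SECTION_EQUIV, SECTION_PATCH = 0, 1
EQUIV_ENTRY = struct.Struct("<IIIHH")  # cpuid, errata mask, errata compare, equiv id, reserved
PATCH_HDR_LEN = 28                     # header bytes up to and including sb_rev_id

Patch = namedtuple("Patch", "body_offset size patch_id equiv_id sha256")


def parse_container(blob):
    """Return ({equiv_id: [cpuid, ...]}, [Patch, ...]) for one container."""
    if len(blob) < 12:
        raise ValueError("too short for a container header")
    magic, sec_type, equiv_len = struct.unpack_from("<III", blob, 0)
    if magic != MAGIC or sec_type != SECTION_EQUIV:
        raise ValueError("not an AMD microcode container")
    pos = 12 + equiv_len
    if pos > len(blob):
        raise ValueError("equivalence table runs past end of file")
    equiv = {}
    for off in range(12, pos - EQUIV_ENTRY.size + 1, EQUIV_ENTRY.size):
        cpuid, _mask, _cmp, equiv_id, _res = EQUIV_ENTRY.unpack_from(blob, off)
        if cpuid == 0:                 # an all-zero entry terminates the table
            break
        equiv.setdefault(equiv_id, []).append(cpuid)
    patches = []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated section header at byte %d" % pos)
        sec_type, size = struct.unpack_from("<II", blob, pos)
        body_offset = pos + 8
        if sec_type != SECTION_PATCH:
            raise ValueError("unexpected section type %#x at byte %d" % (sec_type, pos))
        if size < PATCH_HDR_LEN or body_offset + size > len(blob):
            raise ValueError("bad patch size %d at byte %d" % (size, pos))
        body = blob[body_offset:body_offset + size]
        (patch_id,) = struct.unpack_from("<I", body, 4)    # value dmesg shows as patch_level
        (equiv_id,) = struct.unpack_from("<H", body, 24)   # processor_rev_id field
        patches.append(Patch(body_offset, size, patch_id, equiv_id,
                             hashlib.sha256(body).hexdigest()))
        pos = body_offset + size
    return equiv, patches


def dd_skip(blob, offset):
    """Same bytes as `dd skip=<offset> iflag=skip_bytes` with no count."""
    return blob[offset:]


def same_patch(blob_a, blob_b, patch_id):
    """True only if both containers carry patch_id with identical bytes."""
    digests = []
    for blob in (blob_a, blob_b):
        hits = [p.sha256 for p in parse_container(blob)[1] if p.patch_id == patch_id]
        digests.append(hits[0] if hits else None)
    return digests[0] is not None and digests[0] == digests[1]


def build_sample():
    """Constructed container: 3 equiv entries + terminator, three 2592-byte patches."""
    # CPUIDs and equivalence IDs below are constructed sample values.
    cpus = [(0x00600F12, 0x6012), (0x00610F01, 0x6101), (0x00630F01, 0x6301), (0, 0)]
    table = b"".join(EQUIV_ENTRY.pack(c, 0, 0, e, 0) for c, e in cpus)
    out = struct.pack("<III", MAGIC, SECTION_EQUIV, len(table)) + table
    # 0x06000852 is the patch_level quoted in the thread; the other two IDs are constructed.
    ids = [(0x06000852, 0x6012), (0x06001AAA, 0x6101), (0x06003BBB, 0x6301)]
    for n, (patch_id, equiv_id) in enumerate(ids):
        hdr = struct.pack("<IIHBBIIIHBB", 0, patch_id, 0, 0, 0, 0, 0, 0, equiv_id, 0, 0)
        body = hdr + bytes([n + 1]) * (2592 - len(hdr))
        out += struct.pack("<II", SECTION_PATCH, len(body)) + body
    return out


if __name__ == "__main__":
    # With a path argument, list that file; otherwise list the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    equiv, patches = parse_container(data)
    for p in patches:
        cpus = ", ".join("%08x" % c for c in equiv.get(p.equiv_id, []))
        print("offset %5d  size %4d  patch_level=0x%08x  cpuid [%s]  sha256 %s"
              % (p.body_offset, p.size, p.patch_id, cpus, p.sha256[:16]))
```

Run against both the distribution's microcode_amd_fam15h.bin and the copy under coreboot's 3rdparty/blobs, matching SHA-256 values for the same patch level give the same assurance as diffing the xxd output by eye.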

Ivan Ivanov

May 22, 2018, 8:34:28 AM
to Tai...@gmx.com, qubes...@googlegroups.com, awokd, Matt B, Andrew B, tri...@hackingthe.net, river1...@gmail.com, qubesth...@gmail.com, Emil Novik, Asterysk, Emil Novik, ech...@free.fr, Zoran Stojsavljevic, mike...@gmail.com
I think: at the moment, the only possible way to become confident that
a new 15h microcode at linux-firmware.git is the same (or at least
close to being the same) as being offered to us under an NDA, without
signing this NDA, is to install this microcode to your coreboot and
then run some tests to see the degree of vulnerability to the various
spectres. Also, that AMD person has uploaded only 15h and 17h -
meanwhile, there are some nice desktop coreboot-supported 16h boards
like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor,
only late-16h has), and these 16h boards are still vulnerable. I will
try to contact to "remind" about 16h. Maybe they don't share the
microcodes publicly until they have fully tested them, and NDA is a
way for OEMs to get the not-publicly-released-yet microcodes to test
on their hardware. It could be that AMD's guidelines require fully
testing a new microcode at all the compatible platforms before
releasing it publicly even if its just a matter of setting a few bits
- to make sure that all the other functions are still working
correctly

Best regards,
Ivan

Ivan Ivanov

May 22, 2018, 8:54:55 AM
to Tai...@gmx.com, qubes...@googlegroups.com, awokd, Matt B, Andrew B, tri...@hackingthe.net, river1...@gmail.com, qubesth...@gmail.com, Emil Novik, Asterysk, Emil Novik, ech...@free.fr, Zoran Stojsavljevic, mike...@gmail.com
Alternatively, it could be that NDA is required not exactly to get
these updated microcode files for our a-bit-old CPUs, but to
understand - against what vulnerabilities these microcodes are trying
to give the protection. Maybe there are some secret release notes that
usually come with these microcodes to the OEMs. If you would look at
the commit message which came with 15h/17h files, you would not notice
any mention of the vulnerabilities and spectre - or any other mention
of what has been changed or improved. It's "just an update" -
https://marc.info/?l=linux-kernel&m=152651230014241&w=2 . More
messages from this author -
https://marc.info/?a=137244797100003&r=1&w=2

Best regards,
Ivan