coreboot on modern hardware?


jrsm...@gmail.com

Mar 23, 2019, 3:03:22 PM
to qubes-users
Spent several hours yesterday trying to track down what I would need to do to install coreboot on all of my computers, starting with my Qubes box: a Lenovo Thinkpad T480.

The bottom line from what I can tell is that if you have an Intel CPU made since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that have PSP), you are out of luck. Libreboot spells this out in their docs. I'm not sure if that is because of coreboot itself or something specific to Libreboot. I was struck by how they seemed perfectly fine walling themselves off from the present and the future.

I could find nothing indicating that anyone had even tried, much less succeeded, in installing coreboot on a T480 and everything I did find was for much older hardware.

I read through the coreboot docs where they just wave their hands at the end of the build process and say "now go flash". I also read through the heads docs, which say more or less the same thing.

Hackaday has an article on the horrors of installing coreboot on a Toshiba laptop. Not only do they neglect to say which model they used, at the end of the article they had it working.

The gist is that the information that's out there is out of date, incomplete, misleading, and sometimes just incompetent.

I'm hoping that someone here has first-hand knowledge and can advise me (and others who read this).

Thanks,
John Smiley

ron...@riseup.net

Mar 24, 2019, 5:11:12 AM
to jrsm...@gmail.com, qubes-users
I'd suggest visiting https://coreboot.org/status/board-status.html to
see if your box is compatible with coreboot. From what I can see, the
T480 is not coreboot friendly.

The coreboot web site generally is a very good starting point in
establishing the how, what and when procedures for installing coreboot
successfully.

799

Mar 24, 2019, 5:32:19 AM
to ron...@riseup.net, jrsm...@gmail.com, qubes-users
Hello,


<ron...@riseup.net> wrote on Sun., 24 March 2019, 10:11:
On 2019-03-23 19:03, jrsm...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need
> to do to install coreboot on all of my computers, starting with my
> Qubes box: a Lenovo Thinkpad T480.
[...]

I'd suggest visiting https://coreboot.org/status/board-status.html to
see if your box is compatible with coreboot. From what I can see, the
T480 is not coreboot friendly.

The provided link is the right place to see, I have also invested some time for the research before flashing my X230 with Coreboot and again when I tried to flash my W540.
It seems that everything after the X230/T430/W530 is not corebootable.
On the other hand the ?30-Series offers enough performance for most workloads.

Newer hardware will (very likely) not work with Coreboot (if you look into Lenovo), and NOT buying Lenovo and talking about why you are not buying it might be the only way to convince companies to change (even when this is very (!) unlikely).

- O

jrsm...@gmail.com

Mar 24, 2019, 9:15:31 PM
to qubes-users
That was one of the first places I looked. Maybe I’m just a hardhead, but I found it difficult to believe that there really was no support for coreboot in any form for modern hardware.

799

Mar 25, 2019, 2:28:04 AM
to jrsm...@gmail.com, qubes-users
Hello,


<jrsm...@gmail.com> wrote on Mon., 25 March 2019, 02:15:
That was one of the first places I looked. Maybe I’m just a hardhead, but I found it difficult to believe that there really was no support for coreboot in any form for modern hardware. 

The problem seems to be that on modern hardware it is not possible to run unsigned firmware because of a feature on newer hardware called "boot guard".


What Intel is saying about this "feature":

- O

Chris Laprise

Mar 25, 2019, 7:20:51 AM
to jrsm...@gmail.com, qubes-users
It serves as a reminder that the 'Wintel' platform is really closed.
Open source projects like Coreboot cannot make progress where
information about the hardware is kept secret.

I also think Intel's combination of secrecy and high rate of
vulnerabilities is particularly toxic; some of this stuff can't be
patched so running a 'secure' OS on Intel chips now looks like a futile
exercise.

AMD are also closed, but appear to be more conscientious about how they
design their CPUs given how they are less vulnerable to side-channel
attacks.

FWIW, I think Qubes devs may have seen the handwriting on the wall and
now have at least some level of interest in moving to open hardware like
the POWER CPUs.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

jrsm...@gmail.com

Mar 25, 2019, 5:49:15 PM
to qubes-users
What does this say about the direction Joanna and Golem are taking? Everyone builds clouds on Intel hardware. No getting around that.

Sven Semmler

Mar 28, 2019, 3:52:00 PM
to qubes...@googlegroups.com

On 3/25/19 4:49 PM, jrsm...@gmail.com wrote:
> What does this say about the direction Joanna and Golem are
> taking?

I am severely confused about that. I'd have thought the direction to
go is open hardware, more local, more decentralized, more
compartmentalized, zero trust.

/Sven

Chris Laprise

Mar 28, 2019, 5:26:21 PM
to Sven Semmler, qubes...@googlegroups.com
On 3/28/19 3:51 PM, Sven Semmler wrote:
> On 3/25/19 4:49 PM, jrsm...@gmail.com wrote:
>> What does this say about the direction Joanna and Golem are
>> taking?
>
> I am severely confused about that. I'd have thought the direction to
> go is open hardware, more local, more decentralized, more
> compartmentalized, zero trust.

I think the idea is that "zero trust" can come from a crypto-based
algorithm and that the hardware will be locally owned like bitcoin. But
I don't necessarily agree with this model; it feeds the "monetize every
relationship and action" trend along with other problems like pollution.
And if the basis is intimately financial, then economies of scale and
expertise will weigh heavily on it the way they have with crypto
currencies: eventual centralization will be baked-in.

Also there are many examples of zero trust (or accountability) in
traditional methods, like counting paper ballots or balancing your
checkbook from bank statements; it's not an invention of Computer
Science. But we love computers and must now throw billions of
transistors at each instance of every little problem; A-Z must receive
the silicon blessing.

-

What I love about personal computers is that they're the opposite of
"strap some chips onto objects and forget about it". They're never mere
"gadgets" but more like a workshop. They do many things and so we focus
on one or two units most of the time... we worry about how fit and
secure our PCs are and we have a dialog with them about it. OTOH, IoT
and other gadgets rarely even reveal anything like an operating system to
us because we're not supposed to care.

I want operating systems to reveal even more about a computer's internal
state - in snazzy, intuitive ways - than they already do. That's why I
thought at the beginning that "Invisible Things Lab" was such an awesome
moniker while exposing awful things that hide in a computer. Then to
boot they provided a solution that manifests itself in the window frames
we constantly look at. Definitely not a trendy move but great nonetheless.

jrsm...@gmail.com

Mar 29, 2019, 11:53:44 AM
to qubes-users
From a recent System76 announcement:

“In firmware news, our engineer Jeremy has made a lot of progress in porting Coreboot to the Darter Pro and multiple versions of Galago Pro. It can now run both BIOS and UEFI implementations. However, certain bugs need to be worked out before we can officially release Coreboot on any of our laptops, such as a bug that causes the computer to open from suspend in airplane mode, or another that prevents the user from activating the webcam via keyboard functions. These and other bugs are being worked out in testing, and many of us across different departments are testing Coreboot on our own computers.”

jrsm...@gmail.com

Mar 29, 2019, 7:18:01 PM
to qubes-users
https://github.com/system76/coreboot

Clearly they think they can handle modern hardware. Makes me wonder why the coreboot folks have thrown up their hands and declared defeat.

Chris Laprise

Mar 29, 2019, 10:44:21 PM
to qubes...@googlegroups.com, jrsm...@gmail.com
On 3/29/19 7:18 PM, jrsm...@gmail.com wrote:
> https://github.com/system76/coreboot
>
> Clearly they think they can handle modern hardware. Makes me wonder why the coreboot folks have thrown up their hands and declared defeat.

Maybe they see something they can no longer stomach.

I bought my first AMD system this week.

awokd

Mar 30, 2019, 12:25:35 PM
to qubes...@googlegroups.com
Chris Laprise wrote on 3/30/19 2:44 AM:
> On 3/29/19 7:18 PM, jrsm...@gmail.com wrote:
>> https://github.com/system76/coreboot
>>
>> Clearly they think they can handle modern hardware. Makes me wonder
>> why the coreboot folks have thrown up [their?] hands and declared defeat.

If I understand it right, on newer Intel systems Coreboot is limited to
only calling closed-source, proprietary initialization procedures versus
older systems where it handles the entire process (less some binary blobs).

> Maybe they see something they can no longer stomach.
>
> I bought my first AMD system this week.
>
Welcome to the club! Hope they don't continue following Intel's path
with closed-source PSP etc.

seshu

Mar 30, 2019, 2:43:09 PM
to qubes-users

In terms of open source hardware, has anyone tried RISC-V (https://riscv.org/ )? Or have thoughts on its potential? They are not selling hardware, albeit it's pretty expensive, through the company SiFive (https://www.sifive.com/boards ).

This has been an interesting forum thread to read, so I was wondering what potential RISC-V and SiFive offer?

Chris Laprise

Mar 30, 2019, 3:10:59 PM
to qubes...@googlegroups.com
I agree. But even so, AMD are better by some noticeable margin.

Intel... OMGWTF. With the 'VISA' exploit they're contradicting the
researchers, and with 'Foreshadow' they said app programmers should deal
with it.

BTW, like some other Qubers I got a G505s with the AMD A10. Still need
to figure out how to flash it.

Chris Laprise

Mar 30, 2019, 3:27:47 PM
to qubes...@googlegroups.com
On 3/30/19 2:43 PM, seshu wrote:

> In terms of open source hardware, has anyone tried RISC-V (https://riscv.org/ )? Or have thoughts on its potential? They are not selling hardware, albeit it's pretty expensive, through the company SiFive (https://www.sifive.com/boards ).
>
> This has been an interesting forum thread to read, so I was wondering what potential RISC-V and SiFive offer?

Sifive isn't interesting for PCs/laptops. IIRC it is the BOOM processor
project that is said to take RISC-V in that direction.

awokd

Mar 30, 2019, 3:47:26 PM
to qubes...@googlegroups.com
Chris Laprise wrote on 3/30/19 7:10 PM:

> I agree. But even so, AMD are better by some noticeable margin.
>
> Intel... OMGWTF. With the 'VISA' exploit they're contradicting the
> researchers, and with 'Foreshadow' they said app programmers should deal
> with it.

I saw that too WRT Foreshadow: "Just code around it!" That's a swing and
a miss for a real answer. I'll have to catch up on VISA.

> BTW, like some other Qubers I got a G505s with the AMD A10. Still need
> to figure out how to flash it.

Mike Banon's done some great work here. Check out
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
(pictures are from a G505s) and
http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
Taiidan too for promoting the platform. Feel free to contact me with any
questions, on or off list.

jrsm...@gmail.com

Mar 31, 2019, 9:32:21 PM
to qubes-users

After doing some more reading, I've found that I was hasty to judgement in saying that the coreboot team had thrown up their hands in defeat at the limitations of modern hardware. As it turns out, the docs are just horribly out of date. Looking at the release notes for the past few years shows that they have not only not given up, but have already made significant progress in adapting to changes in the hardware we live with. My apologies to the coreboot team for my misstatement.

Chris Laprise

Apr 6, 2019, 10:08:36 AM
to awokd, qubes...@googlegroups.com
I'm ordering parts from Mike's guide now, but a little confused about
something: If I order reasonably short wires and the advanced clip, will
I need to do any soldering?

Another thing that isn't clear is how power is applied, but I'll cross
that bridge when I get to it. I plan to use a CH341A flasher.

awokd

Apr 6, 2019, 10:20:01 AM
to Chris Laprise, qubes...@googlegroups.com
Chris Laprise wrote on 4/6/19 2:08 PM:
> On 3/30/19 3:47 PM, 'awokd' via qubes-users wrote:
>> Chris Laprise wrote on 3/30/19 7:10 PM:

>>> BTW, like some other Qubers I got a G505s with the AMD A10. Still
>>> need to figure out how to flash it.
>>
>> Mike Banon's done some great work here. Check out
>> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
>> (pictures are from a G505s) and
>> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
>> Taiidan too for promoting the platform. Feel free to contact me with
>> any questions, on or off list.
>
> I'm ordering parts from Mike's guide now, but a little confused about
> something: If I order reasonably short wires and the advanced clip, will
> I need to do any soldering?
>
> Another thing that isn't clear is how power is applied, but I'll cross
> that bridge when I get to it. I plan to use a CH341A flasher.
>
No soldering needed on these laptops with a clip. FWIW, I got away with
12" wires but I was only flashing at 1 or 2 MHz. Power is supplied from
the CH341A through the clip, so pay attention to that warning about 3.3V
vs. 5V.
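awokd's advice above (short wires, a low SPI clock, and the 3.3V vs. 5V warning for the CH341A) is all about getting a trustworthy read before anything is written. The script below is an added example, not code from the thread or from Mike Banon's guide: it takes two full dumps of the chip with flashrom's real `ch341a_spi` programmer, refuses to go further if the two dumps differ (an unstable link) or if the dump is all 0xFF/0x00 (the clip is not really seated), and prints the hash of the backup you should keep before flashing. The file names `dump1.bin`/`dump2.bin` and the `backup` argument are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check external SPI reads before
# writing coreboot with flashrom through a CH341A clip. Two identical full
# reads are a cheap way to notice a marginal link (long wires, wrong voltage,
# poor clip contact) before you trust a backup or write anything.
# Assumption: flashrom is installed and the chip is wired to a CH341A;
# "ch341a_spi" is flashrom's CH341A programmer name.

PROGRAMMER="${PROGRAMMER:-ch341a_spi}"

# sha256 of a file, portable between sha256sum (GNU) and shasum (BSD/macOS).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# dumps_consistent A B: succeed only if both dumps exist, are non-empty,
# have the same size and the same sha256.
dumps_consistent() {
    a="$1"; b="$2"
    [ -s "$a" ] && [ -s "$b" ] || return 1
    [ "$(wc -c < "$a")" -eq "$(wc -c < "$b")" ] || return 1
    [ "$(file_hash "$a")" = "$(file_hash "$b")" ]
}

# dump_is_blank FILE: succeed if the dump is entirely 0xFF (erased flash) or
# entirely 0x00; on a laptop's main SPI chip that means nothing real was read.
dump_is_blank() {
    ff=$(tr -d '\377' < "$1" | wc -c)
    zero=$(tr -d '\000' < "$1" | wc -c)
    [ "$ff" -eq 0 ] || [ "$zero" -eq 0 ]
}

# backup_and_check: read the chip twice and stop on mismatch or blank data.
backup_and_check() {
    flashrom -p "$PROGRAMMER" -r dump1.bin || return 1
    flashrom -p "$PROGRAMMER" -r dump2.bin || return 1
    if ! dumps_consistent dump1.bin dump2.bin; then
        echo "reads differ: check wiring, clock and supply voltage before writing" >&2
        return 1
    fi
    if dump_is_blank dump1.bin; then
        echo "dump is all 0xFF/0x00: the chip was not really read" >&2
        return 1
    fi
    echo "consistent backup, sha256 $(file_hash dump1.bin)"
}

# Only talk to the programmer when explicitly asked ("./check.sh backup"),
# so the helpers can be sourced and exercised without hardware attached.
if [ "${1:-}" = "backup" ]; then
    backup_and_check
fi
```

Keep `dump1.bin` and its hash off the laptop you are flashing; if a write goes wrong, that file plus the same clip is the recovery path.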


Tai...@gmx.com

Apr 8, 2019, 2:27:04 PM
to qubes...@googlegroups.com
System seventysuck, pur.idiots etc are LYING about having "open source
firmware"

System seventysuck also lies about having "made in usa" hardware;
literally all they did was make a metal case here, and somehow a metal
box equals a computer in their world.

Their "coreboot" is nothing more than a wrapper layer for Intel FSP
binary blobs, it doesn't init any hardware and just like their "made in
usa" claims is entirely bullshit.

New AMD hardware has PSP which is their version of ME and just as terrible.

New x86 hardware will NEVER be free since intel/amd not only refuse to
provide documentation and sources but also lock down their systems more
and more with ME, boot "guard", "secure" boot etc.


If you want owner controlled open source firmware hardware buy an
OpenPOWER system from RaptorCS like the Blackbird or TALOS 2 both of
which provide better performance and features than enterprise x86
systems you would get for the same price.

Someday there will even be AAA games on POWER, just like people said that
there would never be DRM free AAA linux games and now there are many. As
of now there are a few meh open source 3D games and the unreal tech demo,
but gaming is the only thing you sacrifice, and you can always have an
older pre-PSP AMD owner controlled system for that like I do.

Mark Newman

Apr 9, 2019, 12:07:12 PM
to qubes...@googlegroups.com
On 3/23/19 3:03 PM, jrsm...@gmail.com wrote:
I don't think Libreboot is "fine with walling themselves off from the
future", I just think they would rather not have a back door open that
they cannot close. See:
https://libreboot.org/faq.html#intel (scroll down for AMD) and
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
For myself, I also only use AMD CPUs prior to 2013. If this means I
can't run Qubes 4, much as I would like to, I will have to take other
security precautions, especially since I read that Joanna Rutkowska said
that using IOMMU does not protect from this remote management attack.
(Sorry I can't find that reference).


