Patrick Rudolph has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add VBOOT on Lenovo devices
Documentation: Add VBOOT on Lenovo devices
Describe VBOOT implementation details for retrofitted Lenovo devices.
Change-Id: Ibabcc939d9d01f00a93fd42adc48057966ad877e
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
---
M Documentation/mainboard/index.md
A Documentation/mainboard/lenovo/vboot.md
2 files changed, 36 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/51/39151/1
diff --git a/Documentation/mainboard/index.md b/Documentation/mainboard/index.md index 126a8fb..6e833cf 100644 --- a/Documentation/mainboard/index.md +++ b/Documentation/mainboard/index.md @@ -70,6 +70,7 @@ - [R60](lenovo/r60.md) - [T4xx common](lenovo/t4xx_series.md) - [X2xx common](lenovo/x2xx_series.md) +- [VBOOT](lenovo/vboot.md)
### Nehalem series
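Review bot: The label of the added entry `- [VBOOT](lenovo/vboot.md)` does not say what the page is. Every other entry in this list (R60, T4xx common, X2xx common) is a board or board-family page, so a bare "VBOOT" reads like another model and cannot be told apart from the generic vboot documentation that the new page itself links to. Suggest a label such as "vboot on Lenovo devices", or listing it under its own heading rather than among the boards.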
diff --git a/Documentation/mainboard/lenovo/vboot.md b/Documentation/mainboard/lenovo/vboot.md new file mode 100644 index 0000000..559ea53 --- /dev/null +++ b/Documentation/mainboard/lenovo/vboot.md @@ -0,0 +1,35 @@ +# Using coreboot's verified boot on Lenovo devices + +By default a single instance of coreboot is present in the firmware flash, +no verification is done and it doesn't write protect the flash to allow +firmware updates from the OS. +The verified boot mechanism also called [VBOOT] allows secure firmware +updates using an A/B partitioning scheme once enabled. + +## Enabling VBOOT +You can enable [VBOOT] in the *security menu*. Besides a verified boot you +can also enable a measured boot by setting `CONFIG_VBOOT_MEASURED_BOOT`. +Both options need a working TPM, which is present on all recent Lenovo +devices. + +## Updating and recovery +As the A/B partition is writeable you can still update them from the OS. +By using the [VBOOT] mechanism you store a copy of coreboot in the `RO` +partition that acts as failsaife in case the regular firmware update, that +goes the `A` or `B` partition fails. + +On *Lenovo* devices you can enable the *Fn* key as recovery mode switch, by +enabling `CONFIG_H8_FN_KEY_AS_VBOOT_RECOVERY_SW`. +Holding the *Fn* at boot will then switch to the recovery image, allowing +to boot and flash a working image to the A/B partition. + +## 8MiB ROM limitation +*Lenovo* devices with 8MiB ROM only have a `RO`+`A` partition enabled in the +default FMAP. They are missing the `B` partition, due to size contrains. +You can still provide your own FMAP if you need `RO`+`A`+`B` partitions. + +## CMOS +[VBOOT] on *Lenovo* devices uses the CMOS to store configuration data, like +boot failures and the last successfully booted partition. + +[VBOOT]: ../../security/vboot/index.md
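Review bot: The "Updating and recovery" section presents the `RO` copy as the failsafe but never says whether `RO` is write-protected once VBOOT is enabled, while the introduction states that by default the flash is not write-protected "to allow firmware updates from the OS". If `RO` stays writable from the OS, the failsafe image and the recovery image reached through the Fn key can be overwritten just like `A`/`B`, so the section should state the protection status explicitly. The "CMOS" section would also benefit from a sentence on what happens when the stored state is lost or cleared. Smaller points in the same hunk: "failsaife" should be "failsafe", "that goes the `A` or `B` partition" is missing "to", "contrains" should be "constraints", and "the *security menu*" should name which menu is meant.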
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add VBOOT on Lenovo devices
Patch Set 1: Code-Review+1
(1 comment)
https://review.coreboot.org/c/coreboot/+/39151/1/Documentation/mainboard/len...
File Documentation/mainboard/lenovo/vboot.md:
https://review.coreboot.org/c/coreboot/+/39151/1/Documentation/mainboard/len...
PS1, Line 15: ## Updating and recovery
Is it worth stating that currently no write protection mechanism is applied?
Hello Arthur Heymans, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/39151
to look at the new patch set (#2).
Change subject: Documentation: Add VBOOT on Lenovo devices
Documentation: Add VBOOT on Lenovo devices
Describe VBOOT implementation details for retrofitted Lenovo devices.
Change-Id: Ibabcc939d9d01f00a93fd42adc48057966ad877e
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
---
M Documentation/mainboard/index.md
A Documentation/mainboard/lenovo/vboot.md
2 files changed, 40 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/51/39151/2
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add VBOOT on Lenovo devices
Patch Set 2:
(1 comment)
https://review.coreboot.org/c/coreboot/+/39151/1/Documentation/mainboard/len...
File Documentation/mainboard/lenovo/vboot.md:
https://review.coreboot.org/c/coreboot/+/39151/1/Documentation/mainboard/len...
PS1, Line 15: ## Updating and recovery
> Is it worth stating that currently no write protection mechanism is applied?
Done
Patrik Tesarik has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add VBOOT on Lenovo devices
Patch Set 2:
(1 comment)
https://review.coreboot.org/c/coreboot/+/39151/2/Documentation/mainboard/len...
File Documentation/mainboard/lenovo/vboot.md:
https://review.coreboot.org/c/coreboot/+/39151/2/Documentation/mainboard/len...
PS2, Line 18: partition that acts as failsaife in case the regular firmware update, that
Typo: failsaife -> failsafe
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add vboot on Lenovo devices
Patch Set 8: Code-Review+2
Patrick Rudolph has submitted this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add vboot on Lenovo devices
Documentation: Add vboot on Lenovo devices
Describe vboot implementation details for retrofitted Lenovo ThinkPad devices.
Change-Id: Ibabcc939d9d01f00a93fd42adc48057966ad877e
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39151
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
M Documentation/mainboard/index.md
A Documentation/mainboard/lenovo/vboot.md
2 files changed, 40 insertions(+), 0 deletions(-)

Approvals:
  build bot (Jenkins): Verified
  Paul Menzel: Looks good to me, but someone else must approve
  Patrick Rudolph: Looks good to me, approved
  Marcello Sylvester Bauer: Looks good to me, but someone else must approve
diff --git a/Documentation/mainboard/index.md b/Documentation/mainboard/index.md index 57df302..3426395 100644 --- a/Documentation/mainboard/index.md +++ b/Documentation/mainboard/index.md @@ -74,6 +74,7 @@ - [R60](lenovo/r60.md) - [T4xx common](lenovo/t4xx_series.md) - [X2xx common](lenovo/x2xx_series.md) +- [VBOOT](lenovo/vboot.md)
### Arrandale series
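Review bot: The link label in the added line `- [VBOOT](lenovo/vboot.md)` still uses the upper-case spelling, while the subject of this patch set was changed to "vboot on Lenovo devices". Pick one spelling and use it for the index label and for the headings of the new page, and make the label say that the page is the Lenovo-specific vboot guide rather than a board page like its neighbours in this list.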
diff --git a/Documentation/mainboard/lenovo/vboot.md b/Documentation/mainboard/lenovo/vboot.md new file mode 100644 index 0000000..3e4d43b --- /dev/null +++ b/Documentation/mainboard/lenovo/vboot.md 
@@ -0,0 +1,39 @@ +# Using coreboot's verified boot on Lenovo devices + +By default a single instance of coreboot is present in the firmware flash, +no verification is done and the flash is not write-protected, so as to allow +firmware updates from the OS. +The verified boot mechanism also called [VBOOT] allows secure firmware +updates using an A/B partitioning scheme once enabled. + +## Enabling VBOOT +You can enable [VBOOT] in Kconfig's *Security* section. Besides a verified +boot you can also enable a measured boot by setting +`CONFIG_VBOOT_MEASURED_BOOT`. Both options need a working TPM, which is +present on all recent Lenovo devices. + +## Updating and recovery +As the A/B partition is writeable you can still update them from the OS. +By using the [VBOOT] mechanism you store a copy of coreboot in the `RO` +partition that acts as failsafe in case the regular firmware update, that +goes to the `A` or `B` partition fails. + +**Note:** The `RO` partition isn't write-protected by default. There's a patch +pending on gerrit [CB:32705] that write-protects the `RO` partition. + +On *Lenovo* devices you can enable the *Fn* key as recovery mode switch, by +enabling `CONFIG_H8_FN_KEY_AS_VBOOT_RECOVERY_SW`. +Holding the *Fn* at boot will then switch to the recovery image, allowing +to boot and flash a working image to the A/B partition. + +## 8 MiB ROM limitation +*Lenovo* devices with 8 MiB ROM only have a `RO`+`A` partition enabled in the +default FMAP. They are missing the `B` partition, due to size constaints. +You can still provide your own FMAP if you need `RO`+`A`+`B` partitions. + +## CMOS +[VBOOT] on *Lenovo* devices uses the CMOS to store configuration data, like +boot failures and the last successfully booted partition. + +[VBOOT]: ../../security/vboot/index.md +[CB:32705]: https://review.coreboot.org/32705
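Review bot: The opening paragraph still promises that VBOOT "allows secure firmware updates" without qualification, while the note that `RO` "isn't write-protected by default" only appears halfway down "Updating and recovery". The failsafe copy and the Fn-key recovery path described in that section both depend on `RO`, so the caveat belongs next to the introductory claim, or the introduction should be qualified, and the text should say what a reader is expected to do until [CB:32705] is merged. Smaller points in the same hunk: "constaints" in the "8 MiB ROM limitation" section should be "constraints", "Holding the *Fn* at boot" is missing "key", and "As the A/B partition is writeable you can still update them" mixes singular and plural.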
9elements QA has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39151 )
Change subject: Documentation: Add vboot on Lenovo devices
Patch Set 9:
Automatic boot test returned (PASS/FAIL/TOTAL): 3/1/4
Emulation targets:
"QEMU x86 q35/ich9" using payload TianoCore : SUCCESS : https://lava.9esec.io/r/2684
"QEMU x86 q35/ich9" using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/2683
"QEMU x86 i440fx/piix4" using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/2682
"QEMU AArch64" using payload LinuxBoot_u-root_kexec : FAIL : https://lava.9esec.io/r/2681
Please note: This test is under development and might not be accurate at all!