coreboot October 2018

coreboot@coreboot.org

53 participants
145 discussions

Re: [coreboot] Burn 2MB coreboot.rom on 8MB flash chip
by Jose Trujillo 05 Oct '18

05 Oct '18

I have no idea bro.... I cannot help you with that. I am just curious.... Which brand and model of board are you using? ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, October 5, 2018 6:05 AM, Zvi Vered <veredz72(a)gmail.com> wrote: > Hi Jose, Mariusz,All, > > The vendor's rom file size is: 5,242,880 bytes > > After running: > dd if=coreboot.rom of=coreboot.rom.new bs=1M skip=3 > > I got a new file with the same size. > > I tried to program this new file and got the following message from the vendor's utlity: > > WARNING ! > This Image file doesn't match current System design! > Force update it will destroy the System's Activation Key. > We do not recommend flashing your BIOS. > Press "Y" to force update BIOS. > Press "N" to quit flash. > - Please select one of the options: > > I ignored the warning and programmed the BIOS. > > After reset, I got nothing. > > What is "System's Activation Key" ? > I'm sure that FSP (and other files) for my board are not properly configured yet. > But I suspect this is not the reason for the message. > > Thank you, > Zvika > > On Thu, Oct 4, 2018 at 9:47 PM Zvi Vered <veredz72(a)gmail.com> wrote: > >> Hi Jose, >> >> I probably made a mistake and erased the main BIOS chip (and also the secondary one) >> Currently my target is not booting OS at all. >> So I can not try Mariusz procedure. >> Hope to have an identical target soon. >> >> Thank you very much for your help, >> Zvika >> >> On Thu, Oct 4, 2018 at 6:31 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: >> >>> Zvika: >>> Doing a full flash doesn't work for you, this is what I been doing. >>> Try to use flashrom from linux if you want to do the full flash (may be it will work). >>> >>> An external programmer would be the optimal choice. >>> >>> Did you tried what Mariusz said? >>> Jose. >>> >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> On Thursday, October 4, 2018 6:20 PM, Zvi Vered <veredz72(a)gmail.com> wrote: >>> >>>> Hi Mariusz, Jose, All, >>>> >>>> Mariusz - Thank you very much for the solution. >>>> Jose - You wrote "I have never done this way...". >>>> Can you please suggest a better alternative ? >>>> >>>> Thank you, >>>> Zvika >>>> >>>> On Wed, Oct 3, 2018 at 8:39 PM Mariusz Szafrański via coreboot <coreboot(a)coreboot.org> wrote: >>>> >>>>> Hi Jose, >>>>> >>>>> In your case set: >>>>> ROM chip size = 8MB (your case) >>>>> CBFS_SIZE <= 5MB (your specific case) >>>>> >>>>> This will build 8M file. After that just cut last 5M of this 8M file (using any hexeditor) or use something like below from command line: >>>>> >>>>> dd if=coreboot.rom of=corebootout.rom bs=1M skip=3 >>>>> >>>>> (before doing that double check if original vendor`s rom file size is 5242880 bytes long) >>>>> >>>>> Mariusz >>>>> >>>>> W dniu 03.10.2018 o 08:53, Jose Trujillo via coreboot pisze: >>>>> >>>>>> You can do that but I have never done this way and I cannot help you with that. >>>>>> >>>>>> Someone else can advise on this? >>>>>> >>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>>> On Tuesday, October 2, 2018 9:39 PM, Zvi Vered [<veredz72(a)gmail.com>](mailto:veredz72@gmail.com) wrote: >>>>>> >>>>>>> Hi Jose, All, >>>>>>> >>>>>>> Highly appreciate your answers. >>>>>>> It seems the vital information in your replies are not documented. >>>>>>> >>>>>>> The original vendor's rom file size is 5MB. >>>>>>> Do you think I can create a 5MB coreboot.rom ? >>>>>>> >>>>>>> It seems that AfuEfix64.efi supplied by vendor is looking for 5MB rom file like the original one. For any other file size, AfuEfix64 fails. >>>>>>> >>>>>>> Thank you, >>>>>>> Zvika >>>>>>> >>>>>>> On Mon, Oct 1, 2018 at 2:08 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: >>>>>>> >>>>>>>> Zvika: >>>>>>>> >>>>>>>> There are 2 ways to build coreboot: (choose one).... >>>>>>>> 1.- Including IFD, TXE, GBE etc.... inside coreboot CBFS. >>>>>>>> 2.- Using the original firmware(FW) with IFD, TXE, GBE already in flash and just rewrite coreboot on top of the BIOS block. >>>>>>>> >>>>>>>> Your original computer Firmware = Intel FW + "BIOS" >>>>>>>> >>>>>>>> Intel FW = IFD +PD+ME/TXE+GBE >>>>>>>> BIOS=AMI-Phoenix etc... >>>>>>>> >>>>>>>> IFD=Intel Firmware Descriptor Table. >>>>>>>> PD=Parameters >>>>>>>> ME=Management Engine (For "Core" kind of processors). >>>>>>>> TXE=Trusted Execution Engine (For "Atom" kind of processors). >>>>>>>> GBE=Network card firmware. >>>>>>>> >>>>>>>> Zvika said: >>>>>>>> "After creating coreboot.rom should I always use the original BIOS with ifdtool to convert rom to bin ?" >>>>>>>> Answer: >>>>>>>> No, there are other methods and tools that can do the merge.... (ifdtool and Intel's FIT are working fine for me) >>>>>>>> >>>>>>>> After the creation of the coreboot build you have 2 ways of doing the flashing for your case: (with fpt). >>>>>>>> 1.- Flash the full 8MB (Intel FW+coreboot) if the SPI flash is blank or have unknown firmware. >>>>>>>> Use IFDTool in this case to inject coreboot to Intel FW..... then flash it with fpt . >>>>>>>> 2.- Flash only the BIOS block (5MB your specific case) in this case ask someone else how to do it with fpt.... >>>>>>>> >>>>>>>> I hope this answered your questions. >>>>>>>> Jose.. >>>>>>>> >>>>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>>>>> On Saturday, September 29, 2018 12:24 AM, Zvi Vered <veredz72(a)gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi Jose, >>>>>>>>> >>>>>>>>> You wrote: >>>>>>>>> "My recommended approach is using the original Intel FW with already included the FD, TXE". >>>>>>>>> >>>>>>>>> What is "original intel FW" ? >>>>>>>>> What is FD, TXE ? >>>>>>>>> >>>>>>>>> After creating coreboot.rom should I always use the original BIOS with ifdtool to convert rom to bin ? >>>>>>>>> >>>>>>>>> Thank you, >>>>>>>>> Zvika >>>>>>>>> >>>>>>>>> On Wed, Sep 26, 2018 at 7:27 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: >>>>>>>>> >>>>>>>>>> You are right Nico, >>>>>>>>>> >>>>>>>>>> I just forgot the troubles this caused me. >>>>>>>>>> I am sorry Vika... My mistake. >>>>>>>>>> >>>>>>>>>> I can confirm with Nico: >>>>>>>>>> ROM chip size = 8MB (your case) >>>>>>>>>> CBFS_SIZE = 2 to 5MB (your specific case) >>>>>>>>>> >>>>>>>>>> My recommended approach is using the original Intel FW with already included the FD, TXE. >>>>>>>>>> >>>>>>>>>> I never tested adding regions to coreboot but you can try. >>>>>>>>>> >>>>>>>>>> To have better chances of success you should be dumping hardware settings booting with your original "BIOS" (look for the attached file). >>>>>>>>>> >>>>>>>>>> Check if the system is "Memory down"or/and ECC because it will be needed to edit FSP (if using it). >>>>>>>>>> Dump memory settings with the following commands: >>>>>>>>>> >>>>>>>>>> sudo dnf install i2c-tools-perl >>>>>>>>>> sudo modprobe eeprom >>>>>>>>>> decode-dimms >>>>>>>>>> >>>>>>>>>> If you have not done this already there is still a long way to go. >>>>>>>>>> Don't get intimidated, just do it, if you have questions just ask.... I will try to help >>>>>>>>>> >>>>>>>>>> Good luck, >>>>>>>>>> Jose. >>>>>>>>>> >>>>>>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>>>>>>> On Wednesday, September 26, 2018 6:28 PM, Nico Huber <nico.h(a)gmx.de> wrote: >>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> On 9/26/18 9:19 AM, Jose Trujillo via coreboot wrote: >>>>>>>>>>> >>>>>>>>>>> > No, don't change it, you change the size of coreboot only if during the >>>>>>>>>>> > building process "make" complain that there is not enough space but in >>>>>>>>>>> > your case your build was already successful leave it like that. >>>>>>>>>>> >>>>>>>>>>> this advice seems very weird to me. I'm not experienced with Bay Trail. >>>>>>>>>>> But unless there is a bug in the Bay Trail code, you should always set >>>>>>>>>>> the correct ROM_SIZE (to the full flash chip size). Otherwise you may >>>>>>>>>>> introduce bugs in code that relies on this setting (e.g. saving the >>>>>>>>>>> MRC cache might fail and so would S3 resume). >>>>>>>>>>> >>>>>>>>>>> CBFS_SIZE however is the setting to adjust according to your needs. It >>>>>>>>>>> should be at most the size of the BIOS region. >>>>>>>>>>> >>>>>>>>>>> > In the rare circumstance that more space is required you can increase >>>>>>>>>>> > coreboot size to 4MB and istill will fit into your system 5MB of space >>>>>>>>>>> > available. >>>>>>>>>>> > "ifdtool" will inject coreboot in the top of the BYT_orig.bin and save >>>>>>>>>>> > as BYT_orig.bin.new that you can flash to your system. >>>>>>>>>>> >>>>>>>>>>> I assume this doesn't work oob if you set ROM_SIZE correctly. But it is >>>>>>>>>>> unnecessary to craft a single file by hand. You can either only flash >>>>>>>>>>> the BIOS region (recommended) or add the other regions in coreboot's >>>>>>>>>>> config (HAVE_{IFD,ME,GBE}_BIN). >>>>>>>>>>> >>>>>>>>>>> Nico >>>>> >>>>> -- >>>>> coreboot mailing list: coreboot(a)coreboot.org >>>>> https://mail.coreboot.org/mailman/listinfo/coreboot

1 0

Re: [coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by Mike Banon 05 Oct '18

05 Oct '18

> So this board may support Intel's strict security features like BootGuard and Intel ME. These security features are so strong [???] that even the top hackers in the open source community haven't fully cracked [???] Are you sure about that? Lots of vulnerabilities have been discovered at these "strong security features", and before Intel patches some vulnerability it's already in full use by some blackhat communities. Not to mention its' quite often that UEFI/BIOS updates, including those that deliver the security updates to ME, are neglected. The companies have so many servers, I'm confident the majority of them are running the outdated UEFI/BIOS versions. Also, these "strong security features" are closed source, and security through obscurity has never been a good thing On Thu, Oct 4, 2018 at 7:01 PM fightfakenews via coreboot <coreboot(a)coreboot.org> wrote: > > I came across this news today. Bloomberg says China is using a rice-sized chip to hack amazon servers. They published videos and photos here: > > https://twitter.com/business/status/1047788207557865473 > https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-u… > > They publish very limited evidence, so it leads me questioning whether the report is true. As a worker in China's hardware industry, I'm very concerned with this report. Is this true or just another fake news deliberately created to escalate the trade war between US and China? > > They did not mention the product name. But they published a gif image, then I did a little research to compare Supermicro's Microblade severs with the one in this gif file. It seems the product is the MBI-6128R-T2 https://www.supermicro.com/products/MicroBlade/module/MBI-6128R-T2.cfm > > This board has dual socket R3 (LGA 2011) that supports Intel® Xeon® processor E5-2600 v4†/ v3 family. So the processor is likely to be an intel one. So this board may support Intel's strict security features like BootGuard and Intel ME. These security features are so strong that even the top hackers in the open source community haven't fully cracked... > > The only techinical information they give is: The chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off. (It sounds like something related with the IPMI? Is this really can be done? Even this can be done, can this be used to access data?) > > > > -- > coreboot mailing list: coreboot(a)coreboot.org > https://mail.coreboot.org/mailman/listinfo/coreboot

1 0

Re: [coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by Jonathan Neuschäfer 05 Oct '18

05 Oct '18

On Thu, Oct 04, 2018 at 04:00:32PM +0000, fightfakenews via coreboot wrote: [...] > The only techinical information they give is: The chips could do all > this because they were connected to the baseboard management > controller, a kind of superchip that administrators use to remotely > log in to problematic servers, giving them access to the most > sensitive code even on machines that have crashed or are turned off. > (It sounds like something related with the IPMI? Is this really can be > done? Even this can be done, can this be used to access data?) Yes, this sounds possible. Hijacking the BMC's connection to the flash memory from which it boots (which has been speculated to be the attack, by various people on the internet) can in principle let an attacker backdoor the BMC's firmware. And BMCs have a lot of control over the host system, which may include DMA. See for example this presentation, about a different BMC implementation, esp. page 72 onward, "BMC to host": https://github.com/airbus-seclab/airbus-seclab.github.io/blob/master/ilo/RE… (Side note: I used the term "BMC" (baseboard management controller) here, but BMCs are sometimes called IPMIs, after the main protocol they historically implement, IPMI.) Greetings

1 0

Re: [coreboot] Burn 2MB coreboot.rom on 8MB flash chip
by Zvi Vered 05 Oct '18

05 Oct '18

Hi Jose, Mariusz,All, The vendor's rom file size is: 5,242,880 bytes After running: dd if=coreboot.rom of=coreboot.rom.new bs=1M skip=3 I got a new file with the same size. I tried to program this new file and got the following message from the vendor's utlity: WARNING ! This Image file doesn't match current System design! Force update it will destroy the System's Activation Key. We do not recommend flashing your BIOS. Press "Y" to force update BIOS. Press "N" to quit flash. - Please select one of the options: I ignored the warning and programmed the BIOS. After reset, I got nothing. What is "System's Activation Key" ? I'm sure that FSP (and other files) for my board are not properly configured yet. But I suspect this is not the reason for the message. Thank you, Zvika On Thu, Oct 4, 2018 at 9:47 PM Zvi Vered <veredz72(a)gmail.com> wrote: > Hi Jose, > > I probably made a mistake and erased the main BIOS chip (and also the > secondary one) > Currently my target is not booting OS at all. > So I can not try Mariusz procedure. > Hope to have an identical target soon. > > Thank you very much for your help, > Zvika > > On Thu, Oct 4, 2018 at 6:31 PM Jose Trujillo <ce.autom(a)protonmail.com> > wrote: > >> Zvika: >> Doing a full flash doesn't work for you, this is what I been doing. >> Try to use flashrom from linux if you want to do the full flash (may be >> it will work). >> >> An external programmer would be the optimal choice. >> >> Did you tried what Mariusz said? >> Jose. >> >> >> >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> On Thursday, October 4, 2018 6:20 PM, Zvi Vered <veredz72(a)gmail.com> >> wrote: >> >> Hi Mariusz, Jose, All, >> >> Mariusz - Thank you very much for the solution. >> Jose - You wrote "I have never done this way...". >> Can you please suggest a better alternative ? >> >> Thank you, >> Zvika >> >> >> On Wed, Oct 3, 2018 at 8:39 PM Mariusz Szafrański via coreboot < >> coreboot(a)coreboot.org> wrote: >> >>> Hi Jose, >>> >>> In your case set: >>> ROM chip size = 8MB (your case) >>> CBFS_SIZE <= 5MB (your specific case) >>> >>> This will build 8M file. After that just cut last 5M of this 8M file >>> (using any hexeditor) or use something like below from command line: >>> >>> dd if=coreboot.rom of=corebootout.rom bs=1M skip=3 >>> >>> (before doing that double check if original vendor`s rom file size is >>> 5242880 bytes long) >>> >>> Mariusz >>> >>> >>> W dniu 03.10.2018 o 08:53, Jose Trujillo via coreboot pisze: >>> >>> You can do that but I have never done this way and I cannot help you >>> with that. >>> >>> Someone else can advise on this? >>> >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> On Tuesday, October 2, 2018 9:39 PM, Zvi Vered <veredz72(a)gmail.com> >>> <veredz72(a)gmail.com> wrote: >>> >>> Hi Jose, All, >>> >>> Highly appreciate your answers. >>> It seems the vital information in your replies are not documented. >>> >>> The original vendor's rom file size is 5MB. >>> Do you think I can create a 5MB coreboot.rom ? >>> >>> It seems that AfuEfix64.efi supplied by vendor is looking for 5MB rom >>> file like the original one. For any other file size, AfuEfix64 fails. >>> >>> Thank you, >>> Zvika >>> >>> On Mon, Oct 1, 2018 at 2:08 PM Jose Trujillo <ce.autom(a)protonmail.com> >>> wrote: >>> >>>> Zvika: >>>> >>>> There are 2 ways to build coreboot: (choose one).... >>>> 1.- Including IFD, TXE, GBE etc.... inside coreboot CBFS. >>>> 2.- Using the original firmware(FW) with IFD, TXE, GBE already in flash >>>> and just rewrite coreboot on top of the BIOS block. >>>> >>>> Your original computer Firmware = Intel FW + "BIOS" >>>> >>>> Intel FW = IFD +PD+ME/TXE+GBE >>>> BIOS=AMI-Phoenix etc... >>>> >>>> IFD=Intel Firmware Descriptor Table. >>>> PD=Parameters >>>> ME=Management Engine (For "Core" kind of processors). >>>> TXE=Trusted Execution Engine (For "Atom" kind of processors). >>>> GBE=Network card firmware. >>>> >>>> Zvika said: >>>> "After creating coreboot.rom should I always use the original BIOS with >>>> ifdtool to convert rom to bin ?" >>>> Answer: >>>> No, there are other methods and tools that can do the merge.... >>>> (ifdtool and Intel's FIT are working fine for me) >>>> >>>> After the creation of the coreboot build you have 2 ways of doing the >>>> flashing for your case: (with fpt). >>>> 1.- Flash the full 8MB (Intel FW+coreboot) if the SPI flash is blank or >>>> have unknown firmware. >>>> Use IFDTool in this case to inject coreboot to Intel FW..... then >>>> flash it with fpt . >>>> 2.- Flash only the BIOS block (5MB your specific case) in this case ask >>>> someone else how to do it with fpt.... >>>> >>>> I hope this answered your questions. >>>> Jose.. >>>> >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>> On Saturday, September 29, 2018 12:24 AM, Zvi Vered <veredz72(a)gmail.com> >>>> wrote: >>>> >>>> Hi Jose, >>>> >>>> You wrote: >>>> "My recommended approach is using the original Intel FW with already >>>> included the FD, TXE". >>>> >>>> What is "original intel FW" ? >>>> What is FD, TXE ? >>>> >>>> After creating coreboot.rom should I always use the original BIOS with >>>> ifdtool to convert rom to bin ? >>>> >>>> Thank you, >>>> Zvika >>>> >>>> On Wed, Sep 26, 2018 at 7:27 PM Jose Trujillo <ce.autom(a)protonmail.com> >>>> wrote: >>>> >>>>> You are right Nico, >>>>> >>>>> I just forgot the troubles this caused me. >>>>> I am sorry Vika... My mistake. >>>>> >>>>> I can confirm with Nico: >>>>> ROM chip size = 8MB (your case) >>>>> CBFS_SIZE = 2 to 5MB (your specific case) >>>>> >>>>> My recommended approach is using the original Intel FW with already >>>>> included the FD, TXE. >>>>> >>>>> I never tested adding regions to coreboot but you can try. >>>>> >>>>> To have better chances of success you should be dumping hardware >>>>> settings booting with your original "BIOS" (look for the attached file). >>>>> >>>>> Check if the system is "Memory down"or/and ECC because it will be >>>>> needed to edit FSP (if using it). >>>>> Dump memory settings with the following commands: >>>>> >>>>> sudo dnf install i2c-tools-perl >>>>> sudo modprobe eeprom >>>>> decode-dimms >>>>> >>>>> If you have not done this already there is still a long way to go. >>>>> Don't get intimidated, just do it, if you have questions just ask.... >>>>> I will try to help >>>>> >>>>> Good luck, >>>>> Jose. >>>>> >>>>> >>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>> On Wednesday, September 26, 2018 6:28 PM, Nico Huber <nico.h(a)gmx.de> >>>>> wrote: >>>>> >>>>> > Hi, >>>>> > >>>>> > On 9/26/18 9:19 AM, Jose Trujillo via coreboot wrote: >>>>> > >>>>> > > No, don't change it, you change the size of coreboot only if >>>>> during the >>>>> > > building process "make" complain that there is not enough space >>>>> but in >>>>> > > your case your build was already successful leave it like that. >>>>> > >>>>> > this advice seems very weird to me. I'm not experienced with Bay >>>>> Trail. >>>>> > But unless there is a bug in the Bay Trail code, you should always >>>>> set >>>>> > the correct ROM_SIZE (to the full flash chip size). Otherwise you may >>>>> > introduce bugs in code that relies on this setting (e.g. saving the >>>>> > MRC cache might fail and so would S3 resume). >>>>> > >>>>> > CBFS_SIZE however is the setting to adjust according to your needs. >>>>> It >>>>> > should be at most the size of the BIOS region. >>>>> > >>>>> > > In the rare circumstance that more space is required you can >>>>> increase >>>>> > > coreboot size to 4MB and istill will fit into your system 5MB of >>>>> space >>>>> > > available. >>>>> > > "ifdtool" will inject coreboot in the top of the BYT_orig.bin and >>>>> save >>>>> > > as BYT_orig.bin.new that you can flash to your system. >>>>> > >>>>> > I assume this doesn't work oob if you set ROM_SIZE correctly. But it >>>>> is >>>>> > unnecessary to craft a single file by hand. You can either only flash >>>>> > the BIOS region (recommended) or add the other regions in coreboot's >>>>> > config (HAVE_{IFD,ME,GBE}_BIN). >>>>> > >>>>> > Nico >>>>> >>>>> >>>>> >>>> >>> >>> >>> -- >>> coreboot mailing list: coreboot(a)coreboot.org >>> https://mail.coreboot.org/mailman/listinfo/coreboot >>> >> >>

1 0

Re: [coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by seclists＠boxdan.com 04 Oct '18

04 Oct '18

If there are any mailing lists which are more suitable to this discussion, please mention them so we may subscribe to them and discuss this there. > David Hendricks <david.hendricks(a)gmail.com> hat am 4. Oktober 2018 um 19:00 geschrieben: > > > On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot < > coreboot(a)coreboot.org> wrote: > > > But generally speaking: that discussion is rather off topic for this > > mailing list. > > Please look for some more suitable venue to discuss "people potentially > > tampering other people's devices (with no obvious connection to coreboot)". > > > > Patrick is right that the Bloomberg article is not particularly well-suited > for the coreboot mailing list. > > However, it's still worth pointing out that supply chain attacks are a > serious threat. This could be in the form of added hardware (like the > Bloomberg article suggests) or it could be in the form of firmware that > contains malicious code from any of the many parties involved in creating > it. > > Traditionally, firmware contains modules from the silicon vendor, a > software vendor (IBV/ISV) who packages it with their SDK and value-add > software, and ODMs/OEMs who make further product-specific additions. Modern > firmware can easily contain over a million lines (or multiple millions of > lines) of code from several parties, and this code runs at the highest > privilege level before any OS-based security mechanism comes into play. > Anyone in that part of the supply chain can slip in malicious code, and the > customer usually doesn't have any way of viewing the code or tracing where > it came from due to its closed nature. > > That is relevant to coreboot insofar as coreboot has been leading the > charge (with varying levels of success) for open and auditable firmware on > x86 platforms for nearly two decades. > -- > coreboot mailing list: coreboot(a)coreboot.org > https://mail.coreboot.org/mailman/listinfo/coreboot

2 1

Re: [coreboot] Burn 2MB coreboot.rom on 8MB flash chip
by Zvi Vered 04 Oct '18

04 Oct '18

Hi Jose, I probably made a mistake and erased the main BIOS chip (and also the secondary one) Currently my target is not booting OS at all. So I can not try Mariusz procedure. Hope to have an identical target soon. Thank you very much for your help, Zvika On Thu, Oct 4, 2018 at 6:31 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: > Zvika: > Doing a full flash doesn't work for you, this is what I been doing. > Try to use flashrom from linux if you want to do the full flash (may be it > will work). > > An external programmer would be the optimal choice. > > Did you tried what Mariusz said? > Jose. > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Thursday, October 4, 2018 6:20 PM, Zvi Vered <veredz72(a)gmail.com> > wrote: > > Hi Mariusz, Jose, All, > > Mariusz - Thank you very much for the solution. > Jose - You wrote "I have never done this way...". > Can you please suggest a better alternative ? > > Thank you, > Zvika > > > On Wed, Oct 3, 2018 at 8:39 PM Mariusz Szafrański via coreboot < > coreboot(a)coreboot.org> wrote: > >> Hi Jose, >> >> In your case set: >> ROM chip size = 8MB (your case) >> CBFS_SIZE <= 5MB (your specific case) >> >> This will build 8M file. After that just cut last 5M of this 8M file >> (using any hexeditor) or use something like below from command line: >> >> dd if=coreboot.rom of=corebootout.rom bs=1M skip=3 >> >> (before doing that double check if original vendor`s rom file size is >> 5242880 bytes long) >> >> Mariusz >> >> >> W dniu 03.10.2018 o 08:53, Jose Trujillo via coreboot pisze: >> >> You can do that but I have never done this way and I cannot help you with >> that. >> >> Someone else can advise on this? >> >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> On Tuesday, October 2, 2018 9:39 PM, Zvi Vered <veredz72(a)gmail.com> >> <veredz72(a)gmail.com> wrote: >> >> Hi Jose, All, >> >> Highly appreciate your answers. >> It seems the vital information in your replies are not documented. >> >> The original vendor's rom file size is 5MB. >> Do you think I can create a 5MB coreboot.rom ? >> >> It seems that AfuEfix64.efi supplied by vendor is looking for 5MB rom >> file like the original one. For any other file size, AfuEfix64 fails. >> >> Thank you, >> Zvika >> >> On Mon, Oct 1, 2018 at 2:08 PM Jose Trujillo <ce.autom(a)protonmail.com> >> wrote: >> >>> Zvika: >>> >>> There are 2 ways to build coreboot: (choose one).... >>> 1.- Including IFD, TXE, GBE etc.... inside coreboot CBFS. >>> 2.- Using the original firmware(FW) with IFD, TXE, GBE already in flash >>> and just rewrite coreboot on top of the BIOS block. >>> >>> Your original computer Firmware = Intel FW + "BIOS" >>> >>> Intel FW = IFD +PD+ME/TXE+GBE >>> BIOS=AMI-Phoenix etc... >>> >>> IFD=Intel Firmware Descriptor Table. >>> PD=Parameters >>> ME=Management Engine (For "Core" kind of processors). >>> TXE=Trusted Execution Engine (For "Atom" kind of processors). >>> GBE=Network card firmware. >>> >>> Zvika said: >>> "After creating coreboot.rom should I always use the original BIOS with >>> ifdtool to convert rom to bin ?" >>> Answer: >>> No, there are other methods and tools that can do the merge.... (ifdtool >>> and Intel's FIT are working fine for me) >>> >>> After the creation of the coreboot build you have 2 ways of doing the >>> flashing for your case: (with fpt). >>> 1.- Flash the full 8MB (Intel FW+coreboot) if the SPI flash is blank or >>> have unknown firmware. >>> Use IFDTool in this case to inject coreboot to Intel FW..... then >>> flash it with fpt . >>> 2.- Flash only the BIOS block (5MB your specific case) in this case ask >>> someone else how to do it with fpt.... >>> >>> I hope this answered your questions. >>> Jose.. >>> >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> On Saturday, September 29, 2018 12:24 AM, Zvi Vered <veredz72(a)gmail.com> >>> wrote: >>> >>> Hi Jose, >>> >>> You wrote: >>> "My recommended approach is using the original Intel FW with already >>> included the FD, TXE". >>> >>> What is "original intel FW" ? >>> What is FD, TXE ? >>> >>> After creating coreboot.rom should I always use the original BIOS with >>> ifdtool to convert rom to bin ? >>> >>> Thank you, >>> Zvika >>> >>> On Wed, Sep 26, 2018 at 7:27 PM Jose Trujillo <ce.autom(a)protonmail.com> >>> wrote: >>> >>>> You are right Nico, >>>> >>>> I just forgot the troubles this caused me. >>>> I am sorry Vika... My mistake. >>>> >>>> I can confirm with Nico: >>>> ROM chip size = 8MB (your case) >>>> CBFS_SIZE = 2 to 5MB (your specific case) >>>> >>>> My recommended approach is using the original Intel FW with already >>>> included the FD, TXE. >>>> >>>> I never tested adding regions to coreboot but you can try. >>>> >>>> To have better chances of success you should be dumping hardware >>>> settings booting with your original "BIOS" (look for the attached file). >>>> >>>> Check if the system is "Memory down"or/and ECC because it will be >>>> needed to edit FSP (if using it). >>>> Dump memory settings with the following commands: >>>> >>>> sudo dnf install i2c-tools-perl >>>> sudo modprobe eeprom >>>> decode-dimms >>>> >>>> If you have not done this already there is still a long way to go. >>>> Don't get intimidated, just do it, if you have questions just ask.... I >>>> will try to help >>>> >>>> Good luck, >>>> Jose. >>>> >>>> >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>> On Wednesday, September 26, 2018 6:28 PM, Nico Huber <nico.h(a)gmx.de> >>>> wrote: >>>> >>>> > Hi, >>>> > >>>> > On 9/26/18 9:19 AM, Jose Trujillo via coreboot wrote: >>>> > >>>> > > No, don't change it, you change the size of coreboot only if during >>>> the >>>> > > building process "make" complain that there is not enough space but >>>> in >>>> > > your case your build was already successful leave it like that. >>>> > >>>> > this advice seems very weird to me. I'm not experienced with Bay >>>> Trail. >>>> > But unless there is a bug in the Bay Trail code, you should always set >>>> > the correct ROM_SIZE (to the full flash chip size). Otherwise you may >>>> > introduce bugs in code that relies on this setting (e.g. saving the >>>> > MRC cache might fail and so would S3 resume). >>>> > >>>> > CBFS_SIZE however is the setting to adjust according to your needs. It >>>> > should be at most the size of the BIOS region. >>>> > >>>> > > In the rare circumstance that more space is required you can >>>> increase >>>> > > coreboot size to 4MB and istill will fit into your system 5MB of >>>> space >>>> > > available. >>>> > > "ifdtool" will inject coreboot in the top of the BYT_orig.bin and >>>> save >>>> > > as BYT_orig.bin.new that you can flash to your system. >>>> > >>>> > I assume this doesn't work oob if you set ROM_SIZE correctly. But it >>>> is >>>> > unnecessary to craft a single file by hand. You can either only flash >>>> > the BIOS region (recommended) or add the other regions in coreboot's >>>> > config (HAVE_{IFD,ME,GBE}_BIN). >>>> > >>>> > Nico >>>> >>>> >>>> >>> >> >> >> -- >> coreboot mailing list: coreboot(a)coreboot.org >> https://mail.coreboot.org/mailman/listinfo/coreboot >> > >

1 0

Re: [coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by David Hendricks 04 Oct '18

04 Oct '18

On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot < coreboot(a)coreboot.org> wrote: > But generally speaking: that discussion is rather off topic for this > mailing list. > Please look for some more suitable venue to discuss "people potentially > tampering other people's devices (with no obvious connection to coreboot)". > Patrick is right that the Bloomberg article is not particularly well-suited for the coreboot mailing list. However, it's still worth pointing out that supply chain attacks are a serious threat. This could be in the form of added hardware (like the Bloomberg article suggests) or it could be in the form of firmware that contains malicious code from any of the many parties involved in creating it. Traditionally, firmware contains modules from the silicon vendor, a software vendor (IBV/ISV) who packages it with their SDK and value-add software, and ODMs/OEMs who make further product-specific additions. Modern firmware can easily contain over a million lines (or multiple millions of lines) of code from several parties, and this code runs at the highest privilege level before any OS-based security mechanism comes into play. Anyone in that part of the supply chain can slip in malicious code, and the customer usually doesn't have any way of viewing the code or tracing where it came from due to its closed nature. That is relevant to coreboot insofar as coreboot has been leading the charge (with varying levels of success) for open and auditable firmware on x86 platforms for nearly two decades.

1 0

Re: [coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by Patrick Georgi 04 Oct '18

04 Oct '18

I could think of a few approaches to backdoor a system by having a very tiny chip connect to a select set of traces. But generally speaking: that discussion is rather off topic for this mailing list. Please look for some more suitable venue to discuss "people potentially tampering other people's devices (with no obvious connection to coreboot)". Patrick Am Do., 4. Okt. 2018 um 18:02 Uhr schrieb fightfakenews via coreboot < coreboot(a)coreboot.org>: > I came across this news today. Bloomberg says China is using a rice-sized > chip to hack amazon servers. They published videos and photos here: > > https://twitter.com/business/status/1047788207557865473 > > https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-u… > > They publish very limited evidence, so it leads me questioning whether the > report is true. As a worker in China's hardware industry, I'm very > concerned with this report. Is this true or just another fake news > deliberately created to escalate the trade war between US and China? > > They did not mention the product name. But they published a gif image, > then I did a little research to compare Supermicro's Microblade severs with > the one in this gif file. It seems the product is the MBI-6128R-T2 > https://www.supermicro.com/products/MicroBlade/module/MBI-6128R-T2.cfm > > This board has dual socket R3 (LGA 2011) that supports Intel® Xeon® > processor E5-2600 v4†/ v3 family. So the processor is likely to be an intel > one. So this board may support Intel's strict security features like > BootGuard and Intel ME. These security features are so strong that even the > top hackers in the open source community haven't fully cracked... > > The only techinical information they give is: The chips could do all this > because they were connected to the baseboard management controller, a kind > of superchip that administrators use to remotely log in to problematic > servers, giving them access to the most sensitive code even on machines > that have crashed or are turned off. (It sounds like something related with > the IPMI? Is this really can be done? Even this can be done, can this be > used to access data?) > > > > -- > coreboot mailing list: coreboot(a)coreboot.org > https://mail.coreboot.org/mailman/listinfo/coreboot -- Google Germany GmbH, ABC-Str. 19, 20354 Hamburg Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

1 0

Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.
by fightfakenews 04 Oct '18

04 Oct '18

I came across this news today. Bloomberg says China is using a rice-sized chip to hack amazon servers. They published videos and photos here: https://twitter.com/business/status/1047788207557865473 https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-u… They publish very limited evidence, so it leads me questioning whether the report is true. As a worker in China's hardware industry, I'm very concerned with this report. Is this true or just another fake news deliberately created to escalate the trade war between US and China? They did not mention the product name. But they published a gif image, then I did a little research to compare Supermicro's Microblade severs with the one in this gif file. It seems the product is the MBI-6128R-T2 https://www.supermicro.com/products/MicroBlade/module/MBI-6128R-T2.cfm This board has dual socket R3 (LGA 2011) that supports Intel® Xeon® processor E5-2600 v4†/ v3 family. So the processor is likely to be an intel one. So this board may support Intel's strict security features like BootGuard and Intel ME. These security features are so strong that even the top hackers in the open source community haven't fully cracked... The only techinical information they give is: The chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off. (It sounds like something related with the IPMI? Is this really can be done? Even this can be done, can this be used to access data?)

1 0

Re: [coreboot] Burn 2MB coreboot.rom on 8MB flash chip
by Jose Trujillo 04 Oct '18

04 Oct '18

Zvika: Doing a full flash doesn't work for you, this is what I been doing. Try to use flashrom from linux if you want to do the full flash (may be it will work). An external programmer would be the optimal choice. Did you tried what Mariusz said? Jose. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, October 4, 2018 6:20 PM, Zvi Vered <veredz72(a)gmail.com> wrote: > Hi Mariusz, Jose, All, > > Mariusz - Thank you very much for the solution. > Jose - You wrote "I have never done this way...". > Can you please suggest a better alternative ? > > Thank you, > Zvika > > On Wed, Oct 3, 2018 at 8:39 PM Mariusz Szafrański via coreboot <coreboot(a)coreboot.org> wrote: > >> Hi Jose, >> >> In your case set: >> ROM chip size = 8MB (your case) >> CBFS_SIZE <= 5MB (your specific case) >> >> This will build 8M file. After that just cut last 5M of this 8M file (using any hexeditor) or use something like below from command line: >> >> dd if=coreboot.rom of=corebootout.rom bs=1M skip=3 >> >> (before doing that double check if original vendor`s rom file size is 5242880 bytes long) >> >> Mariusz >> >> W dniu 03.10.2018 o 08:53, Jose Trujillo via coreboot pisze: >> >>> You can do that but I have never done this way and I cannot help you with that. >>> >>> Someone else can advise on this? >>> >>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>> On Tuesday, October 2, 2018 9:39 PM, Zvi Vered [<veredz72(a)gmail.com>](mailto:veredz72@gmail.com) wrote: >>> >>>> Hi Jose, All, >>>> >>>> Highly appreciate your answers. >>>> It seems the vital information in your replies are not documented. >>>> >>>> The original vendor's rom file size is 5MB. >>>> Do you think I can create a 5MB coreboot.rom ? >>>> >>>> It seems that AfuEfix64.efi supplied by vendor is looking for 5MB rom file like the original one. For any other file size, AfuEfix64 fails. >>>> >>>> Thank you, >>>> Zvika >>>> >>>> On Mon, Oct 1, 2018 at 2:08 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: >>>> >>>>> Zvika: >>>>> >>>>> There are 2 ways to build coreboot: (choose one).... >>>>> 1.- Including IFD, TXE, GBE etc.... inside coreboot CBFS. >>>>> 2.- Using the original firmware(FW) with IFD, TXE, GBE already in flash and just rewrite coreboot on top of the BIOS block. >>>>> >>>>> Your original computer Firmware = Intel FW + "BIOS" >>>>> >>>>> Intel FW = IFD +PD+ME/TXE+GBE >>>>> BIOS=AMI-Phoenix etc... >>>>> >>>>> IFD=Intel Firmware Descriptor Table. >>>>> PD=Parameters >>>>> ME=Management Engine (For "Core" kind of processors). >>>>> TXE=Trusted Execution Engine (For "Atom" kind of processors). >>>>> GBE=Network card firmware. >>>>> >>>>> Zvika said: >>>>> "After creating coreboot.rom should I always use the original BIOS with ifdtool to convert rom to bin ?" >>>>> Answer: >>>>> No, there are other methods and tools that can do the merge.... (ifdtool and Intel's FIT are working fine for me) >>>>> >>>>> After the creation of the coreboot build you have 2 ways of doing the flashing for your case: (with fpt). >>>>> 1.- Flash the full 8MB (Intel FW+coreboot) if the SPI flash is blank or have unknown firmware. >>>>> Use IFDTool in this case to inject coreboot to Intel FW..... then flash it with fpt . >>>>> 2.- Flash only the BIOS block (5MB your specific case) in this case ask someone else how to do it with fpt.... >>>>> >>>>> I hope this answered your questions. >>>>> Jose.. >>>>> >>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>> On Saturday, September 29, 2018 12:24 AM, Zvi Vered <veredz72(a)gmail.com> wrote: >>>>> >>>>>> Hi Jose, >>>>>> >>>>>> You wrote: >>>>>> "My recommended approach is using the original Intel FW with already included the FD, TXE". >>>>>> >>>>>> What is "original intel FW" ? >>>>>> What is FD, TXE ? >>>>>> >>>>>> After creating coreboot.rom should I always use the original BIOS with ifdtool to convert rom to bin ? >>>>>> >>>>>> Thank you, >>>>>> Zvika >>>>>> >>>>>> On Wed, Sep 26, 2018 at 7:27 PM Jose Trujillo <ce.autom(a)protonmail.com> wrote: >>>>>> >>>>>>> You are right Nico, >>>>>>> >>>>>>> I just forgot the troubles this caused me. >>>>>>> I am sorry Vika... My mistake. >>>>>>> >>>>>>> I can confirm with Nico: >>>>>>> ROM chip size = 8MB (your case) >>>>>>> CBFS_SIZE = 2 to 5MB (your specific case) >>>>>>> >>>>>>> My recommended approach is using the original Intel FW with already included the FD, TXE. >>>>>>> >>>>>>> I never tested adding regions to coreboot but you can try. >>>>>>> >>>>>>> To have better chances of success you should be dumping hardware settings booting with your original "BIOS" (look for the attached file). >>>>>>> >>>>>>> Check if the system is "Memory down"or/and ECC because it will be needed to edit FSP (if using it). >>>>>>> Dump memory settings with the following commands: >>>>>>> >>>>>>> sudo dnf install i2c-tools-perl >>>>>>> sudo modprobe eeprom >>>>>>> decode-dimms >>>>>>> >>>>>>> If you have not done this already there is still a long way to go. >>>>>>> Don't get intimidated, just do it, if you have questions just ask.... I will try to help >>>>>>> >>>>>>> Good luck, >>>>>>> Jose. >>>>>>> >>>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>>>>> On Wednesday, September 26, 2018 6:28 PM, Nico Huber <nico.h(a)gmx.de> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> On 9/26/18 9:19 AM, Jose Trujillo via coreboot wrote: >>>>>>>> >>>>>>>> > No, don't change it, you change the size of coreboot only if during the >>>>>>>> > building process "make" complain that there is not enough space but in >>>>>>>> > your case your build was already successful leave it like that. >>>>>>>> >>>>>>>> this advice seems very weird to me. I'm not experienced with Bay Trail. >>>>>>>> But unless there is a bug in the Bay Trail code, you should always set >>>>>>>> the correct ROM_SIZE (to the full flash chip size). Otherwise you may >>>>>>>> introduce bugs in code that relies on this setting (e.g. saving the >>>>>>>> MRC cache might fail and so would S3 resume). >>>>>>>> >>>>>>>> CBFS_SIZE however is the setting to adjust according to your needs. It >>>>>>>> should be at most the size of the BIOS region. >>>>>>>> >>>>>>>> > In the rare circumstance that more space is required you can increase >>>>>>>> > coreboot size to 4MB and istill will fit into your system 5MB of space >>>>>>>> > available. >>>>>>>> > "ifdtool" will inject coreboot in the top of the BYT_orig.bin and save >>>>>>>> > as BYT_orig.bin.new that you can flash to your system. >>>>>>>> >>>>>>>> I assume this doesn't work oob if you set ROM_SIZE correctly. But it is >>>>>>>> unnecessary to craft a single file by hand. You can either only flash >>>>>>>> the BIOS region (recommended) or add the other regions in coreboot's >>>>>>>> config (HAVE_{IFD,ME,GBE}_BIN). >>>>>>>> >>>>>>>> Nico >> >> -- >> coreboot mailing list: coreboot(a)coreboot.org >> https://mail.coreboot.org/mailman/listinfo/coreboot

1 0

← Newer
1
...
9
10
11
12
13
14
15
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

coreboot October 2018