coreboot February 2018

coreboot@coreboot.org

49 participants
79 discussions

Optiplex 790 now has preliminary support by coreboot
by Taiidan＠gmx.com 15 Jan '20

15 Jan '20

https://review.coreboot.org/21774 In case anyone else didn't notice - It is a sandy/ivy system with IOMMU. This is great and should help get coreboot in to the corporate user world.

2 1

Lenovo T410 Coreboot
by A. Veek 14 Dec '18

14 Dec '18

2 1

FOSDEM Hardware Enablement Devroom
by Paul Kocialkowski 04 Dec '18

04 Dec '18

A Hardware Enablement devroom will be taking place at FOSDEM this year, on Sunday 10 December 2017. This newly-created devroom is the result of 3 proposals that were merged together. It is co-organized by several individuals. The devroom covers all aspects related to hardware enablement and support with free software, including aspects related to boot software, firmwares, drivers and userspace tools and adaptation. Proposals for talks related to these topics are welcome and can be submitted until Sunday 26 November 2017 via the pentabarf interface. Short talks are encouraged over longer ones in order to cover a wide range of topics. The announcement for the devroom, that contains all the useful information, was published at: https://lists.fosdem.org/pipermail/fosdem/2017-October/002649.html Cheers and see you at FOSDEM! -- Paul Kocialkowski, developer of free digital technology and hardware support Website: https://www.paulk.fr/ Coding blog: https://code.paulk.fr/ Git repositories: https://git.paulk.fr/ https://git.code.paulk.fr/

3 3

When does AMD release the fam15 spectre microcode updates?
by Taiidan＠gmx.com 25 Apr '18

25 Apr '18

They said they would be releasing opteron microcode updates in a few weeks but it has been over a month and I am wondering when this is going to happen or if it already has and I should re-compile coreboot? https://www.amd.com/en/corporate/speculative-execution "We expect to make updates available for our previous generation products over the coming weeks." Thanks!

6 10

Re: [coreboot] Asus AM1I-A
by Elisenda Cuadros 16 Apr '18

16 Apr '18

Hi Gergely, Thank you for your config. Now I have coreboot + SeaBIOS perfectly working. Console speed is now "normal" :-) These are the changes between the two configs: ------------- diff config_original.txt config_Gergely.txt 23c23 < # CONFIG_USE_BLOBS is not set --- > CONFIG_USE_BLOBS=y 101c101 < CONFIG_UART_FOR_CONSOLE=0 --- > CONFIG_UART_FOR_CONSOLE=1 150c150 < CONFIG_POST_DEVICE=y --- > # CONFIG_POST_DEVICE is not set 210c210 < CONFIG_TTYS0_BASE=0x3f8 --- > CONFIG_TTYS0_BASE=0x2f8 428,429d427 < # CONFIG_PCI_OPTION_ROM_RUN_REALMODE is not set < # CONFIG_PCI_OPTION_ROM_RUN_YABEL is not set 431d428 < # CONFIG_VGA_TEXT_FRAMEBUFFER is not set 556c553 < # Serial port base address = 0x3f8 --- > # Serial port base address = 0x2f8 581,583d577 < CONFIG_POST_DEVICE_NONE=y < # CONFIG_POST_DEVICE_LPC is not set < # CONFIG_POST_DEVICE_PCI_PCIE is not set -------------- I made some tweaks to the configuration, added VGA output before payload, a nice bootsplash, etc.. Other considerations: VGA Device PCI IDs are 1002,9830 (The default 1002,9836 does not get output). Memory has to be located firstly on second slot (yellow DIMM_A2). If not you get AGESA_FATAL_ERROR. I only have one module. Please, find attached a working config.txt and console.log. Coreboot revision is 4.7-294-g2db6fbc47b. If you verify these changes are working for you is it possible to change the defaults in Kconfig? Thank you very much. Best regards, -- Eli On 11/02/18 00:07, Gergely Kiss wrote: > Strange, the log you shared looked less verbose to me than expected > but seems like I was wrong. Anyway, you might find an example on a > full debug log here [1]. > > I have a small build script I use to build coreboot for my board, > please find it attached. > > The version currently running on my box is 4.6-2554-ga1b4c94. > > [1] https://www.coreboot.org/Board:asus/am1i-a#Bootlog > > On 10 February 2018 at 23:18, Elisenda Cuadros <lists(a)e4l.es > <mailto:lists@e4l.es>> wrote: > > Thank you for your kind reply Gergely. > > I think the cable is not the problem, I have been using it for > years and it's intact. > > I am using a usb dongle but not a cheap one. Tomorrow I will try > with another cable and a real COM port. Just to be 100% sure. > > Console is fast at the very first time (just the "normal") but > after two seconds it becomes extremely slow. > > Please, can you say me which is the git revision you are using? > > The console log I attached is from a SPEW debug level, not > corresponding with the config.. I tried several configs today :-) . > > Is it possible to share your config with me? > > Best regards, > > Eli > > > On 10/02/18 21:44, Gergely Kiss wrote: >> Hi Eli, >> >> I've been using Coreboot on my board for several weeks, it is >> serving as an HTPC running 24/7 and it's working perfectly stable >> which suggests the firmware should be free of bugs. It is likely >> that you are facing some configuration or hardware issue here. >> >> I didn't see any issues with the serial output while working with >> the board once the SuperIO chip started to work. Make sure the >> cable you use is intact and try to attach it to another machine. >> At the time I was working with my board, I used a Dell Port >> Replicator with a native COM port so I could use a standard >> null-modem cable and it was working flawlessly. In case you use a >> USB serial adapter, try replacing it or attach the serial cable >> directly to a COM port if you have one available. >> >> Also, please enable debug_level=Spew as it seems the console log >> you attached comes from a less verbose setting and therefore it's >> not as useful as it should be. >> >> Note that the VBIOS image is executed by SeaBIOS which means you >> won't see anything on your display until the payload is executed. >> >> If all else fails, you can still attach a POST debug module to >> the LPC header of the board [1] which can help a lot to find out >> where the boot process hangs. >> >> Feel free to contact me if you need some more help or >> information, I'm happy to assist! >> >> Regards, >> Gergely >> >> [1] https://www.youtube.com/watch?v=aGGqsWx3-1c >> <https://www.youtube.com/watch?v=aGGqsWx3-1c> >> >> On 10 February 2018 at 18:17, Elisenda Cuadros <lists(a)e4l.es >> <mailto:lists@e4l.es>> wrote: >> >> Hello, >> >> I'm trying to use Coreboot in an Asus AM1I-A board recently >> ported by Gergely Kiss (thank you!). >> >> I am using the default config settings and added vga rom >> extracted with UEFITool from the vendor bios. >> >> After flashing and booting I get no output from vga. >> >> Serial console is extremely slow too (30 minutes to write the >> log) >> >> I attach the coreboot console log, config and cbfs.txt. >> >> Any hints? >> >> Thanks in advance. >> >> Best regards, >> >> -- Eli >> >> >> > > > >

3 5

Re: [coreboot] When does AMD release the fam15 spectre microcode updates?
by Rudolf Marek 12 Apr '18

12 Apr '18

Hi, What do you want to protect? If you want to protect the kernel, retpolines are OK on AMD. And you don't need any microcode update. Your CPU needs to have SMEP, otherwise you would need to clear RSB on CPL change (the paper on mentined page says that you need to do that always, but at least on Ryzen, the attack using RSB is not working (we tried that out, maybe it works only on some circumstances). If you want to protect userspace, the RSB will be clear by IBPB (which you would need if you don't have userspace compiled with retpolines). I don't know if intel clears RSB on IBPB... probably not To sum it up on AMD: kernel: retpolines, RSB clear on CPL change on CPU without SMEP (see above) userspace: retpolines, RSB clear on context switch necessary or IBPB (needs microcode update). Plus make sure you enable "LFENCE is dispatch serializing" - perhaps coreboot can do that :) it is simple MSR write on fam 10h 12h+ the fam 11h and 0fh dont have this MSR but LFENCE is dispatch serilizing. Besides that, you don't need any microcode update. Plus of course there is a spectre variant 1, which is more difficult to mitigate, basically you need to check all the software and look for any pattern like array_x[array_z[untrusted_index] * any transformation]. The first access would leak just address (ASLR defated), second will leak data. The variant 1 works on user/user attack and as well as user/kernel. As far I know there are no automated tools to check for this. Thanks Rudolf Dne 18.2.2018 v 12:48 Mike Banon napsal(a): > Maybe its' a good idea to write to AMD support regarding this question > - please share a reply if you would get an answer. I'm curious about > other fam15 CPUs as well, e.g. A10-5750M microcode update would be > nice, maybe a request could be more general, e.g. : what is the > estimated release date for the microcode updates for fam15 AMD CPUs > (so a request is not about "opterons only") > > On Sun, Feb 18, 2018 at 2:47 PM, Mike Banon <mikebdp2(a)gmail.com> wrote: >> Maybe its' a good idea to write to AMD support regarding this question >> - please share a reply if you would get an answer. I'm curious about >> other fam15 CPUs as well, e.g. A10-5750M microcode update would be >> nice, maybe a request could be more general, e.g. : what is the >> estimated release date for the microcode updates for fam15 AMD CPUs >> (so a request is not about "opterons only") >> >> On Sun, Feb 18, 2018 at 4:30 AM, Taiidan(a)gmx.com <Taiidan(a)gmx.com> wrote: >>> They said they would be releasing opteron microcode updates in a few weeks >>> but it has been over a month and I am wondering when this is going to happen >>> or if it already has and I should re-compile coreboot? >>> >>> https://www.amd.com/en/corporate/speculative-execution >>> "We expect to make updates available for our previous generation products >>> over the coming weeks." >>> >>> Thanks! >>> >>> >>> -- >>> coreboot mailing list: coreboot(a)coreboot.org >>> https://mail.coreboot.org/mailman/listinfo/coreboot >

3 4

Re: [coreboot] Server systems shipped with coreboot
by Piotr Kubaj 26 Mar '18

26 Mar '18

There's no "pure coreboot" systems. You need some payload. Also, while Talos is truly awesome, the OP asked about coreboot specifically and Talos doesn't run coreboot :) At the moment, the best coreboot-supported server motherboard is ASUS KGPE-D16. You can also get libre BMC with OpenBMC port for it. If you just want a libre motherboard, Talos is the best you can get. On 18-01-17 12:00:01, coreboot-request(a)coreboot.org wrote: >Message: 2 >Date: Tue, 16 Jan 2018 19:29:18 +0100 >From: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006(a)gmx.net> >To: Coreboot <coreboot(a)coreboot.org> >Subject: [coreboot] Server systems shipped with coreboot >Message-ID: <d5d6d8ee-77ee-4232-a89a-e5158140b065(a)gmx.net> >Content-Type: text/plain; charset=UTF-8 > >Hi, > >does anyone have a list of server systems which are shipped with >coreboot? I'm interested in coreboot+UEFI systems, coreboot+Linux >systems, coreboot+SeaBIOS systems, pure coreboot systems. > >At 34C3 I was told by someone that a major vendor has been shipping >servers with coreboot without announcing this, and I unfortunately >neither remember the server model nor who told me about this. If said >person could remind contact me, I'd be thankful. > >Regards, >Carl-Daniel > > > >------------------------------ > >Message: 3 >Date: Wed, 17 Jan 2018 00:28:23 +0300 >From: Mike Banon <mikebdp2(a)gmail.com> >To: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006(a)gmx.net>, > coreboot(a)coreboot.org >Subject: Re: [coreboot] Server systems shipped with coreboot >Message-ID: > <CAK7947nVZptQEhiRzfPQpt_KqVFERXzFNrppeb_NTVhEGxSLQQ(a)mail.gmail.com> >Content-Type: text/plain; charset="UTF-8" > >Hi friend ! I just googled "coreboot servers" and found this: > >https://store.vikings.net/the-server-1u , and >https://www.siliconmechanics.com/i7045/opteron-server.php >(Installation of coreboot is available with certain configurations; >contact Sales for details.) > >And, of course, Talos II POWER9 servers which are already available >for pre-orders. >They are the future of libre server computing : >https://www.raptorcs.com/TALOSII/prerelease.php > >So basically there are two options: >1) use one of a few coreboot-supported boards with AMD Opterons (which >are also a bit outdated) >you can even build such a server by yourself, just get the supported >hardware and flash coreboot to it >2) preorder Talos II and wait for shiny new server to come ;) > >Mike > > >On Tue, Jan 16, 2018 at 9:29 PM, Carl-Daniel Hailfinger ><c-d.hailfinger.devel.2006(a)gmx.net> wrote: >> Hi, >> >> does anyone have a list of server systems which are shipped with >> coreboot? I'm interested in coreboot+UEFI systems, coreboot+Linux >> systems, coreboot+SeaBIOS systems, pure coreboot systems. >> >> At 34C3 I was told by someone that a major vendor has been shipping >> servers with coreboot without announcing this, and I unfortunately >> neither remember the server model nor who told me about this. If said >> person could remind contact me, I'd be thankful. >> >> Regards, >> Carl-Daniel >> >> -- >> coreboot mailing list: coreboot(a)coreboot.org >> https://mail.coreboot.org/mailman/listinfo/coreboot > > > >------------------------------ > >Subject: Digest Footer > >_______________________________________________ >coreboot mailing list >coreboot(a)coreboot.org >https://mail.coreboot.org/mailman/listinfo/coreboot > >------------------------------ > >End of coreboot Digest, Vol 155, Issue 24 >***************************************** > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. >

4 3

Re: [coreboot] Server systems shipped with coreboot
by Timothy Pearson 23 Mar '18

23 Mar '18

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 4 cores, SMT4. There's an 8-core available for $190 more, and AFAIK there are plans to start offering an 18-core server chip very shortly. These are the OpenPOWER machines, so there is hardware virtualization support (including I/O passthrough) that works well with kvm and QEMU. I haven't really heard anything referred to as "LPAR" on these newer POWER8/POWER9 machines outside of legacy documents. On 01/23/2018 12:47 PM, ron minnich wrote: > how many cores is that? Does it come with LPAR? > > On Mon, Jan 22, 2018 at 9:48 PM Taiidan(a)gmx.com <mailto:Taiidan@gmx.com> > <Taiidan(a)gmx.com <mailto:Taiidan@gmx.com>> wrote: > > In case anyone wants to know the (non-coreboot) libre firmware TALOS 2 > single CPU/board combo is now only 2.5K. > > I still can't figure out how they managed to make it so affordable, this > is seriously great. > > -- > coreboot mailing list: coreboot(a)coreboot.org > <mailto:coreboot@coreboot.org> > https://mail.coreboot.org/mailman/listinfo/coreboot > - -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJaZ4U2AAoJEK+E3vEXDOFbBUEIAKxL6cD2L27yZh63OhM0TD8h BZD2r0nYF/NLfGi50KuMZPNzb2lpzgLHc06ZHZmJBU0sFUbTdI3WrYibDPtY4lva 1uG3gedN2u+sUCzTKrLILOyrstlJ2lQ4+8jxyO8PncK9Zx3LtgbSlGVGq+pvxsXI Ac8Yqm+de6Is8aaAHMMzaT9UNxcjXCAs/zZm3iWcPkA2B0CVVUoKnsFuhtGG1cGd j4bukGJrojkUMEFxIG93qphcurdP2AjuvOaUdZVuoC0uxdVL2az77SgRUH8Vmxdd SFhAzG7j4LsqGMwiZBkubBZpSMPj6kPyRQUIxwwAk/vRLpOxoPdaEbrI/9wyIaM= =PFaf -----END PGP SIGNATURE-----

2 1

Microcode updates for slightly older intel CPU's re: meltdown/spectre
by Taiidan＠gmx.com 21 Mar '18

21 Mar '18

I am curious of any intel insiders know if there will be microcode updates released for older intel CPU's (ex: sandy/ivybridge) and failing that, what can be done in regards to securing them from meltdown/spectre. I believe this is a relevant coreboot topic considering how many coreboot boards have these and older CPU's....without a fix there will be only one coreboot compatible laptop with open source hardware initiation that is remotely secure (lenovo g505s as has a pre-PSP AMD CPU) and theoretically owner controllable (as the previous C2D/C2Q's such as the X200 are now permanently insecure without intervention from intel apparently) At this point even a massive performance loss is better than having to throw out so much now-useless hardware.

10 20

[PATCH 0/5] coreboot table bus and framebuffer driver
by Samuel Holland 14 Mar '18

14 Mar '18

On many systems, coreboot[1] firmware can initialize graphics hardware and set up a high-resolution linear framebuffer. It exports information about this framebuffer, along with various other information, in a table discoverable via ACPI or a device tree. coreboot also supports booting Linux directly from flash as a "payload". Projects such as Heads[2], u-root[3], and petitboot[4] provide a minimal userland that can then be used to chainload (via kexec) into a full Linux system loaded from disk or over the network. Fitting even a minimal Linux system on an SPI flash chip is challenging. Reusing the framebuffer setup from coreboot provides an enormous benefit to these projects by allowing them to omit full graphics drivers from their kernel builds. It also speeds up boot times by avoiding duplicated effort, and because coreboot's graphics initialization is often much faster than the Linux driver. Patch 1 of this series expands coreboot table support into an enumerable bus that devices can hang off of. Patches 2-3 convert the existing drivers to use the new bus structure instead of ad-hoc platform devices, and patch 4 removes the old coreboot_table_find function. Finally, patch 5 adds a new driver for the coreboot-initialized framebuffer. It improves on earlier work[5] by being architecture- independent and not needing to scan through low memory. This patchset has been tested on a Lenovo ThinkPad X220, and earlier versions of these patches have been tested by various members of the coreboot community on other hardware. [1]: https://www.coreboot.org/Welcome_to_coreboot [2]: https://github.com/osresearch/heads [3]: https://github.com/u-root/u-root [4]: https://www.kernel.org/pub/linux/kernel/people/geoff/petitboot/petitboot.ht… [5]: https://mail.coreboot.org/pipermail/coreboot/2014-September/078551.html Samuel Holland (5): firmware: coreboot: Expose the coreboot table as a bus firmware: memconsole: Probe via coreboot bus firmware: vpd: Probe via coreboot bus firmware: coreboot: Remove unused coreboot_table_find firmware: coreboot: Add coreboot framebuffer driver drivers/firmware/google/Kconfig | 8 ++ drivers/firmware/google/Makefile | 1 + drivers/firmware/google/coreboot_table-acpi.c | 2 +- drivers/firmware/google/coreboot_table-of.c | 2 +- drivers/firmware/google/coreboot_table.c | 130 ++++++++++++++++++------- drivers/firmware/google/coreboot_table.h | 72 +++++++++++--- drivers/firmware/google/framebuffer-coreboot.c | 115 ++++++++++++++++++++++ drivers/firmware/google/memconsole-coreboot.c | 49 ++++------ drivers/firmware/google/vpd.c | 43 +++----- 9 files changed, 313 insertions(+), 109 deletions(-) create mode 100644 drivers/firmware/google/framebuffer-coreboot.c -- 2.13.6

3 7

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

coreboot February 2018