-----BEGIN PGP SIGNED MESSAGE-----
Hi @ all,
is there a Coroboot for the Lenovo T410 Laptop?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
A Hardware Enablement devroom will be taking place at FOSDEM this year,
on Sunday 10 December 2017. This newly-created devroom is the result of
3 proposals that were merged together. It is co-organized by several
The devroom covers all aspects related to hardware enablement and
support with free software, including aspects related to boot software,
firmwares, drivers and userspace tools and adaptation.
Proposals for talks related to these topics are welcome and can be
submitted until Sunday 26 November 2017 via the pentabarf interface.
Short talks are encouraged over longer ones in order to cover a wide
range of topics.
The announcement for the devroom, that contains all the useful
information, was published at:
Cheers and see you at FOSDEM!
Paul Kocialkowski, developer of free digital technology and hardware
Coding blog: https://code.paulk.fr/
Git repositories: https://git.paulk.fr/https://git.code.paulk.fr/
They said they would be releasing opteron microcode updates in a few
weeks but it has been over a month and I am wondering when this is going
to happen or if it already has and I should re-compile coreboot?
"We expect to make updates available for our previous generation
products over the coming weeks."
Thank you for your config. Now I have coreboot + SeaBIOS perfectly working.
Console speed is now "normal" :-)
These are the changes between the two configs:
diff config_original.txt config_Gergely.txt
< # CONFIG_USE_BLOBS is not set
> # CONFIG_POST_DEVICE is not set
< # CONFIG_PCI_OPTION_ROM_RUN_REALMODE is not set
< # CONFIG_PCI_OPTION_ROM_RUN_YABEL is not set
< # CONFIG_VGA_TEXT_FRAMEBUFFER is not set
< # Serial port base address = 0x3f8
> # Serial port base address = 0x2f8
< # CONFIG_POST_DEVICE_LPC is not set
< # CONFIG_POST_DEVICE_PCI_PCIE is not set
I made some tweaks to the configuration, added VGA output before
payload, a nice bootsplash, etc..
VGA Device PCI IDs are 1002,9830 (The default 1002,9836 does not get
Memory has to be located firstly on second slot (yellow DIMM_A2). If not
you get AGESA_FATAL_ERROR. I only have one module.
Please, find attached a working config.txt and console.log. Coreboot
revision is 4.7-294-g2db6fbc47b.
If you verify these changes are working for you is it possible to change
the defaults in Kconfig?
Thank you very much.
On 11/02/18 00:07, Gergely Kiss wrote:
> Strange, the log you shared looked less verbose to me than expected
> but seems like I was wrong. Anyway, you might find an example on a
> full debug log here .
> I have a small build script I use to build coreboot for my board,
> please find it attached.
> The version currently running on my box is 4.6-2554-ga1b4c94.
>  https://www.coreboot.org/Board:asus/am1i-a#Bootlog
> On 10 February 2018 at 23:18, Elisenda Cuadros <lists(a)e4l.es
> <mailto:email@example.com>> wrote:
> Thank you for your kind reply Gergely.
> I think the cable is not the problem, I have been using it for
> years and it's intact.
> I am using a usb dongle but not a cheap one. Tomorrow I will try
> with another cable and a real COM port. Just to be 100% sure.
> Console is fast at the very first time (just the "normal") but
> after two seconds it becomes extremely slow.
> Please, can you say me which is the git revision you are using?
> The console log I attached is from a SPEW debug level, not
> corresponding with the config.. I tried several configs today :-) .
> Is it possible to share your config with me?
> Best regards,
> On 10/02/18 21:44, Gergely Kiss wrote:
>> Hi Eli,
>> I've been using Coreboot on my board for several weeks, it is
>> serving as an HTPC running 24/7 and it's working perfectly stable
>> which suggests the firmware should be free of bugs. It is likely
>> that you are facing some configuration or hardware issue here.
>> I didn't see any issues with the serial output while working with
>> the board once the SuperIO chip started to work. Make sure the
>> cable you use is intact and try to attach it to another machine.
>> At the time I was working with my board, I used a Dell Port
>> Replicator with a native COM port so I could use a standard
>> null-modem cable and it was working flawlessly. In case you use a
>> USB serial adapter, try replacing it or attach the serial cable
>> directly to a COM port if you have one available.
>> Also, please enable debug_level=Spew as it seems the console log
>> you attached comes from a less verbose setting and therefore it's
>> not as useful as it should be.
>> Note that the VBIOS image is executed by SeaBIOS which means you
>> won't see anything on your display until the payload is executed.
>> If all else fails, you can still attach a POST debug module to
>> the LPC header of the board  which can help a lot to find out
>> where the boot process hangs.
>> Feel free to contact me if you need some more help or
>> information, I'm happy to assist!
>>  https://www.youtube.com/watch?v=aGGqsWx3-1c
>> On 10 February 2018 at 18:17, Elisenda Cuadros <lists(a)e4l.es
>> <mailto:firstname.lastname@example.org>> wrote:
>> I'm trying to use Coreboot in an Asus AM1I-A board recently
>> ported by Gergely Kiss (thank you!).
>> I am using the default config settings and added vga rom
>> extracted with UEFITool from the vendor bios.
>> After flashing and booting I get no output from vga.
>> Serial console is extremely slow too (30 minutes to write the
>> I attach the coreboot console log, config and cbfs.txt.
>> Any hints?
>> Thanks in advance.
>> Best regards,
>> -- Eli
What do you want to protect? If you want to protect the kernel, retpolines are OK on AMD.
And you don't need any microcode update. Your CPU needs to have SMEP, otherwise
you would need to clear RSB on CPL change (the paper on mentined page says that you need to do that
always, but at least on Ryzen, the attack using RSB is not working (we tried that out, maybe it works
only on some circumstances).
If you want to protect userspace, the RSB will be clear by IBPB (which you would need if you don't have userspace compiled
with retpolines). I don't know if intel clears RSB on IBPB... probably not
To sum it up on AMD:
retpolines, RSB clear on CPL change on CPU without SMEP (see above)
retpolines, RSB clear on context switch necessary or IBPB (needs microcode update).
Plus make sure you enable "LFENCE is dispatch serializing" - perhaps coreboot can do that :) it is simple
MSR write on fam 10h 12h+ the fam 11h and 0fh dont have this MSR but LFENCE is dispatch serilizing.
Besides that, you don't need any microcode update.
Plus of course there is a spectre variant 1, which is more difficult to mitigate, basically you need to check all the software
and look for any pattern like array_x[array_z[untrusted_index] * any transformation].
The first access would leak just address (ASLR defated), second will leak data.
The variant 1 works on user/user attack and as well as user/kernel.
As far I know there are no automated tools to check for this.
Dne 18.2.2018 v 12:48 Mike Banon napsal(a):
> Maybe its' a good idea to write to AMD support regarding this question
> - please share a reply if you would get an answer. I'm curious about
> other fam15 CPUs as well, e.g. A10-5750M microcode update would be
> nice, maybe a request could be more general, e.g. : what is the
> estimated release date for the microcode updates for fam15 AMD CPUs
> (so a request is not about "opterons only")
> On Sun, Feb 18, 2018 at 2:47 PM, Mike Banon <mikebdp2(a)gmail.com> wrote:
>> Maybe its' a good idea to write to AMD support regarding this question
>> - please share a reply if you would get an answer. I'm curious about
>> other fam15 CPUs as well, e.g. A10-5750M microcode update would be
>> nice, maybe a request could be more general, e.g. : what is the
>> estimated release date for the microcode updates for fam15 AMD CPUs
>> (so a request is not about "opterons only")
>> On Sun, Feb 18, 2018 at 4:30 AM, Taiidan(a)gmx.com <Taiidan(a)gmx.com> wrote:
>>> They said they would be releasing opteron microcode updates in a few weeks
>>> but it has been over a month and I am wondering when this is going to happen
>>> or if it already has and I should re-compile coreboot?
>>> "We expect to make updates available for our previous generation products
>>> over the coming weeks."
>>> coreboot mailing list: coreboot(a)coreboot.org
There's no "pure coreboot" systems. You need some payload.
Also, while Talos is truly awesome, the OP asked about coreboot specifically and Talos doesn't run coreboot :)
At the moment, the best coreboot-supported server motherboard is ASUS KGPE-D16. You can also get libre BMC with OpenBMC port for it.
If you just want a libre motherboard, Talos is the best you can get.
On 18-01-17 12:00:01, coreboot-request(a)coreboot.org wrote:
>Date: Tue, 16 Jan 2018 19:29:18 +0100
>From: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006(a)gmx.net>
>To: Coreboot <coreboot(a)coreboot.org>
>Subject: [coreboot] Server systems shipped with coreboot
>Content-Type: text/plain; charset=UTF-8
>does anyone have a list of server systems which are shipped with
>coreboot? I'm interested in coreboot+UEFI systems, coreboot+Linux
>systems, coreboot+SeaBIOS systems, pure coreboot systems.
>At 34C3 I was told by someone that a major vendor has been shipping
>servers with coreboot without announcing this, and I unfortunately
>neither remember the server model nor who told me about this. If said
>person could remind contact me, I'd be thankful.
>Date: Wed, 17 Jan 2018 00:28:23 +0300
>From: Mike Banon <mikebdp2(a)gmail.com>
>To: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006(a)gmx.net>,
>Subject: Re: [coreboot] Server systems shipped with coreboot
>Content-Type: text/plain; charset="UTF-8"
>Hi friend ! I just googled "coreboot servers" and found this:
>https://store.vikings.net/the-server-1u , and
>(Installation of coreboot is available with certain configurations;
>contact Sales for details.)
>And, of course, Talos II POWER9 servers which are already available
>They are the future of libre server computing :
>So basically there are two options:
>1) use one of a few coreboot-supported boards with AMD Opterons (which
>are also a bit outdated)
>you can even build such a server by yourself, just get the supported
>hardware and flash coreboot to it
>2) preorder Talos II and wait for shiny new server to come ;)
>On Tue, Jan 16, 2018 at 9:29 PM, Carl-Daniel Hailfinger
>> does anyone have a list of server systems which are shipped with
>> coreboot? I'm interested in coreboot+UEFI systems, coreboot+Linux
>> systems, coreboot+SeaBIOS systems, pure coreboot systems.
>> At 34C3 I was told by someone that a major vendor has been shipping
>> servers with coreboot without announcing this, and I unfortunately
>> neither remember the server model nor who told me about this. If said
>> person could remind contact me, I'd be thankful.
>> coreboot mailing list: coreboot(a)coreboot.org
>Subject: Digest Footer
>coreboot mailing list
>End of coreboot Digest, Vol 155, Issue 24
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
-----BEGIN PGP SIGNED MESSAGE-----
4 cores, SMT4. There's an 8-core available for $190 more, and AFAIK
there are plans to start offering an 18-core server chip very shortly.
These are the OpenPOWER machines, so there is hardware virtualization
support (including I/O passthrough) that works well with kvm and QEMU.
I haven't really heard anything referred to as "LPAR" on these newer
POWER8/POWER9 machines outside of legacy documents.
On 01/23/2018 12:47 PM, ron minnich wrote:
> how many cores is that? Does it come with LPAR?
> On Mon, Jan 22, 2018 at 9:48 PM Taiidan(a)gmx.com <mailto:Taiidan@gmx.com>
> <Taiidan(a)gmx.com <mailto:Taiidan@gmx.com>> wrote:
> In case anyone wants to know the (non-coreboot) libre firmware TALOS 2
> single CPU/board combo is now only 2.5K.
> I still can't figure out how they managed to make it so affordable, this
> is seriously great.
> coreboot mailing list: coreboot(a)coreboot.org
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
I am curious of any intel insiders know if there will be microcode
updates released for older intel CPU's (ex: sandy/ivybridge) and failing
that, what can be done in regards to securing them from meltdown/spectre.
I believe this is a relevant coreboot topic considering how many
coreboot boards have these and older CPU's....without a fix there will
be only one coreboot compatible laptop with open source hardware
initiation that is remotely secure (lenovo g505s as has a pre-PSP AMD
CPU) and theoretically owner controllable (as the previous C2D/C2Q's
such as the X200 are now permanently insecure without intervention from
At this point even a massive performance loss is better than having to
throw out so much now-useless hardware.
On many systems, coreboot firmware can initialize graphics hardware
and set up a high-resolution linear framebuffer. It exports information
about this framebuffer, along with various other information, in a table
discoverable via ACPI or a device tree.
coreboot also supports booting Linux directly from flash as a "payload".
Projects such as Heads, u-root, and petitboot provide a minimal
userland that can then be used to chainload (via kexec) into a full
Linux system loaded from disk or over the network.
Fitting even a minimal Linux system on an SPI flash chip is challenging.
Reusing the framebuffer setup from coreboot provides an enormous benefit
to these projects by allowing them to omit full graphics drivers from
their kernel builds. It also speeds up boot times by avoiding duplicated
effort, and because coreboot's graphics initialization is often much
faster than the Linux driver.
Patch 1 of this series expands coreboot table support into an enumerable
bus that devices can hang off of. Patches 2-3 convert the existing
drivers to use the new bus structure instead of ad-hoc platform devices,
and patch 4 removes the old coreboot_table_find function.
Finally, patch 5 adds a new driver for the coreboot-initialized
framebuffer. It improves on earlier work by being architecture-
independent and not needing to scan through low memory.
This patchset has been tested on a Lenovo ThinkPad X220, and earlier
versions of these patches have been tested by various members of the
coreboot community on other hardware.
Samuel Holland (5):
firmware: coreboot: Expose the coreboot table as a bus
firmware: memconsole: Probe via coreboot bus
firmware: vpd: Probe via coreboot bus
firmware: coreboot: Remove unused coreboot_table_find
firmware: coreboot: Add coreboot framebuffer driver
drivers/firmware/google/Kconfig | 8 ++
drivers/firmware/google/Makefile | 1 +
drivers/firmware/google/coreboot_table-acpi.c | 2 +-
drivers/firmware/google/coreboot_table-of.c | 2 +-
drivers/firmware/google/coreboot_table.c | 130 ++++++++++++++++++-------
drivers/firmware/google/coreboot_table.h | 72 +++++++++++---
drivers/firmware/google/framebuffer-coreboot.c | 115 ++++++++++++++++++++++
drivers/firmware/google/memconsole-coreboot.c | 49 ++++------
drivers/firmware/google/vpd.c | 43 +++-----
9 files changed, 313 insertions(+), 109 deletions(-)
create mode 100644 drivers/firmware/google/framebuffer-coreboot.c