On 31 Aug 2018, at 12:07, Nico Huber
Am 29.08.18 um 04:02 schrieb John Keates:
Thank you for your reply! Sadly, Boot Guard is
enabled in Verified Boot
mode. I’ll ask if Qotom can spin up a batch without any public key
burned into the CPU, or perhaps share the private key. (which is
obviously unlikely — but one can try)
there are other alternatives; BootGuard has not a single key but a
key hierarchy (probably for more profitable licensing schemes). So
you could try to get your own certificate signed by Qotom. But...
I can only advice against using BootGuard at all. If you don't have
one, you'd be looking forward to an NDA with Intel*. Also, you'd have
to integrate Intel's BootGuard ACM (piece of software that runs be-
fore host firmware) into your coreboot image and might also have to
adapt the early boot process of coreboot itself.
I thought the ACM was part of the ME or part of the Microcode itself, but I can be wrong.
From what I’ve read, the CPU has the hash of a public key burned in using fuses, but that
can only be done during manufacturing with the PCH attached.
This was because the fuses are blown using the ME, and the ME has control over the first
address the CPU will start executing code from. So the CPU has some minimal code besides
the microcode, both is signed by Intel. That code is also used to verify with the ME that
the SPI flash has signed contents and because the check is done super early, only the
result is taken, not the action that might follow from the result; so good signature/bad
signature only stops the CPU if the ME is active and a (signed) Boot Guard policy exists
to do anything about this.
That is why the exploit with the older Gigabyte motherboards worked where you remove the
BootGuard DXE (or was it a PEI module?) and then the Boot Guard init still works and lets
the CPU run, but the follow-up (halting/continuing) is never executed.
The same was with a TXE bug where you can drop the ME into debug mode and access it’s JTAG
via USB3, which can also be replaced in existing firmwares. When using JTAG, you can store
permanent changes in the ME firmware using the ME CPU itself to disable Boot Guard
pre-flash and also-post flash.
Another thing is the manufacturing mode PCH hard strap which puts the ME in insecure/BUP
only mode, but I haven’t found any reference to what that does to Boot Guard. It would be
fine for me if that disables Boot Guard follow-up (it still runs the init checks), because
I can permanently bridge the ME mode pads to keep it in manufacturing mode. (this board
has in fact two options, one is ME1 which is a jumper, and puts it in Jumper Security
Override mode, another is a GPOP33 pin strap which either does ‘more’ or something
I suppose I could check this by flipping a few bits in the SPI flash and checking if it
still boots, and then pull the jumper and check again.
About the port itself. There is another pitfall: Intel
FSP for Broad-
well is not integrated into upstream coreboot. What is integrated are
Google's blobs that do about the same as FSP but seem to be only licen-
sable as part of Chromebooks. IANAL, but I assume you could get into
trouble if you'd sell these blobs as part of your own product (not sure
if you want to sell anything). If you just want to use it in-house, that
might be possible, but again IANAL. (Welcome to the blob mess, btw.)
The alternative (with a much better license situation now) would be to
use Intel FSP. It does exist for Broadwell, it's "just" not integrated
So first try, I’d have to use google blobs just to get it running (is that that Purism
does as well?),
and when I get that running I can try the bare Intel FSP instead. I did know about the
license changes, that was good news indeed (much more liberal and easier to interpret).
I’m probably not going to publicly sell the stuff (but I will share it for free), so the
commercial part and distribution aspect won’t affect me there.
And some comments to your original mail:
- gpio.h is probably depending on the PCH used?
Seems to be generic for
this PCH as well
No, GPIO configuration is not generic. Never use the GPIO configuration
of another board! You might provoke short-circuits (I guess the PCH is
protected, but you never know what you break on the other side).
If you have another already working (reference) firmware for your board
(it seems so) you can dump the GPIO settings using `inteltool`.
I figured as much; I did dump all of the current data I could using the various tools,
It’s running Aptio UEFI in practically template mode with very little changes from the
demo board vs. this production board.
- romstage.c initialises the GPIOs does some PEI
data copy/memset and
then romstage_common (which probably is around or before the CAR stage?)
This code runs with CAR enabled (most C code before ramstage does). The
PEI data is passed to the Google blob. The GPIO config and what happens
in `romstage.c` are the most crucial parts to get your board booting.
Alas, I can't tell you much about PEI data for Broadwell. Some settings
are board specific, e.g. memory configuration. You have to figure the
correct settings for your board (some questions may be answered by its
Ah, so the PEI data I probably have to extract from the existing firmware and pass that to
Google’s blobs to make it work. The memory configuration/training data is regenerated at
first boot AFAIK, so as long as the Google blob or the standard Intel FSP does that, I
should be fine.
* Well, I have to admit, an NDA has become useful anyway when porting
coreboot. Mostly because Intel doesn't document what they are doing
coreboot mailing list: coreboot(a)coreboot.org
I think I’ll do some more experiments since it’s a good starter project to learn from for
me, even it in the end I can’t get past Boot Guard, I’ll still have more knowledge than I
did before. At that point I’ll probably move to ARM based boards anyway, unless I can by
the U-series CPU’s myself from a shady vendor without any blown fuses, I do have a reball
& SMT rework lab nearby where they have the equipment, steel stencils, paste and
experience to replace SoC’s, GPU’s, CPU’s and the likes. As long as they can program a
heating curve for this Intel part it should be fine, and as far as I know, they can X-Ray
larger BGA’s as well, so checking the solder joint status on the balls should be OK. This
is a stretch (and a somewhat expensive hobby project at that point), but could be fun