On Thu, Sep 16, 2021 at 09:37:02AM -0500, Brian Milliron wrote:
Using a hardware flasher isn't a workaround; the signature check is done in hardware by the ACM using keys fused into the ME. If Bootguard is enabled and the keys are fused, nothing can be done, unfortunately.
I checked the BIOS. There was nothing specifically listed as "Bootguard" but all the BIOS protection options were turned off, including one listed as "Checked boot block on every boot". I'm guessing that means Bootguard is installed but not enabled. Is there another place to look to get a more accurate/detailed read on this?
May I suggest that the best way forward would be to compile coreboot with debug options and go ahead and flash it. You will find out quickly where the issues are. Obviously, back up your current ROM first!
I myself am quite new to coreboot, but I have been able to successfully flash two as yet unsupported boards to coreboot (with some problems remaining).
For an initial trial, the steps I took look like this:
- read the vendor BIOS and extract descriptor.bin and me.bin from it (util/ifdtool -x vendor.bios)
- look through src/mainboard for the most similar board you can identify (for me, in retrospect, the Intel reference board was a good choice)
- create a new directory and modify Kconfig* accordingly
- look through devicetree.cb and all *.c files and remove code not applicable to your board. In general, be careful with voltage settings and such. My approach was to remove them when in doubt.
If you don't have serial on the platform, the next best option is to enable the flash log and read back the ROM after a boot attempt.
Send me an email if you need help doing these things, I would be glad to share my experience time permitting.
FSP (which contains both the MRC and PCH refcode) also does video init, and VBIOS isn't used on modern platforms. coreboot's native display init (libgfxinit) is preferred if available. The only bit you will likely need is the VBT, which you can get from Linux (or dump from vendor firmware, but it often contains multiple copies).
How would I get hold of this?
# find /sys -name "*vbt"
/sys/kernel/debug/dri/0/i915_vbt
best wishes,
Andreas
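Added example (not part of the thread above and not ifdtool's own code): a minimal re-implementation of what `ifdtool -x vendor.bios` does when it walks the Intel flash descriptor's region table to carve out descriptor.bin, me.bin and the BIOS region, followed by a scan of the BIOS region for the embedded "$VBT" copies mentioned above. Assumptions are labelled in the code: IFD v2 field widths (15-bit base and limit per FLREG word, as ifdtool uses for newer chipsets), the NR field of FLMAP0 giving the region count (newer descriptors may leave it 0, where ifdtool falls back to a fixed table size), and the `struct vbt_header` layout from the Linux i915 driver (20-byte signature, `vbt_size` at offset 24). The 1 MiB image built by `build_sample_image()` is constructed for the example and contains a valid descriptor but no real ME or BIOS contents; on a real dump you would pass `open("vendor.bios", "rb").read()` to `parse_ifd()` instead.

```python
"""Locate Intel flash-descriptor regions and VBT copies in a firmware image.

Constructed example, not ifdtool's code. Field positions follow the Intel
flash descriptor layout: signature 0x0FF0A55A at offset 0x10, FLMAP0 at
offset 0x14, region table (FLREGn words) at FRBA.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A  # descriptor signature, at image offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]


def parse_ifd(image: bytes) -> dict:
    """Return {region name: (base, limit)} for every populated region.

    Assumption: IFD v2 widths (15-bit base/limit in each FLREG word) and
    NR in FLMAP0 bits 26:24 as the region count.
    """
    if struct.unpack_from("<I", image, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4  # region table base, in bytes
    nr = ((flmap0 >> 24) & 0x07) + 1     # number of FLREG entries
    regions = {}
    for i in range(nr):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:  # unused regions are encoded with base > limit
            continue
        name = REGION_NAMES[i] if i < len(REGION_NAMES) else f"Region{i}"
        regions[name] = (base, limit)
    return regions


def extract_region(image: bytes, regions: dict, name: str) -> bytes:
    """Slice one region (what ifdtool -x writes to flashregion_N_*.bin)."""
    base, limit = regions[name]
    return image[base:limit + 1]


def find_vbts(blob: bytes) -> list:
    """Return (offset, vbt_size) for each "$VBT" header found in blob.

    Assumption: struct vbt_header has a 20-byte signature and vbt_size as
    the u16 at offset 24, as defined in the Linux i915 driver headers.
    """
    found = []
    pos = blob.find(b"$VBT")
    while pos != -1:
        size = 0
        if pos + 26 <= len(blob):
            size = struct.unpack_from("<H", blob, pos + 24)[0]
        found.append((pos, size))
        pos = blob.find(b"$VBT", pos + 4)
    return found


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: descriptor 0x0-0xFFF, BIOS 0x80000-0xFFFFF,
    ME 0x1000-0x7FFFF, GbE and Platform regions marked unused, and two
    "$VBT" copies inside the BIOS region (as vendor images often carry)."""
    img = bytearray(b"\xff" * (1 << 20))
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba, nr = 0x40, 5
    struct.pack_into("<I", img, 0x14, ((nr - 1) << 24) | ((frba >> 4) << 16))

    def flreg(base, limit):  # byte addresses -> FLREG encoding (4 KiB units)
        return ((limit >> 12) << 16) | (base >> 12)

    unused = 0x00007FFF  # base 0x7FFF > limit 0
    entries = [flreg(0x0, 0xFFF), flreg(0x80000, 0xFFFFF),
               flreg(0x1000, 0x7FFFF), unused, unused]
    for i, e in enumerate(entries):
        struct.pack_into("<I", img, frba + 4 * i, e)

    # vbt_header: signature[20], version, header_size, vbt_size, checksum,
    # reserved, bdb_offset, aim_offset[4] -> 48 bytes in total
    hdr = b"$VBT SAMPLE".ljust(20, b"\x00")
    hdr += struct.pack("<HHHBBI", 0x100, 48, 0x1800, 0, 0, 48) + b"\x00" * 16
    for off in (0x90000, 0xA0000):
        img[off:off + len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    regs = parse_ifd(image)
    for name, (base, limit) in regs.items():
        print(f"{name:10s} 0x{base:08x}-0x{limit:08x}")
    bios = extract_region(image, regs, "BIOS")
    for off, size in find_vbts(bios):
        print(f"VBT copy at BIOS offset 0x{off:x}, vbt_size 0x{size:x}")
```

The unused-region test (`base > limit`) is the same convention ifdtool relies on, so a region that is genuinely absent from the vendor image (no GbE, say) simply does not appear in the result rather than producing an empty file.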