Hi all Coreboot folks,

I'm a first-year graduate student in CS and have been hanging around on #coreboot IRC (Libera.Chat server). I was wondering whether or not it is possible to port Coreboot to a Thinkpad T495 (AMD Ryzen 7 3700U PRO) manufactured in May 2019. I successfully dumped the BIOS using flashrom internally, see `flashrom_info.log` and `flashrom_info.err.log`.

It is unclear if there is any AMD protection that does the same as Intel BootGuard on Ryzen 3rd gen (there is for sure this since the 1st gen of Ryzen which is the equivalent to Intel Management Engine).

AMD has a whitepaper stating that from the Ryzen 5000s mobile generation, AMD PSB (Platform Secure Boot) is activated, and it looks kind of the same as Intel BootGuard, if I'm not mistaken here.

I know so far that the BIOS SPI chip operates at 1.8 V and is a Winbond flash chip "W25Q128.W" (16384 kB, SPI), which will be useful in case I need to externally flash the SPI ROM to unbrick the laptop.

I still have to:
- Test whether there is a protection that checks if the firmware was changed or not, by patching the original BIOS ROM. I was told for this to change a copyright string or change the logo:
    - It is a GIF file and has a SHA2-256 signature in its properties, which isn't the sha256sum of the file (I've attached the `identify -verbose logo.gif` output).
    - Trying to boot could allow checking for any tamper protection on the ROM flash (intentionally bricking the device if there is).
- Understand if the EC RAM is something I can make sense of or not (so far there are a lot of FF and 00 in it, and the last line shows the version of the embedded firmware); so far I'm not too sure I can make sense of it right now.
- Get the model of the EC and try to find datasheets online.

I have at my disposal:
- A kind of cheap 16-channel logic analyzer with software available on Linux/Windows, with a few decoders for most known serial protocols such as SMBus, I2C, SPI and more.
- Raspberry Pi 3 model B+ (will be used as an external programmer, but I still need to find out how I could pull down the power to 1.8 V since the VCC is 3.3 V).
- 8-pin SOIC clip (will be delivered to me in 2 weeks), I took the best one from this guide.
- A cheap multimeter with basic probes, capable of continuity testing.
And possibly more such as FPGAs by going to hackerspaces in my vicinity.

I have built Coreboot for qemu with the SeaBIOS payload as the documentation for GSoC recommended, see the `coreboot-serial.log` output attached as a text file.

In the case where there is indeed a protection, maybe a solution could be found by using a flash emulator (spispy?), but I need more details on this.

I am also aware that a complete port will not be feasible within the time period of GSoC, hence I need to know what basics need to be covered for a Coreboot port to be considered minimally working first. Should USB work? Charging is done using a USB-C port; this might be partly handled by the EC (Embedded Controller).

Finally, if nothing could be done on this Thinkpad because it is too recent, I also have an older Intel Thinkpad, a T450, which has Intel BootGuard but which I'm looking to try to port Coreboot to as well, using a flash emulator and possibly this attack.

Thanks for the time taken to read this lengthy mail, I hope the goal of this mail is clear.

Kind regards,
Lahfa Samy