I checked the M720Q image with the Converged Security Suite: even though it has a BPM and a KM FIT entry (which is necessary for Bootguard), both have size 0, and I am not able to extract them properly. KMs normally have a __KEYM__ string in them; I cannot find one in the M720Q image.

All that would lead me to the assumption that at least the image I checked for the M720Q does not have Bootguard enabled - but I could be wrong ;)


On 3/17/24 02:03, mr gadha via coreboot wrote:
I have a Lenovo m710q and also an m720q (b360 south bridge). According to the tool, it looks like neither has BootGuard enabled.

However, inteltool didn’t identify (by name) the northbridges. Not yet sure if this is a bad omen…

I don’t have a serial port or SOIC clip, but was thinking of getting them.

Does anyone ever use the existing PEI code and boot coreboot with that? Or is going all the way on a new platform practical?

On Mar 15, 2024, at 11:46 PM, Nicholas Chin <nic.c3.14@gmail.com> wrote:

On 2024-03-15 22:24, mr gadha via coreboot wrote:
Are there any known tools for decoding the BootGuard policy?
I’m new to coreboot but have a system that I was interested in investigating adding support for it.
Hello! Welcome to coreboot! We look forward to any future contributions from you. There is the util/intelmetool utility in coreboot's source, which has a -b flag which is supposed to indicate the bootguard status. There are also some instructions for using it here: https://felixsinger.github.io/bootguard-status/

There's also a tool called MEInfo, which is an official tool from Intel and thus should be the most reliably accurate way of determining the BootGuard configuration. It is not supposed to be publicly available, but may or may not be possible to find on the internet anyway ;).

By the way, which system are you looking into?

The flash image has BootGuard signatures, but at least some parts of the UEFI area of the flash are modifiable (variables, logo, etc). I’m wondering if the DXE area is even protected at all…
Or does one just abandon any attempt as soon as a BootGuard header is seen?
The presence of BootGuard signatures in the ROM does not necessarily mean BootGuard is actually enabled in the chipset, so no need to abandon an attempt immediately upon seeing that.

coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-leave@coreboot.org
Christian Walter
Head of Firmware Development / Cyber Security

9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany
Email:  christian.walter@9elements.com
Phone:  +49 234 68 94 188
Mobile:  +49 176 70845047

Registered office: Bochum
Commercial register: Amtsgericht Bochum, HRB 17519
Managing directors: Sebastian Deutsch, Eray Basar

Privacy notice under Art. 13 GDPR
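The check Christian describes at the top of the thread (walk the FIT, look for KM and BPM entries, see whether their size is zero, and grep for the manifest structure IDs) as an added Python example; it is not code from the thread or from the Converged Security Suite. It assumes the image is top-aligned under 4 GiB (true for a full SPI dump or a BIOS region), uses the FIT entry types 0x0B (Key Manifest) and 0x0C (Boot Policy Manifest) from Intel's FIT layout, and runs on a constructed image that reproduces the "entries present but size 0, no __KEYM__" situation.

```python
import struct

FIT_POINTER_ADDR = 0xFFFFFFC0   # the 4-byte FIT pointer lives 0x40 below the 4 GiB top of flash
FIT_SIGNATURE = b"_FIT_   "     # address field of FIT entry 0 (the header)
KM_TYPE, BPM_TYPE = 0x0B, 0x0C  # FIT entry types for Key Manifest / Boot Policy Manifest

def parse_fit(image: bytes):
    """Return FIT entries as (type, address, size) tuples; each entry is 16 bytes:
    address(8) size(3) reserved(1) version(2) type(1, bit 7 = checksum valid) checksum(1)."""
    base = 0x100000000 - len(image)                 # assumption: image is top-aligned under 4 GiB
    fit_addr = struct.unpack_from("<I", image, FIT_POINTER_ADDR - base)[0]
    off = fit_addr - base
    if image[off:off + 8] != FIT_SIGNATURE:
        raise ValueError("FIT pointer does not point at a _FIT_ header")
    n_entries = int.from_bytes(image[off + 8:off + 11], "little")  # header size = entry count
    entries = []
    for i in range(n_entries):
        e = image[off + 16 * i:off + 16 * (i + 1)]
        addr = struct.unpack_from("<Q", e, 0)[0]
        size = int.from_bytes(e[8:11], "little")
        entries.append((e[14] & 0x7F, addr, size))
    return entries

def bootguard_manifest_check(image: bytes):
    """Mirror the manual check from the thread: are KM/BPM FIT entries present, are they
    zero-sized, and do the manifest structure IDs appear anywhere in the image?"""
    entries = parse_fit(image)
    km = [e for e in entries if e[0] == KM_TYPE]
    bpm = [e for e in entries if e[0] == BPM_TYPE]
    return {
        "km_entry": bool(km), "bpm_entry": bool(bpm),
        "km_size_zero": any(e[2] == 0 for e in km),
        "bpm_size_zero": any(e[2] == 0 for e in bpm),
        "keym_string": b"__KEYM__" in image,   # KM structure ID mentioned in the thread
        "acbp_string": b"__ACBP__" in image,   # BPM structure ID (assumption: standard BPM header)
    }

def build_sample_image(size=0x10000, fit_off=0x8000) -> bytes:
    """Constructed test image: a FIT with zero-sized KM and BPM entries and no manifest bodies."""
    img = bytearray(b"\xFF" * size)
    base = 0x100000000 - size
    def entry(addr, esize, etype):
        return struct.pack("<Q", addr) + esize.to_bytes(3, "little") + b"\x00" \
               + struct.pack("<H", 0x0100) + bytes([etype, 0x00])
    fit = FIT_SIGNATURE + (3).to_bytes(3, "little") + b"\x00" + struct.pack("<H", 0x0100) + b"\x00\x00"
    fit += entry(base + 0x1000, 0, KM_TYPE) + entry(base + 0x2000, 0, BPM_TYPE)
    img[fit_off:fit_off + len(fit)] = fit
    struct.pack_into("<I", img, FIT_POINTER_ADDR - base, base + fit_off)  # FIT pointer
    return bytes(img)

if __name__ == "__main__":
    print(bootguard_manifest_check(build_sample_image()))
```

On a real dump, a result with KM/BPM entries present but zero-sized and no __KEYM__ string matches what was seen for the M720Q image; it is a hint, not proof, since whether Boot Guard is enforced is decided by the chipset fuses/ME configuration, not by the flash contents alone.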