I have a Lenovo m710q and also a m720q (b360 south bridge). According to the tool, it looks like neither has BootGuard enabled.
However inteltool didn’t identify (by name) the northbridges. Not yet sure if this is a bad omen…
I don’t have a serial port or SOIC clip, but was thinking of getting them.
Does anyone ever use the existing PEI code and boot coreboot with that? Or is going all the way on a new platform practical?
On Mar 15, 2024, at 11:46 PM, Nicholas Chin nic.c3.14@gmail.com wrote:
On 2024-03-15 22:24, mr gadha via coreboot wrote:
Are there any known tools for decoding the BootGuard policy? I’m new to coreboot but have a system that I was interested in investigating adding support for it.
Hello! Welcome to coreboot! We look forward to any future contributions from you. There is the util/intelmetool utility in coreboot's source, which has a -b flag which is supposed to indicate the bootguard status. There are also some instructions for using it here: https://felixsinger.github.io/bootguard-status/
There's also a tool called MEInfo, which is an official tool from Intel and thus should be the most reliably accurate way of determining the BootGuard configuration. It is not supposed to be publicly available, but may or may not be possible to find on the internet anyway ;).
By the way, which system are you looking into?
The flash image has BootGuard signatures, but at least some parts of the UEFI area of the flash are modifiable (variables, logo, etc). I’m wondering if the DXE area is even protected at all… Or does one just abandon any attempt as soon as a BootGuard header is seen?
The presence of BootGuard signatures in the ROM does not necessarily mean BootGuard is actually enabled in the chipset, so no need to abandon an attempt immediately upon seeing that.
Cheers, Nicholas