Hi there!
As you probably all know the procedure to relieve the coreboot-supported thinkpads from their proprietary firmware is not completely trivial[1]. The main problem is that the vendor has locked down the available SPI opcodes that we are allowed to use and this hinders current flashrom from identifying the flash chip.
Carl-Daniel has started to work on a patch that allows flashrom to use a lower-quality identifying opcode (RES) on such locked down computers without spoiling flashrom use on other devices. I have continued that and we now have a patch that allows probing and reading on the thinkpads. Erase (and hence write in practice) does not work yet, because the available erase opcodes are also limited, but that will be dealt with shortly(-ish :).
The current version of the patch can be found here: http://patchwork.coreboot.org/patch/3726/
I would like to request the help of at least one volunteer who is able to recover from failed flash attempts and is willing to revert to the vendor firmware temporarily and spend some time testing patches we send him.
This will of course not make the coreboot conversion foolproof and is quite late... but I am pretty sure it will still be welcomed by newbies :)
Also, I would like to see a flashrom -V log of any affected machine that is not a T60 (2007-GCG)[2] and is running the vendor firmware.
[1]: http://www.coreboot.org/Lenovo_x60x
[2]: http://paste.flashrom.org/view.php?id=635
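As an added illustration (not code from flashrom, from the linked patch, or from any poster in this thread), the following Python model shows the fallback the post describes: a chipset whose SPI opcode menu was locked by the vendor firmware rejects the usual identification opcode, so the probe has to fall back to a lower-quality one. The opcode numbers are the common JEDEC/industry values (RDID 0x9F, REMS 0x90, RES 0xAB, READ 0x03, RDSR 0x05, WREN 0x06); the chip IDs and opcode menus are constructed for the demo and do not describe any particular ThinkPad or flash chip.

```python
"""Model of flash identification under a locked-down SPI opcode menu.

Added example, not flashrom code.  RDID returns manufacturer + 2 device ID
bytes, REMS returns manufacturer + 1 device byte, and RES returns only a
single "electronic signature" byte, which is why RES is the lowest-quality
identification method and a match from it must be treated as tentative.
"""

RDID = 0x9F  # JEDEC Read Identification
REMS = 0x90  # Read Manufacturer / Device ID
RES = 0xAB   # Release from Power-Down / Read Electronic Signature
READ = 0x03  # ordinary read; listed only to populate the constructed menus
RDSR = 0x05  # read status register
WREN = 0x06  # write enable

# Probe methods, best to worst.
PROBE_ORDER = [RDID, REMS, RES]


class FakeSpiChip:
    """Constructed stand-in for a SPI flash chip answering the ID opcodes."""

    def __init__(self, manufacturer, device_id, electronic_sig):
        self.manufacturer = manufacturer
        self.device_id = device_id  # two bytes, as returned by RDID
        self.electronic_sig = electronic_sig

    def respond(self, opcode):
        if opcode == RDID:
            return bytes([self.manufacturer]) + self.device_id
        if opcode == REMS:
            # REMS reports only the low device byte after the manufacturer.
            return bytes([self.manufacturer, self.device_id[1]])
        if opcode == RES:
            return bytes([self.electronic_sig])
        raise ValueError(f"opcode {opcode:#04x} not understood by this chip")


class LockedSpiController:
    """Chipset whose opcode menu was locked by firmware: opcodes outside the
    menu are refused by the controller and never reach the chip."""

    def __init__(self, opcode_menu, chip):
        self.opcode_menu = frozenset(opcode_menu)
        self.chip = chip

    def transact(self, opcode):
        if opcode not in self.opcode_menu:
            raise PermissionError(f"opcode {opcode:#04x} is not in the opcode menu")
        return self.chip.respond(opcode)


def identify_flash(controller):
    """Try the identification opcodes in order of quality, skipping locked ones.

    Returns a dict with the method used, the ID bytes read and whether the
    result is only tentative, or None if no identification opcode is allowed.
    """
    for opcode in PROBE_ORDER:
        try:
            resp = controller.transact(opcode)
        except PermissionError:
            continue  # locked by the vendor firmware; try the next-best opcode
        if opcode == RDID:
            return {"method": "RDID", "manufacturer": resp[0],
                    "device_id": resp[1:3].hex(), "tentative": False}
        if opcode == REMS:
            return {"method": "REMS", "manufacturer": resp[0],
                    "device_id": resp[1:2].hex(), "tentative": True}
        return {"method": "RES", "manufacturer": None,
                "device_id": resp[0:1].hex(), "tentative": True}
    return None


if __name__ == "__main__":
    # Constructed chip: manufacturer 0xAA, device ID 0x1234, signature 0x56.
    chip = FakeSpiChip(0xAA, bytes([0x12, 0x34]), 0x56)
    unlocked = LockedSpiController({RDID, REMS, RES, READ, RDSR, WREN}, chip)
    locked = LockedSpiController({RES, READ, RDSR, WREN}, chip)  # RDID/REMS refused
    print(identify_flash(unlocked))
    print(identify_flash(locked))
```

The `tentative` flag is the point of the model: a tool that falls back to RES on a locked board must not claim a definite chip match from one byte, which is the "lower-quality identifying opcode" caveat in the post.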
* Stefan Tauner stefan.tauner@student.tuwien.ac.at [120826 21:31]:
> As you probably all know the procedure to relieve the coreboot-supported thinkpads from their proprietary firmware is not completely trivial[1]. The main problem is that the vendor has locked down the available SPI opcodes that we are allowed to use and this hinders current flashrom from identifying the flash chip.
Have you guys considered SMI cache poisoning attacks to work around those restrictions?
It would pretty much be a per-BIOS-version or per-machine workaround, but if we can provide known good coreboot images, that might be attractive for people out there...
Stefan
On Mon, 27 Aug 2012 06:18:53 +0200 Stefan Reinauer stefan.reinauer@coreboot.org wrote:
> * Stefan Tauner stefan.tauner@student.tuwien.ac.at [120826 21:31]:
>> As you probably all know the procedure to relieve the coreboot-supported thinkpads from their proprietary firmware is not completely trivial[1]. The main problem is that the vendor has locked down the available SPI opcodes that we are allowed to use and this hinders current flashrom from identifying the flash chip.
> Have you guys considered SMI cache poisoning attacks to work around those restrictions?
> It would pretty much be a per-BIOS-version or per-machine workaround, but if we can provide known good coreboot images, that might be attractive for people out there...
hehe, no I did not think about that. :) Although it would be really cool, I don't think that it makes a lot of sense right now. Adding support on a per-mainboard basis can be done way easier and safer, and we are looking for a more generic way anyway (and I lack the knowledge to implement it too).
It would be very cool to see a proof of concept though... :)
> Have you guys considered SMI cache poisoning attacks to work around those restrictions?
Yes, we tried to break in but it did not work from SMM either. I even did a great SMM hack (using my EEE 1000HD). While waking up from suspend to RAM (when Linux runs in real mode after the waking vector is jumped to) I triggered the SMM poison attack and redirected myself back to the Linux resume flow. This resumed Linux, but while still in SMM mode. The intention was to use flashrom "as usual" ;) only with a special kernel...
I remember we tried this with a T40 but for some reason it did not work even when we were in SMM.
Thanks,
Rudolf