Hello everyone, I know this question had been asked many times, but is it possible to have Coreboot on modern hardware? After looking at a video (https://www.youtube.com/watch?v=Tt3bXZXsrE4) I learned that some people were able to put coreboot on recent thinkpads by soldering a new BIOS chip. After some research on the Internet, I found out coreboot couldn't be ported to modern hardware because of an Intel technology which encrypts the bios (I might be wrong, if so, sorry). On the other hand, companies like System76 are able to ship modern processors with Coreboot. I'd be more than happy to tinker with my hardware, so how would you put coreboot on a recent thinkpad by replacing the bios chip?
Thanks in advance.
maxime.corne--- via coreboot wrote:
I know this question had been asked many times, but is it possible to have Coreboot on modern hardware?
The general answer is yes, it is possible under certain conditions.
What those conditions are depends both on the particular hardware platform (CPU+chipset generation) and on what decisions the system integrator (ODM and/or OEM) has made before shipping the machine.
Fairly modern consumer products are indeed supported in the coreboot master tree.
Another set of conditions determines *how* a coreboot image could be installed onto a machine which was sold without coreboot.
Regardless of those conditions, desoldering the flash chip and either reprogramming it externally or soldering a new, already programmed flash chip onto the mainboard will always work, assuming of course that the flash is a discrete component, which is not always the case.
The boot flash is sometimes part of an embedded controller - I've only seen this on some Thinkpads so far.
After some research on the Internet, I found out coreboot couldn't be ported to modern hardware because of an Intel technology which encrypts the bios (I might be wrong, if so, sorry).
Encryption (signatures actually, not encryption) isn't relevant for porting, but if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system. In that case, and a few others, the only option is to desolder the flash chip and work with external programming options.
On the other hand, companies like System76 are able to ship modern processors with Coreboot.
Because they are the system integrator they are allowed to make the necessary decisions to enable coreboot on their machines, and they are better positioned to have access to the relevant information for porting coreboot - but don't be fooled, the platform vendors (Intel, AMD) do not release the necessary information for coreboot porting to anyone at all. Anyone who asks for it is told the same old lie: "Nobody is asking for that information so we don't make it available."
I'd be more than happy to tinker with my hardware, so how would you put coreboot on a recent thinkpad by replacing the bios chip?
Desolder the flash chip and create a header solution for the 5 relevant pins so that you can move the flash chip between your laptop and a programmer like a beaglebone or worst case raspberrypi, make a backup of the original contents outside your laptop, download and build coreboot, program the flash outside your laptop, connect it to the laptop, try to boot, and start debugging why the boot fails... ;)
Hope this helps
//Peter
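An added example (not from this thread or the coreboot project) of the external-programmer workflow Peter describes: read the original flash twice from the programmer, refuse to continue unless both reads agree, keep the backup and its hash off the laptop, and only write a coreboot image whose size exactly matches the chip dump. It assumes flashrom is installed, the chip is wired to a Raspberry Pi SPI header, and the programmer string, chip name and backup directory are placeholders to adjust.

```shell
#!/bin/sh
# Added example: external flashrom workflow with backup consistency checks.
# PROGRAMMER/CHIP/BACKUP_DIR are assumed values; adjust to your setup.
set -eu

PROGRAMMER="${PROGRAMMER:-linux_spi:dev=/dev/spidev0.0,spispeed=8000}"
CHIP="${CHIP:-}"                      # e.g. a W25Q-series name; empty = let flashrom probe
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/flash-backups}"

fr() {
    # Pass the chip name only when the user set one.
    if [ -n "$CHIP" ]; then
        flashrom -p "$PROGRAMMER" -c "$CHIP" "$@"
    else
        flashrom -p "$PROGRAMMER" "$@"
    fi
}

# Two consecutive reads must match byte for byte; a mismatch usually means
# marginal wiring or too high an SPI clock, and the backup cannot be trusted.
backup_consistent() {
    cmp -s "$1" "$2"
}

# The image written must be exactly the chip size (same size as the dump);
# a wrong-sized image is the classic way to brick a board.
image_fits_chip() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ]
}

take_backup() {
    mkdir -p "$BACKUP_DIR"
    fr -r "$BACKUP_DIR/orig1.bin"
    fr -r "$BACKUP_DIR/orig2.bin"
    backup_consistent "$BACKUP_DIR/orig1.bin" "$BACKUP_DIR/orig2.bin" \
        || { echo "backup reads differ: check wiring/spispeed" >&2; return 1; }
    sha256sum "$BACKUP_DIR/orig1.bin" > "$BACKUP_DIR/orig1.sha256"
    echo "backup stored in $BACKUP_DIR (keep a copy off this machine)"
}

flash_coreboot() {
    img="$1"
    image_fits_chip "$img" "$BACKUP_DIR/orig1.bin" \
        || { echo "image size does not match chip dump, refusing" >&2; return 1; }
    fr -w "$img"   # flashrom verifies the written contents by default
}
```

Run `take_backup` first, then `flash_coreboot build/coreboot.rom`; if the board does not boot, `fr -w "$BACKUP_DIR/orig1.bin"` restores the original image.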
On 12.04.21 at 14:33, Peter Stuge wrote:
maxime.corne--- via coreboot wrote:
After some research on the Internet, I found out coreboot couldn't be ported to modern hardware because of an Intel technology which encrypts the bios (I might be wrong, if so, sorry).
Encryption (signatures actually, not encryption) isn't relevant for porting, but if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system. In that case, and a few others, the only option is to desolder the flash chip and work with external programming options.
This seems a bit misleading. BootGuard is independent of the flash chip and write access to it. BootGuard reads the BIOS (more accurately the bootblock) and acts on what it sees. If it is configured in verification mode, it will refuse to boot if the BIOS' signature isn't valid. Only the OEM who configured BootGuard can provide a valid signature. BootGuard is not tied to the flash chip but the PCH (which is part of the CPU module in ultrabooks). That's a lot more work to replace.
Older versions of BootGuard may be susceptible to a TOCTOU discrepancy, i.e. you might get around it with a flash emulator that presents a bootblock with a valid signature to BootGuard and lets the CPU execute another later. But this won't be easy if possible at all.
I'd be more than happy to tinker with my hardware, so how would you put coreboot on a recent thinkpad by replacing the bios chip?
Lenovo is known to set up BootGuard in verification mode on Thinkpads. Actually, Intel implemented BootGuard for OEMs like Lenovo who asked for it. I didn't watch the whole video, but what I remember: 9elements bought a rare Thinkpad with BootGuard disabled. Might have been an early prototype or a development sample. Generally not easy to get. So
TL;DR coreboot on modern hardware: no problem at all (if you "own" the hardware and accept some blobs). coreboot on modern Thinkpads: totally up to Lenovo who "owns" all modern Thinkpads even after selling them.
If it doesn't have to be a Thinkpad, please consider buying hardware that ships with coreboot ;)
If it does, you have to talk to Lenovo. We resell Thinkpads and talked to them... short version: we're selling too few to get a custom BootGuard configuration :-( Maybe if you take 10,000+ units, they're more interested (actually, I've no idea how much we sell). If you talk to a sales representative, they'll promise you anything; but that doesn't mean you get the deal. So it's not easy to figure out even a rough number. Also, this was some years ago. Always worth another shot to ask.
Nico
Nico Huber wrote:
if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system.
This seems a bit misleading. BootGuard is independent of the flash chip and write access to it.
You're of course correct. I didn't express my point very well.
I wanted to make clear that, as you write, BootGuard is intended to disallow any firmware other than from the integrator, and bar some bug in chipset lockdown or SMM it can be expected to indeed be effective.
BootGuard itself doesn't control flash write access, but its idea is contrary to leaving the flash chip accessible e.g. by flashrom, and by now I think it's fair to expect that machines using BootGuard will also lock down flash write access such that only correctly (as decided by the manufacturer) signed firmware can be flashed in a running system.
Whether BootGuard allows a foreign firmware to boot is the next hurdle, and if no then no soldering iron helps.
I second Nico: Do everyone a favour and buy hardware actually designed for coreboot if you want coreboot. :)
//Peter