Are there any known tools for decoding the BootGuard policy?
I’m new to coreboot but have a system that I was interested in investigating adding support for it.
The flash image has BootGuard signatures, but at least some parts of the UEFI area of the flash are modifiable (variables, logo, etc). I’m wondering if the DXE area is even protected at all…
Or does one just abandon any attempt as soon as a BootGuard header is seen?
Thanks!
On 2024-03-15 22:24, mr gadha via coreboot wrote:
> Are there any known tools for decoding the BootGuard policy?
> I’m new to coreboot but have a system that I was interested in investigating adding support for it.
Hello! Welcome to coreboot! We look forward to any future contributions from you. There is the util/intelmetool utility in coreboot's source, which has a -b flag which is supposed to indicate the bootguard status. There's also some instructions for using it here: https://felixsinger.github.io/bootguard-status/
There's also a tool called MEInfo, which is an official tool from Intel and thus should be the most reliably accurate way of determining the BootGuard configuration. It is not supposed to be publicly available, but may or may not be possible to find on the internet anyway ;).
By the way, which system are you looking into?
> The flash image has BootGuard signatures, but at least some parts of the UEFI area of the flash are modifiable (variables, logo, etc). I’m wondering if the DXE area is even protected at all…
> Or does one just abandon any attempt as soon as a BootGuard header is seen?
The presence of BootGuard signatures in the ROM does not necessarily mean BootGuard is actually enabled in the chipset, so no need to abandon an attempt immediately upon seeing that.
Cheers, Nicholas
I have a Lenovo m710q and also an m720q (b360 south bridge). According to the tool, it looks like neither has BootGuard enabled.
However, inteltool didn’t identify (by name) the northbridges. Not yet sure if this is a bad omen…
I don’t have a serial port or SOIC clip, but was thinking of getting them.
Does anyone ever use the existing PEI code and boot coreboot with that? Or is going all the way on a new platform practical?
coreboot mailing list -- coreboot@coreboot.org. To unsubscribe send an email to coreboot-leave@coreboot.org
Hi,
I checked the M720q image with the Converged Security Suite: even though it has a BPM and a KM FIT entry (which is necessary for Bootguard), both have size 0, and I am not able to extract those properly. KMs normally have a __KEYM__ string in them; I cannot find one in the M720Q image.
All that would lead me to the assumption that at least the image I checked for the M720Q does not have Bootguard enabled - but I could be wrong ;)
Chris
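A way to make the check described above repeatable, as an added example (not the Converged Security Suite's code nor a coreboot utility): locate the FIT pointer at 4 GiB - 0x40, walk the FIT, report the Key Manifest (type 0x0B) and Boot Policy Manifest (type 0x0C) entries with their raw size field, and note whether a __KEYM__ structure ID appears anywhere in the image. It assumes the last byte of the image is memory-mapped at 0xFFFFFFFF; the sample image is constructed to mirror the M720q observation (both entries present, both size 0, no __KEYM__).

```python
import struct

FIT_POINTER_ADDR = 0xFFFFFFC0   # 4-byte FIT pointer sits at 4 GiB - 0x40
FIT_SIGNATURE = b"_FIT_   "      # type-0 header entry starts with this
FIT_TYPE_KM, FIT_TYPE_BPM = 0x0B, 0x0C   # Key Manifest, Boot Policy Manifest
KM_MAGIC = b"__KEYM__"           # structure ID at the start of a Key Manifest

def phys_to_offset(addr, image_len):
    """Map a top-of-4GiB physical address to a file offset (assumes the image ends at 0xFFFFFFFF)."""
    off = addr - (0x1_0000_0000 - image_len)
    if not 0 <= off < image_len:
        raise ValueError(f"address {addr:#x} is outside the image")
    return off

def parse_fit(image):
    """Return [(type, address, raw_size)] for every non-header FIT entry."""
    fit_addr = struct.unpack_from("<I", image, phys_to_offset(FIT_POINTER_ADDR, len(image)))[0]
    fit_off = phys_to_offset(fit_addr, len(image))
    if image[fit_off:fit_off + 8] != FIT_SIGNATURE:
        raise ValueError("FIT pointer does not lead to a _FIT_ header")
    # Entry: u64 address, u24 size, u8 reserved, u16 version, u8 type (bit 7 = checksum valid), u8 checksum.
    # In the header entry the size field holds the number of entries, header included.
    size_lo, size_hi = struct.unpack_from("<HB", image, fit_off + 8)
    entries = []
    for i in range(1, size_lo | (size_hi << 16)):
        addr, lo, hi, _rsv, _ver, type_flags, _cksum = struct.unpack_from("<QHBBHBB", image, fit_off + 16 * i)
        entries.append((type_flags & 0x7F, addr, lo | (hi << 16)))
    return entries

def bootguard_manifest_report(image):
    """What the FIT claims about KM/BPM, plus whether a KM structure ID exists anywhere in the image."""
    report = {"km": None, "bpm": None, "keym_magic_found": KM_MAGIC in image}
    for typ, addr, size in parse_fit(image):
        if typ == FIT_TYPE_KM:
            report["km"] = {"address": addr, "size": size}
        elif typ == FIT_TYPE_BPM:
            report["bpm"] = {"address": addr, "size": size}
    return report

def build_sample_image():
    """Constructed 1 MiB image mirroring the M720q observation: KM and BPM entries present but size 0."""
    size = 1 << 20
    img = bytearray(b"\xff" * size)
    fit_off = 0x80000
    header = FIT_SIGNATURE + struct.pack("<HBBHBB", 3, 0, 0, 0x0100, 0x00, 0x00)  # 3 entries incl. header
    km = struct.pack("<QHBBHBB", 0xFFF00000, 0, 0, 0, 0x0100, FIT_TYPE_KM, 0)
    bpm = struct.pack("<QHBBHBB", 0xFFF10000, 0, 0, 0, 0x0100, FIT_TYPE_BPM, 0)
    img[fit_off:fit_off + 48] = header + km + bpm
    struct.pack_into("<I", img, size - 0x40, 0x1_0000_0000 - size + fit_off)  # FIT pointer
    return bytes(img)
```

A size-0 entry with no __KEYM__ in the image is exactly the "present but empty" pattern discussed above; a populated KM would show a non-zero size and the magic at the entry's address.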
I have an m920q; it does not have IBG enabled. I have sent some patches [1]. I expect the m720q will be similar to the m920q, in the same way as the m700 is similar to the m900. The main (only?) difference is the PCH.
[1] https://review.coreboot.org/c/coreboot/+/80609
-- Christian Walter, Head of Firmware Development / Cyber Security
9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany. Email: christian.walter@9elements.com