Hi
I have a mini PC with an Intel N5105 processor (Jasper Lake) and a 6-port NIC (Intel i225-V B3). The device is from the Chinese brand TOPTON; inside is a Changwang CW-11 motherboard delivered with an AMI 5.19 BIOS. There aren't many details about this device on the Internet. I'm planning to use it as a firewall box running OPNsense, which I already have running virtualized on a NAS but wanted to move to a separate box. Before I start with it I thought about porting coreboot. Coreboot is actually new to me, but I found it can be beneficial in terms of security, especially in my case where I'm planning to run a firewall on it. It is also my tech curiosity whether I could manage to port the BIOS, with benefit to other people who own this device.
I read some posts on Reddit and found that the first obstacle is the Intel Boot Guard technology, which the Intel N5105 CPU supports. In dmesg I can find a log entry related to the mei_me module:
[ 5.936057] mei_me 0000:00:16.0: enabling device (0000 -> 0002)
Using intelmetool I wanted to find out if I could get more details, but I got the following output. I'm running those commands on Fedora with the iomem=relaxed GRUB option set.
./intelmetool -b
Can't find ME PCI device Can't find ME PCI device
./intelmetool -m
Can't find ME PCI device
Next I tried to use fwupdtool to gather security details; the result is the following. In the HSI-2 section the main 'Intel BootGuard' entry shows 'Enabled', but the other 3 detailed entries show 'Invalid'. I'm not sure whether it's a valid result or can be a kind of false positive that I shouldn't consider a sure result.
FuPluginUefiCapsule skipping device that failed coldplug: ESRT GUID '00000000-0000-0000-0000-000000000000' was not valid
Host Security ID: HSI:0! (v1.8.6)

HSI-1
✔ CSME override: Locked
✔ Platform Debugging: Disabled
✔ SPI write: Disabled
✔ Supported CPU: Valid
✔ UEFI platform key: Valid
✘ CSME manufacturing mode: Unlocked
✘ CSME v0:13.50.15.1436: Invalid
✘ SPI BIOS region: Unlocked
✘ SPI lock: Disabled
✘ TPM v2.0: Not found

HSI-2
✔ Intel BootGuard: Enabled
✔ Platform Debugging: Locked
✘ IOMMU: Not found
✘ Intel BootGuard ACM protected: Invalid
✘ Intel BootGuard OTP fuse: Invalid
✘ Intel BootGuard verified boot: Invalid

HSI-3
✔ Pre-boot DMA protection: Enabled
✘ Intel BootGuard error policy: Invalid
✘ Intel CET Enabled: Not supported
✘ Suspend-to-idle: Disabled
✘ Suspend-to-ram: Enabled

HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported

Runtime Suffix -!
✔ Linux kernel: Untainted
✔ Linux swap: Encrypted
✔ fwupd plugins: Untainted
✘ Linux kernel lockdown: Disabled
✘ UEFI secure boot: Disabled
My question is: based on the above details, can you tell me if there is a possibility to port coreboot to this device? If those details aren't enough, can you tell me what tools I should use to be 100% sure? Currently I don't have a BIOS programmer; I was planning to buy one after I confirm the possibilities for this device, otherwise it's probably useless to me and I won't need it. Anyway, I can get one if it's required to confirm the possibilities. As it's a Chinese device from a minor manufacturer, I doubt it is as secure as devices from big companies on the market.
Kind regards,
Mateusz
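The fwupdtool report above mixes a top-level "Intel BootGuard: Enabled" with three "Invalid" detail entries, which is exactly the case where reading the output by eye misleads. The script below is an added example (not code from the original post, nor from fwupd or coreboot): it parses `fwupdtool security` output into per-section attributes and then weighs the top-level Boot Guard entry against its detail checks. The sample report is constructed from the output quoted in the post, flattened one HSI level per line as it arrived; the attribute names are the ones fwupd printed there. One assumption is spelled out in the code: fwupd's "Invalid" is its NOT_VALID result, meaning the check could not be completed, which is not the same as the feature being off, so the script reports that combination as "unverified" rather than as either enabled or disabled.

```python
"""Parse `fwupdtool security` (HSI) output and summarize what it says about
Boot Guard.  Added example; not code from the original post, fwupd or coreboot."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the report from the post, one HSI level per line as the
# mail client flattened it.  One-attribute-per-line output parses the same way.
SAMPLE = """\
Host Security ID: HSI:0! (v1.8.6)
HSI-1 ✔ CSME override: Locked ✔ Platform Debugging: Disabled ✔ SPI write: Disabled ✔ Supported CPU: Valid ✔ UEFI platform key: Valid ✘ CSME manufacturing mode: Unlocked ✘ CSME v0:13.50.15.1436: Invalid ✘ SPI BIOS region: Unlocked ✘ SPI lock: Disabled ✘ TPM v2.0: Not found
HSI-2 ✔ Intel BootGuard: Enabled ✔ Platform Debugging: Locked ✘ IOMMU: Not found ✘ Intel BootGuard ACM protected: Invalid ✘ Intel BootGuard OTP fuse: Invalid ✘ Intel BootGuard verified boot: Invalid
HSI-3 ✔ Pre-boot DMA protection: Enabled ✘ Intel BootGuard error policy: Invalid ✘ Intel CET Enabled: Not supported ✘ Suspend-to-idle: Disabled ✘ Suspend-to-ram: Enabled
HSI-4 ✔ Intel SMAP: Enabled ✘ Encrypted RAM: Not supported Runtime Suffix -! ✔ Linux kernel: Untainted ✔ Linux swap: Encrypted ✔ fwupd plugins: Untainted ✘ Linux kernel lockdown: Disabled ✘ UEFI secure boot: Disabled
"""

# A section marker ("HSI-2", "Runtime Suffix -!") or one "mark name: value" attribute.
# The name is matched lazily up to ": " so a name containing a colon (the CSME
# version) survives; the value stops before the next mark or section marker, so
# attributes do not need to sit on their own line.
TOKEN_RE = re.compile(
    r"(?P<section>HSI-\d|Runtime Suffix -!)"
    r"|(?P<mark>[✔✘])\s*(?P<name>.+?):\s(?P<value>.+?)"
    r"(?=\s*(?:[✔✘]|HSI-\d|Runtime Suffix -!)|\s*$)",
    re.MULTILINE,
)
HEADER_RE = re.compile(r"Host Security ID:\s*(HSI:\d!?)")


@dataclass(frozen=True)
class Attr:
    section: str
    name: str
    value: str
    passed: bool  # ✔ in the report


def parse_hsi(text: str) -> list:
    """Return every attribute in the report, tagged with the section it belongs to."""
    attrs = []
    section = "?"
    for m in TOKEN_RE.finditer(text):
        if m.group("section"):
            section = m.group("section")
            continue
        attrs.append(Attr(section, m.group("name").strip(),
                          m.group("value").strip(), m.group("mark") == "✔"))
    return attrs


def hsi_level(text: str) -> Optional[str]:
    """The overall level fwupd assigned, e.g. 'HSI:0!' (the '!' marks runtime failures)."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


# The detailed Boot Guard checks fwupd prints beside the top-level "Intel BootGuard" entry.
BOOTGUARD_DETAILS = (
    "Intel BootGuard ACM protected",
    "Intel BootGuard OTP fuse",
    "Intel BootGuard verified boot",
    "Intel BootGuard error policy",
)


def bootguard_verdict(attrs: list) -> dict:
    """Weigh the top-level 'Enabled' against the detailed checks.

    Assumption: fwupd prints "Invalid" for its NOT_VALID result, i.e. the check could
    not be completed.  That is not "Disabled", so "Enabled" with all details "Invalid"
    is an unverified state, not a confirmed fused-and-verifying platform.
    """
    by_name = {a.name: a for a in attrs}
    top = by_name.get("Intel BootGuard")
    details = {n: by_name[n].value for n in BOOTGUARD_DETAILS if n in by_name}
    if top is None or top.value != "Enabled":
        verdict = "not-enabled-or-not-reported"
    elif details and all(by_name[n].passed for n in details):
        verdict = "enabled-and-verified"
    else:
        verdict = "enabled-but-unverified"
    return {"top_level": top.value if top else None, "details": details, "verdict": verdict}


def failing(attrs: list, section: str) -> list:
    """Names of the attributes that fail in one section (e.g. the HSI-1 flash locks)."""
    return [a.name for a in attrs if a.section == section and not a.passed]


if __name__ == "__main__":
    parsed = parse_hsi(SAMPLE)
    print("level:", hsi_level(SAMPLE))
    print("boot guard:", bootguard_verdict(parsed))
    print("HSI-1 failures:", failing(parsed, "HSI-1"))
```

Run against the quoted report it yields `enabled-but-unverified`, which is the honest reading of that output: nothing in it proves the Boot Guard profile is fused, and nothing disproves it either, so it cannot substitute for a direct reading of the platform state before a firmware port is attempted.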