Hi. I've watched a television broadcast where a hacker or security expert suspected that the BIOS of ThinkPads has a backdoor. Therefore, he said he uses OpenBIOS or coreboot.
I read on Wikipedia that OpenBIOS works in interaction with coreboot on Intel machines.
I read https://www.openfirmware.info/OpenBIOS as well as https://www.coreboot.org/OpenBIOS.
1. Please tell me whether a user without knowledge in programming or Linux command lines in Terminal is able to install OpenBIOS and/or coreboot.
2. Would you provide step by step instructions (especially for my case) how to install OpenBIOS and/or coreboot on my system?
Regards,
bernd1-1@web.de:
Hi. I've watched a television broadcast where a hacker or security expert suspected that the BIOS of ThinkPads has a backdoor. Therefore, he said he uses OpenBIOS or coreboot.
I read on Wikipedia that OpenBIOS works in interaction with coreboot on Intel machines.
I read https://www.openfirmware.info/OpenBIOS as well as https://www.coreboot.org/OpenBIOS.
Please tell me whether a user without knowledge in programming or Linux command lines in Terminal is able to install OpenBIOS and/or coreboot.
Would you provide step by step instructions (especially for my case) how to install OpenBIOS and/or coreboot on my system?
It's good to be aware of security, but BIOS is just one of several areas to consider. Be aware there are only certain models of Thinkpads supported for coreboot. Don't need programming experience, but familiarity with Linux goes a long way. Build with https://doc.coreboot.org/tutorial/part1.html. You will likely need an external hardware flasher to write the resulting image to BIOS.
There are a couple places where you can purchase Thinkpads with coreboot already flashed. A couple more where you can find laptops with the HAP bit set, which purportedly disables portions of Intel ME, but may or may not use coreboot. Suggest doing more research of these options before making a decision.
Hi _______________________________________________ (hmmm, I don't think this is your name),
On Tue, Nov 2, 2021 at 11:19 AM bernd1-1@web.de bernd1-1@web.de wrote:
Hi. I follow these instructions:
https://doc.coreboot.org/tutorial/part1.html
I'm on Step 5 - Configure the build > Check your configuration (optional step):
I did
$ make savedefconfig $ cat defconfig
The instructions say:
"There should only be two lines (or 3 if you’re using the system toolchain):
CONFIG_PAYLOAD_ELF=y CONFIG_PAYLOAD_FILE="payloads/coreinfo/build/coreinfo.elf""
I'm not using the system toolchain. There are the following 9 lines (instead of only two):
CONFIG_CBFS_SIZE=0x00040000 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_UART_PCI_ADDR=0x0 CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402 CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_ELF=y CONFIG_PAYLOAD_FILE="payloads/coreinfo/build/coreinfo.elf"
Why do I get 9 lines (instead of only two) and is that a problem or could I go on with the instructions?
Extra lines appear in defconfigs because of a recent regression, if I recall correctly. In any case, your config looks correct, you can go on with the instructions.
Regards,_______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
Best regards, Angel
Hi Bernd,
On Tue, Nov 2, 2021 at 12:08 PM bernd1-1@web.de bernd1-1@web.de wrote:
Hi. Just to ensure I don't go in the wrong direction: If I follow these instructions https://doc.coreboot.org/tutorial/part1.html do I install coreboot with OpenBIOS (because I've read something with SeaBIOS or so)?
These instructions build a coreboot image with coreinfo as a payload and run it on the QEMU virtual machine. They're a guide to get started with coreboot. If your goal is to install coreboot on an x86 system while keeping it simple, don't go with OpenBIOS. The simplest configuration is coreboot with the SeaBIOS payload. Feel free to try SeaBIOS with QEMU, experiment without any risks.
Installing coreboot on actual hardware is more complex. Unlike operating systems (Windows, Linux...), coreboot is tightly coupled to the hardware it runs on, so it's not possible to simply "install coreboot" on any computer using a generic procedure. Instead, coreboot needs to be flashed to a flash chip on the mainboard, and the best flashing procedure is mainboard-dependent. For example, the X220 can easily be flashed externally with a SPI programmer and a SOIC-8 chip clip, but applying the same procedure on an X230 is very likely to cause problems (and recovery is even more complicated).
Regards,
Bernd_______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
Best regards, Angel
On 02.11.21 14:49, bernd1-1@web.de wrote:
Thanks for your reply and preventing me to go any further in the wrong direction.
I've made it absolutely clear from the very start of the thread (see email subject lines) that I'd like to install coreboot with OpenBIOS.
Well, I hope you are sure that you need OpenBIOS. The way I read your initial message, I interpreted it as somebody has called their firmware an "open bios", and maybe didn't mean the OpenBIOS project specifically.
OpenBIOS is an implementation of a very specific firmware standard (I think it was called Open Firmware?). It didn't get any attention within the coreboot community in the last years, FWIW. If you are sure you need an IEEE 1275-1994 compliant firmware, you can try to build it manually[1] (it's not hooked up to the coreboot build process). However, if that page is up-to-date it doesn't seem like you can easily get it to run outside an emulator. Which again makes me believe that it's not what you actually want.
With the link https://doc.coreboot.org/tutorial/part1.html I've obviously been led in the wrong direction.
No, it's still a very valuable lesson. If you want to build your own firmware based on coreboot, no matter the payload, you should start with such experiments.
Nico
bernd1-1@web.de:
What do you recommend to use instead if I'd like to replace my current BIOS? Should I install coreinfo and carry on with https://doc.coreboot.org/tutorial/part1.html? Should I use SeaBIOS and is there a tutorial for SeaBIOS, too?
Continuing with the tutorial link and choosing SeaBIOS will result in the most likely to work firmware. If you do a web search for "x220 coreboot" (without quotes and replacing x220 with your model if that's not it), you should find several step by step guides on how to go about it. The pictures they have are useful when performing the external flashing step towards the end.
Hi,
On 02.11.21 12:19, bernd1-1@web.de wrote:
The instructions say:
"There should only be two lines (or 3 if you’re using the system toolchain):
CONFIG_PAYLOAD_ELF=y CONFIG_PAYLOAD_FILE="payloads/coreinfo/build/coreinfo.elf""
I'm not using the system toolchain. There are the following 9 lines (instead of only two):
CONFIG_CBFS_SIZE=0x00040000 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 CONFIG_UART_PCI_ADDR=0x0 CONFIG_SUBSYSTEM_VENDOR_ID=0x0000 CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402 CONFIG_POST_IO_PORT=0x80 CONFIG_PAYLOAD_ELF=y CONFIG_PAYLOAD_FILE="payloads/coreinfo/build/coreinfo.elf"
Why do I get 9 lines (instead of only two) and is that a problem or could I go on with the instructions?
it's a Kconfig bug. Not sure if anyone is working on it yet. You can go on.
Nico
-
Angel Pons -
awokd -
bernd1-1@web.de -
Nico Huber