Dear all,
Now with Coreboot version 4.9, is it still recommended to manually update AMD microcodes for Lenovo G505s as described here? Or is Coreboot 4.9 up-to-date for using a G505s as a Qubes station? http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#AMD_microcode_updat...
How do you handle the AMD GPU AtomBIOS blobs? https://github.com/g505s-opensource-researcher/g505s-atombios#corebootrom-op... may be very clear to experts, but I don't get it. It reads "use one of these commands:" 1) Adding VGABIOS to coreboot.rom 2) Removing VGABIOS from coreboot.rom 3) Printing coreboot.rom memory map
Which one should I use? Probably No.1. But there are 2 files for my G505S with discrete HD-8570M (pci1002,990b.rom and pci1002,6663.rom). Which one should I add? Both, separated by space? Then the command would look like that?
./util/cbfstool/cbfstool ~/coreboot.rom add -f ~/pci1002,990b.rom pci1002,6663.rom -n pci****,****.rom -t optionrom
That looks odd, doesn't it?
What about TPM? Qubes recommends TPM in their system requirements since it is required for 'Anti Evil Maid'. But Coreboot configuration (make nconfig) does not allow activating TPM. Am I doing something wrong or is TPM just really not an option?
Best regards and thank you!
Anac
> Still recommended to manually update AMD microcodes for Lenovo G505s as described here? http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#AMD_microcode_updat...
Yes, and it will stop being recommended only after my 28273 and 28370 changes are merged. They haven't been merged yet because AMD haven't released them to the opensource community. I think Martin Roth has been communicating with AMD regarding this matter, but maybe didn't get any reply yet. So we could either wait a few years until the official release or just start using it now. By the way, I'm quite confident that coreboot won't get any DMCA requests regarding these blobs even if they are merged, also because platomav's famous repositories are fine.
> How do you handle the AMD GPU AtomBIOS blobs?
There are two options: either you add the integrated GPU pci1002,990b.rom blob at coreboot's menuconfig setting (CONFIG_VGA_BIOS / CONFIG_VGA_BIOS_FILE options) and the second one later with cbfstool after your coreboot.rom build completes, or just build your coreboot without it and add both blobs using cbfstool. I'm usually following the first approach. And your commands should look like
./util/cbfstool/cbfstool $COREBOOT_ROM_PATH add -f $VGABIOS_PATH -n pci1002,990b.rom -t optionrom
./util/cbfstool/cbfstool $COREBOOT_ROM_PATH add -f $VGABIOS_PATH -n pci1002,6663.rom -t optionrom
^ two commands, you can't merge them into one.
However, adding the dGPU blob is useless at the moment because the set of patches by HJK required to make the dGPU work hasn't been submitted to coreboot yet. Sorry, it's my fault, but I'm working on so many things in parallel that there is not enough free time to complete everything in time. I'll try my best to help these patches in the near future.
> What about TPM?
G505S doesn't have a hardware TPM module, and I don't know if it could be attached there at all. Also, I haven't heard of any TPMs with a 100% opensource implementation, which is very important. It seems that the Free Software Foundation doesn't have a good opinion about the currently available TPMs, judging by the articles on their site. https://www.gnu.org/philosophy/can-you-trust.en.html
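The CBFS names in the cbfstool commands above follow the pciVVVV,DDDD.rom pattern (PCI vendor ID, device ID). As an added example (not part of the original thread and not coreboot code), this Python check reads the standard PCI option ROM header of a blob and reports the name it implies, so a name mismatch or a bad checksum is flagged for review before the file is added. All function names are hypothetical, and make_sample_rom builds a constructed test image rather than a real VGA BIOS.

```python
import struct
import sys

def parse_option_rom(data):
    """Read the header of a legacy x86 PCI option ROM image."""
    if len(data) < 0x1A or data[0:2] != b"\x55\xaa":
        raise ValueError("missing 0x55 0xAA option ROM signature")
    (pcir,) = struct.unpack_from("<H", data, 0x18)  # offset of PCI data structure
    if pcir + 8 > len(data) or data[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI data structure ('PCIR') not found")
    vendor, device = struct.unpack_from("<HH", data, pcir + 4)
    size = data[2] * 512  # image length is stored in 512-byte blocks
    if size == 0 or size > len(data):
        raise ValueError("image length byte does not fit the file")
    return {"vendor": vendor, "device": device, "size": size,
            "checksum_ok": sum(data[:size]) % 256 == 0}

def cbfs_name(info):
    """Name in the pciVVVV,DDDD.rom form used with 'cbfstool add -n'."""
    return "pci%04x,%04x.rom" % (info["vendor"], info["device"])

def check_blob(data, intended_name):
    """Return a list of findings; empty means header and name agree."""
    info = parse_option_rom(data)
    findings = []
    if cbfs_name(info) != intended_name.lower():
        findings.append("header implies %s, not %s" % (cbfs_name(info), intended_name))
    if not info["checksum_ok"]:
        findings.append("image bytes do not sum to 0 mod 256")
    return findings

def make_sample_rom(vendor, device, blocks=1):
    """Constructed sample image for testing; not a real VGA BIOS."""
    rom = bytearray(512 * blocks)
    rom[0:2] = b"\x55\xaa"
    rom[2] = blocks
    struct.pack_into("<H", rom, 0x18, 0x40)
    rom[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", rom, 0x44, vendor, device)
    rom[-1] = (-sum(rom)) % 256  # make the checksum come out to zero
    return bytes(rom)

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_oprom.py <blob> <intended CBFS name>
    path, name = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        for finding in check_blob(f.read(), name) or ["ok"]:
            print(path, finding)
```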
On 1/16/19 7:53 AM, Mike Banon wrote:
> Still recommended to manually update AMD microcodes for Lenovo G505s as described here? http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#AMD_microcode_updat...
> Yes, and it will stop being recommended only after my 28273 and 28370 changes are merged. They haven't been merged yet because AMD haven't released them to the opensource community. I think Martin Roth has been communicating with AMD regarding this matter, but maybe didn't get any reply yet. So we could either wait a few years until the official release or just start using it now. By the way, I'm quite confident that coreboot won't get any DMCA requests regarding these blobs even if they are merged, also because platomav's famous repositories are fine.
Hi Mike,
Thank you so much for your kind explanation! Without your contribution and the corresponding pages on dangerousprototypes.com it would be completely impossible to flash the G505s. Please tell me in case I can contribute anything (except coding and big money :-)
It seems there are some relevant changes in current Coreboot. Its configuration menu doesn't have a "Chipset ---> Include CPU microcode in CBFS" option. And the .config lines mentioned on http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#AMD_microcode_updat...
---------------------------------------------
# CONFIG_CPU_MICROCODE_CBFS_GENERATE is not set
# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
CONFIG_CPU_MICROCODE_CBFS_NONE=y
---------------------------------------------
... can't be found in .config.
The .config file only contains these two lines with the term "MICROCODE" in it:
# CONFIG_USES_MICROCODE_HEADER_FILES is not set
# CONFIG_HAVE_ROMSTAGE_MICROCODE_CBFS_SPINLOCK is not set
So, I take it, it's all good and prepared for adding the Microcode that you contributed. Right?
Best regards,
Anac
Huge thanks to Nico for the 29934 change, now these confusing microcode options are not visible for you in the "menuconfig" menu :) And thank you for your kind words :D I'm going to remove or hide this part of the instructions a bit later. Yes, everything is ready, and if you have doubts about some coreboot .config options you could see my .config at the latest G505S board status report. In addition, if you'd like to have some fun, you could download the KolibriOS floppy (a wonderful x86 assembly OS with GUI and beautiful apps which fits on a floppy) and add it to your coreboot.rom build with the following command:
./build/cbfstool build/coreboot.rom add -f ./build/kolibri.img -n floppyimg/kolibri.lzma -t raw -c lzma
and then this wonderful OS will always be available for you as a Ramdisk entry in the SeaBIOS boot menu ;) Because it would be a waste to just leave > 3MB of empty space inside your 4MB flash chip - unlike the fat proprietary closed source UEFI for this laptop, coreboot occupies less than 1MB, so it makes sense to fill this space with something beautiful. By the way, I've submitted a patch to SeaBIOS for adding multiple floppies support (right now only the last added floppy will be visible). It hasn't been merged yet because I need to improve it, but it is already working and you could apply it to your SeaBIOS master if you would like more than one cool floppy. If you're interested, please check the SeaBIOS mailing list archives for December 2018; there'll be a .patch file attached to my message. It could be applied with
patch -p1 < $PATH_TO_YOUR_PATCH
while in the ./coreboot/payloads/external/SeaBIOS/seabios/ directory after your SeaBIOS has been cloned.
> Please tell me in case I can contribute anything (except coding and big money :-)
You could help us in the following ways:
* test important new coreboot changes, especially AMD and G505S related (could see them at the review coreboot website)
* contribute board status reports sometimes, just remove the personally identifying info such as MAC addresses before sending
* answer the people at mailing lists, reddit's /r/coreboot, 4chan's /g/ and other tech sites after you've accumulated the knowledge
* there are "low hanging fruit" opportunities; if you look at my recent Gerrit history there are 8 merged "add the rest of >=1MB X manufacturer SPI flash chips" changes (i.e. 30744) which I did just by synchronizing with flashrom's flashchips.c/h sources. As you could see, such changes were very simple and just a matter of time for anyone careful and patient to complete. Contributing these simple-enough-for-us changes could help highly experienced coreboot developers to allocate more time for their advanced changes
* maybe there would be some crowdfunding opportunities, e.g. for liberating the remaining G505S blobs, although we should try to complete as much as possible by ourselves and of course improve the existing open source code
Best regards,
Mike Banon