Awesome Thanks!
Can you tell me what the state is with vboot for an x220 (as an example)?
I did ask in the IRC and someone told me that there is some work done on this topic. Also that no code contributions are necessary, but rather review (and testing I guess).
From what I have seen in the code, only Google-based laptops are supported for vboot. More might be possible, but I wasn't able to quickly identify them all.
From what I have seen on the review pages, most changes there for vboot should not affect the x220, or do I get it wrong?
Thank you everyone for reading, best regards akendo
On 06/29/2018 08:20 PM, David Hendricks wrote:
On Fri, Jun 29, 2018 at 8:34 AM, Akendo akendo@akendo.eu wrote:
Hey everyone,
I'm reading through the source code and found vboot. It should stand for verified boot. However, I can't find any documentation (except the source code). Can anyone provide me with some explanation of how to get it going or to make a little more sense of it?
As far as I understand, it needs to verify the signature against a key/CA. This key should be located within the TPM. But what should the key/CA look like? Will a classic x509 be enough?
Hi Akendo,
Here is some more background on vboot:
https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
https://www.chromium.org/chromium-os/chromiumos-design-docs/firmware-boot-an...
In this schema usually the public key is stored in a write-protected region of the firmware ROM. You can store it anywhere you want so long as you can guarantee that it can't be tampered with in an undesirable way.
On Fri, Jul 6, 2018 at 8:21 AM, Akendo akendo@akendo.eu wrote:
Awesome Thanks!
Can you tell me what the state is with vboot for an x220 (as an example)?
I did ask in the IRC and someone told me that there is some work done on this topic. Also that no code contributions are necessary, but rather review (and testing I guess).
From what I have seen in the code, only Google-based laptops are supported for vboot. More might be possible, but I wasn't able to quickly identify them all.
From what I have seen on the review pages, most changes there for vboot should not affect the x220, or do I get it wrong?
Although vboot is agnostic to CPU/SoC, it has a few system requirements. Off the top of my head:
- There must be a read-only copy of the firmware stored on the boot ROM. This requires a write-protection mechanism (present in SPI flash parts) and enough capacity to store both read-only and rewriteable copies.
- There are some variables (inputs) which vboot needs to read at runtime, such as write-protect enabled/disabled and which mode (normal/dev) you're in. These can come from reading GPIOs, from querying an EC, etc.
I don't know off-hand if anybody has put serious effort into using vboot on the x220 or similar laptops. Chromebooks are designed with the necessary capabilities in mind, so you may need to get creative to find substitutes on hardware that was not designed with vboot in mind. It would be a really neat project to try if you have time :-)