[coreboot] Dualbios on GA-MA770-UD3

Patrick Georgi patrick at georgi-clan.de
Sat Apr 24 20:26:45 CEST 2010


On 24.04.2010 19:43, xdrudis wrote:
> What I don't understand is how is this supposed to work.
> 
> From what you say and what I asked sales contact staff at Gigabyte (no
> very useful insights), there are two bios roms. One has the ability
> to check the other and run it only if it detects it's ok. If it
> doesn't it flashes itself to it.
> 
> So if you use one of the BIOS for coreboot it will either be rewritten
> by the original BIOS or it will boot, depending on which ROM boots 
> first and which ROM you put coreboot in. 
> 
> If you flash the ROM that boots first you can try coreboot, but in case 
> it doesn't work how are you going to jump to the original BIOS?
They might just use a watchdog:
- BIOS 1 sets a flag
- BIOS 1 configures the watchdog to trigger when it's not touched within
2 seconds (or whatever). watchdog would reboot the system then
- BIOS 1 jumps into BIOS 2
- BIOS 2 does whatever it needs to do to consider itself "safe"
- Meanwhile, BIOS 2 touches the watchdog every so often
- BIOS 2 deactivates the watchdog

In this scenario, coreboot would have to know how to tell the watchdog
to reset its countdown, and how to disable the watchdog, to safely use
the Dual BIOS feature.

> If you flash the other ROM then apparently the original BIOS will boot
> and do what it pleases, possibly overwrite coreboot, or assuming you can trick
> it to believe coreboot is a correct BIOS then maybe jump to it after 
> some initialisation, but will coreboot then have a chance to work from the
> same state it would in case it had booted first?
> 
> Tricking the original BIOS to believe coreboot is a correct image may be hard.
> In the worst case you may have to break a digital signature without the private key.
> This is not directly related, but gives an idea of how hard it could be
The feature supposedly shouldn't just guard against non-Gigabyte images,
but against issues with their own images, too - and those would have the
right signature, and thus would pass any such test.

I'd be really amazed if they'd add another chip (that actually costs
money) and then only implement an incomplete protection scheme with it.


Regards,
Patrick Georgi
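
The watchdog hand-off sketched in this message, as an added example that is not part of the original post or of coreboot: a small C simulation showing why a second image has to both touch and disable the watchdog. The tick units, struct fields and outcome names are assumptions made for illustration; the board's real mechanism is not established in the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: tick units, field names and outcomes are assumptions. */
struct image {
    const char *name;
    int boot_ticks;    /* work needed before the image considers itself "safe" */
    int pet_interval;  /* touches the watchdog every N ticks; 0 = never */
    bool disables_wdt; /* turns the watchdog off once safe */
};

enum outcome { STAYED_UP, RESET_DURING_BOOT, RESET_AFTER_BOOT };

/* BIOS 1 arms the watchdog and jumps to `img`; simulate what follows. */
enum outcome handoff(const struct image *img, int timeout, int run_ticks)
{
    bool armed = true;   /* BIOS 1 configured the watchdog */
    int left = timeout;  /* ticks until the watchdog resets the board */

    for (int t = 1; t <= img->boot_ticks + run_ticks; t++) {
        bool booting = t <= img->boot_ticks;
        if (booting && img->pet_interval && t % img->pet_interval == 0)
            left = timeout;                   /* BIOS 2 touches the watchdog */
        if (t == img->boot_ticks && img->disables_wdt)
            armed = false;                    /* BIOS 2 deactivates it */
        if (armed && --left <= 0)             /* countdown ran out: reset */
            return booting ? RESET_DURING_BOOT : RESET_AFTER_BOOT;
    }
    return STAYED_UP;
}

int main(void)
{
    static const char *txt[] = { "stayed up", "reset during boot", "reset after boot" };
    const struct image imgs[] = {
        { "watchdog-aware image",       5, 1, true  },
        { "image unaware of watchdog",  5, 0, false },
        { "touches but never disables", 5, 1, false },
    };
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %s\n", imgs[i].name, txt[handoff(&imgs[i], 2, 10)]);
    return 0;
}
```

An image that boots faster than the timeout but never disables the watchdog still gets reset later, which is the case a replacement firmware would hit if it only happened to initialise quickly.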
