[coreboot] Official builds for EoL Chromebooks

Matt DeVillier matt.devillier at gmail.com
Fri Oct 14 00:41:19 CEST 2016 

I don't mean to speak on behalf of the project, just letting you know some
of the obstacles of trying to distribute or validate firmware images.

If I were better organized, I'd post hashes of my firmware images as well
as the hashes of all the blobs used, which is probably as good as you can
get ATM

On Thu, Oct 13, 2016 at 3:58 PM, Emilian Bold <emilian.bold at gmail.com>
wrote:

> Sad to hear Coreboot cannot provide this info. Is there some downstream
> project I don't know about that could provide this?
>
> Maybe Google will take pity on the poor Chromebooks and provide some kind
> of firmware update themselves after the EoL.
>
>
> --emi
>
> On Thu, Oct 13, 2016 at 10:35 PM, Matt DeVillier <matt.devillier at gmail.com
> > wrote:
>
>> but then you get into the situation where coreboot (org) is providing
>> hashes for binary firmware it didn't build / isn't providing / can't easily
>> validate.  And pulling that from a live system like is done with board
>> status isn't easily done, for multiple reasons.  That's one of the reasons
>> for the "rom-o-matic" GSoC project (where users would provide the blobs,
>> and a firmware image would be build in real-time using a known good commit
>> hash, config, etc), but I'm not sure the status on that
>>
>> Funny you mention the C710, as I'll be releasing updated firmware for it,
>> both UEFI and Legacy versions, supporting both SB/IVB variants, in the next
>> few days.  You will be able to reproduce it yourself using my posted
>> sources, build scripts, and the blobs extracted from my firmware.
>>
>> On Thu, Oct 13, 2016 at 2:22 PM, Emilian Bold <emilian.bold at gmail.com>
>> wrote:
>>
>>> Just listing SHA hashes of the recommended ROMs for a given Chromebook
>>> would be an improvement.
>>>
>>> The hash is sufficient to verify a build / download. But it has to come
>>> from Coreboot.
>>>
>>> Actually, this would be a nice project for someone from Google.
>>>
>>> I can only volunteer testing a build on my Acer C710 (which is probably
>>> the only Chromebook with upgradeable RAM and disk).
>>>
>>>
>>>
>>> --emi
>>>
>>> On Thu, Oct 13, 2016 at 6:49 PM, Matt DeVillier <
>>> matt.devillier at gmail.com> wrote:
>>>
>>>> well, in order for that to happen, someone would have to take ownership
>>>> of that - are you volunteering?  =)
>>>>
>>>> There's also the issue of blobs that can't be redistributed, which is
>>>> AIUI one of the reasons why coreboot doesn't offer compiled firmware.
>>>> Additionally, some models (ie, Chomeboxes) require persistence of parts of
>>>> the stock firmware in order to maintain their unique ethernet MAC address,
>>>> so having users simply download and manually flash a compiled firmware
>>>> manually is highly suboptimal.  This is why I implemented the flashing
>>>> script (well that, and to provide some basic sanity checks that users
>>>> weren't flashing the wrong firmware, had write-protect disabled, etc)
>>>>
>>>> On Thu, Oct 13, 2016 at 10:14 AM, Emilian Bold <emilian.bold at gmail.com>
>>>> wrote:
>>>>
>>>>> I think EoL Chromebooks are a good opportunity for Coreboot to present
>>>>> itself to end users.
>>>>>
>>>>> Right now Chromebooks use Coreboot but nobody knows that.
>>>>>
>>>>> But once a Chromebook reaches EoL people will either throw it away or
>>>>> use it with the insecure and outdated browser version they have until it
>>>>> breaks.
>>>>>
>>>>> People would appreciate that it's possible to keep the device and use
>>>>> a modern Linux with up-to-date browser by only installing a dedicated
>>>>> Coreboot ROM.
>>>>>
>>>>> A per-device wiki page would be great! Something to show how to
>>>>> install it, etc.
>>>>>
>>>>> A ROM sha-256 (and a link) is also essential to know what to grab (or
>>>>> if your build was good).
>>>>>
>>>>> I'm actually the one that started the reproducible builds thread last
>>>>> time precisely because I could not get the same ROM image as the ones
>>>>> posted online and I was wondering what I did wrong and if I would brick my
>>>>> laptop or not.
>>>>>
>>>>>
>>>>>
>>>>> --emi
>>>>>
>>>>> On Thu, Oct 13, 2016 at 5:53 PM, Matt DeVillier <
>>>>> matt.devillier at gmail.com> wrote:
>>>>>
>>>>>> Emi,
>>>>>>
>>>>>> I think this is what you're looking for: https://www.coreboot.org/
>>>>>> Supported_Motherboards
>>>>>> It contains the commit hash, build config, and a few other logs for
>>>>>> each device/commit.  It is user submitted though, since there doesn't exist
>>>>>> a test setup for every supported device.
>>>>>>
>>>>>> Right now, I'm the main builder/distributor of upstream coreboot
>>>>>> firmware for ChromeOS devices; I support all Haswell, Broadwell, and some
>>>>>> Baytrail devices, the former with both UEFI and Legacy Boot variants. When
>>>>>> time permits, I'll expand that to cover the rest of the Baytrail devices,
>>>>>> then move on to adding support for Skylake.  No plans for Braswell support
>>>>>> unless I acquire a device on which to test.
>>>>>>
>>>>>> John Lewis has some upstream firmware for the older
>>>>>> SandyBridge/IvyBridge models, but his Haswell firmware is build from
>>>>>> Google's tree/branches not upstream.  He also has no plans for any future
>>>>>> upstream firmware.
>>>>>>
>>>>>> cheers,
>>>>>> Matt
>>>>>>
>>>>>> On Thu, Oct 13, 2016 at 6:49 AM, Emilian Bold <emilian.bold at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Now that Coreboot has reproducible builds, could you provide a list
>>>>>>> of build hashes for Chromebooks that are or will soon reach End of Life?
>>>>>>>
>>>>>>> I see on https://support.google.com/chrome/a/answer/6220366?hl=en that
>>>>>>> 2 Chromebooks will reach End of Life in 2016 and 3 more in 2017 then 7 in
>>>>>>> 2018. I assume the number will increase each year.
>>>>>>>
>>>>>>> I know that Coreboot does not distribute builds, but the little
>>>>>>> Custom roms section on https://www.coreboot.org/users.html seems
>>>>>>> insufficient.
>>>>>>>
>>>>>>> It's easy making a build, you just need to have the certainty you
>>>>>>> did it well. Or that the one you are downloading is correct.
>>>>>>>
>>>>>>> Posting an official SHA-256 hash for a ROM would solve this.
>>>>>>>
>>>>>>> --emi
>>>>>>>
>>>>>>> --
>>>>>>> coreboot mailing list: coreboot at coreboot.org
>>>>>>> https://www.coreboot.org/mailman/listinfo/coreboot
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20161013/f676d11f/attachment.html>

More information about the coreboot mailing list