[coreboot] Lenovo Thinkpad X201: cannot boot encrypted Debian w/Coreboot & GRUB2

Sam Kuper sam.kuper at uclmail.net
Wed Mar 22 17:03:28 CET 2017

Steps followed:

- Switch off X201; disconnect X201 PSU and battery.

- Flash X201 using Bus Pirate, with OEM BIOS that has had its ME
neutralised with me_cleaner, noting that Flashrom reported "VERIFIED".

- Disconnect Bus Pirate from X201.

- Reconnect X201 PSU.

- Press power button, then F12 to select CD-ROM as boot media.

- Boot Debian Jessie AMD64 NetInstall CD-ROM.

- Install Debian Jessie to X201's SSD, using guided install (full disk
with encrypted LVM, and GRUB2 on the SSD).

- Eject CD.

- Boot X201 from SSD; everything works as expected.

- Boot X201 from SSD again; again, everything works as expected.

- Switch off X201 and disconnect X201 PSU.

- On spare PC, in Coreboot directory:

-- make distclean && make nconfig

-- Choose "Lenovo" as mainboard vendor.

-- Choose "ThinkPad X201 / X201s / X201t" as mainboard.

-- Choose "Add Intel descriptor.bin file".

-- Choose "Add Intel ME/TXE firmware".

-- Choose "GRUB2" as payload.

-- make

- Flash resulting build/coreboot.rom to X201 with Bus Pirate, noting
that Flashrom reported "VERIFIED".

- Disconnect Bus Pirate from X201.

- Reconnect X201 PSU, confirming that "plugged in" LED indicator turns
on, just beneath the X201's display.

- Press power switch on X201.

- The X201's fan spins up, and the following LED indicators light up,
in addition to the power "plugged in" indicator: NumLock, CapsLock,
On, and Sleep.

- After about 1 second, the NumLock and Sleep LEDs turn off, and the
fan starts to spin down.

- After about 1 more second, the CapsLock LED turns off, leaving just
the "on" and "plugged in" LEDs lit.

- Nothing further happens for some time. The backlight doesn't turn
on, and the screen stays blank.

- After about 10 minutes, the fan spins up for a few seconds, then
spins back down. This repeats roughly every 10 minutes.

N.B. with the same X201, a day or two ago, I was able to use a
Coreboot build with a SeaBIOS payload to boot a non-encrypted Debian
installation from the SSD. Oddly, when I did that, there was no
SeaBIOS menu displayed, nor any GRUB2 menu displayed, even though the
unencrypted Debian install had placed a GRUB2 instance on the SSD: it
was as though Coreboot skipped both its own SeaBIOS payload in the
flash chip, AND the Debian-installed GRUB2 on the SSD, and somehow
went straight to the Debian login prompt.

Anyhow, I didn't want a non-encrypted Debian installation, I wanted an
encrypted one: hence the attempt above. I guess maybe what's happening
is that Coreboot is somehow this time skipping its GRUB2 payload much
as it previously seemed to skip its SeaBIOS payload, and likewise
skipping the Debian-installed GRUB2 instance on the SSD as it did
previously. Only this time, instead of finding an unencrypted drive
with a Debian kernel that it knows how to boot, Coreboot is instead
finding an encrypted partition that it doesn't know how to do anything

Is my interpretation plausible? In any case, how would more
experienced Corebooters suggest I proceed?

I certainly would have expected, based on the Coreboot wiki's GRUB2
page,[1] at least a GRUB2 console.

In case it is useful, I have attached my .config file.

Many thanks in advance!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: .config
Type: application/octet-stream
Size: 20702 bytes
Desc: not available
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20170322/ecb5cd8b/attachment.obj>

More information about the coreboot mailing list