[coreboot] lenovo x220, tool to extract binary blobs from BIOS update

Mat vibrysec at gmail.com
Tue Apr 24 21:27:27 CEST 2018


> not sure what you are looking for, but I guess this is what you need,

> (microcode updates are publicly available and gfx init is
> open source)

I'd like to have the system updated against Spectre and other possible
vulnerabilities as much as possible.

If Lenovo (or any other vendor) releases updates, which in this case
address the Spectre vulnerability, then I'd need to get the binary blobs
from this update, compare them against the previous BIOS version's blobs
and, in case they differ, bundle them into the coreboot BIOS, then save
coreboot onto the x220. The extra step I do is Intel ME neutralization.

That's why I (believe I) need the blobs from the newest update. Is the
reasoning correct, or could I do it more wisely?

The blobs I've initially taken are:
flashregion_0_flashdescriptor.bin
flashregion_2_intel_me.bin
flashregion_3_gbe.bin

But:

1. If I neutralize me.bin, then maybe updating it does not make sense?
   Otherwise, maybe I could use MEanalyzer + its database to get the
   newest ME, then neutralize it?

2. As far as I know, Spectre fixes reside in CPU microcode. If so, then
   maybe coreboot can be compiled with the newest CPU microcode for the
   given CPUID (I've found one on CPUmicrocodes @ github). Or maybe the
   only place where fixes can appear is CPU microcode?

3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where
   to get it from?

4. gbe.bin - the same questions here.
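
The comparison step described in the message above, as an added example that is not part of the original post or of any coreboot tool: it splits two full flash images into regions using the Intel flash descriptor and lists the regions whose SHA-256 differs. It assumes both inputs are complete flash images; the images here are constructed inline, the output names follow the flashregion_N pattern from the post, and all function names are hypothetical.

```python
import hashlib
import struct

IFD_SIG = 0x0FF0A55A  # Intel flash descriptor signature
NAMES = ["flashdescriptor", "bios", "intel_me", "gbe", "platform_data"]

def parse_regions(image: bytes) -> dict:
    """Map 'flashregion_N_name.bin' -> bytes for each region in use."""
    # Signature expected at 0x10; 0x00 is tried as a fallback (assumption
    # for older layouts). FLMAP0 directly follows the signature.
    for sig_off in (0x10, 0x00):
        if struct.unpack_from("<I", image, sig_off)[0] == IFD_SIG:
            break
    else:
        raise ValueError("no flash descriptor signature found")
    flmap0 = struct.unpack_from("<I", image, sig_off + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4  # offset of the FLREG table
    regions = {}
    for i, name in enumerate(NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12  # both fields count 4 KiB pages
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:  # region not present
            continue
        if limit >= len(image):
            raise ValueError(f"{name} region runs past the end of the image")
        regions[f"flashregion_{i}_{name}.bin"] = image[base:limit + 1]
    return regions

def changed_regions(old: bytes, new: bytes) -> list:
    """Names of regions whose SHA-256 differs or that exist in one image only."""
    a, b = parse_regions(old), parse_regions(new)
    def digest(regions, name):
        return hashlib.sha256(regions[name]).hexdigest() if name in regions else None
    return [n for n in sorted(set(a) | set(b)) if digest(a, n) != digest(b, n)]

def make_image(me_fill: int) -> bytes:
    """Constructed 32 KiB image: descriptor, GbE, ME and BIOS regions."""
    img = bytearray(b"\xff" * 0x8000)
    struct.pack_into("<II", img, 0x10, IFD_SIG, 0x04 << 16)  # FRBA = 0x40
    # FLREG0..4 as (limit_page << 16) | base_page; base 0x1FFF = unused
    struct.pack_into("<5I", img, 0x40,
                     0x00000000, 0x00070004, 0x00030002, 0x00010001, 0x00001FFF)
    img[0x2000:0x4000] = bytes([me_fill]) * 0x2000  # stand-in ME payload
    return bytes(img)

if __name__ == "__main__":
    for name in changed_regions(make_image(0xAA), make_image(0xBB)):
        print("differs:", name)
```
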