[coreboot] lenovo x220, tool to extract binary blobs from BIOS update

Mat vibrysec at gmail.com
Thu Apr 26 22:17:00 CEST 2018 

In the meantime I've decided to go in the following direction:
1. install intel microcode onto my ubuntu box
    the result is:
     x220$ $ dmesg | grep microcode
     [    0.000000] microcode: microcode updated early to revision 0x2d,
date = 2018-02-07
     [    0.881361] microcode: sig=0x206a7, pf=0x10, revision=0x2d
     [    0.881406] microcode: Microcode Update Driver: v2.2.

     this version is exactly the same as the newest one from CPU microcodes.

2. shrink my current version of  me.bin (year 2011) to 80kb + set disable
bit. There are newer me.bin, but I've decided not to use them.
3. update coreboot git repo and build it.

I experience some slight problem with it, but this does not affect qhestion
from this thread, tus I'll open a new one.

thank You for the help
regards,



On Thu, Apr 26, 2018 at 12:17 PM, diffusae via coreboot <
coreboot at coreboot.org> wrote:

> Hi!
>
> On 24.04.2018 21:27, Mat wrote:
>
> > I'd like to have system updated against spectre, and other possible
> vulnerabilities as much as possible.
>
> With the retpoline option in the Linux kernel, it should be usually safe
> (see attachment).
>
> "IBPB is considered as a good addition to retpoline for Variant 2
> mitigation, but your CPU microcode doesn't support it"
>
> > 1. If I neutralize me.bin, then maybe updating it does not make sense?
> >     Otherwise, maybe I could use MEanalyzer + its database to get newest
> ME, then neutralize it?
>
> Maybe not, don't think that there is a new ME version availabe? Wasn't
> it version 9?
>
> >    place where fixes are possible to appear is CPU microcode?
>
> See above. Did you found the matching microcode?
>
> > 3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where
> to get it from?
>
> I guess, that's only possible, if you fetch it from the flashed vendor
> bios.
>
> > 4. gbe.bin - the same questions here.
>
> Isn't that the firmware of the gigabit ethernet card? I think so.
>
> Regards,
> Reiner
>
> --
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20180426/4cce80e2/attachment.html>

More information about the coreboot mailing list