CINXE.COM

Libreboot – Jobs that need doing

<!DOCTYPE html> <html lang="en" dir="ltr"> <head> <meta charset="utf-8"> <meta name="generator" content="pandoc"> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes"> <!-- anti-social media tags --> <meta property="og:title" content="Libreboot – Jobs that need doing"> <meta property="og:type" content="article" /> <meta property="og:image" content="https://av.vimuser.org/bootmenu.jpg"> <meta property="og:url" content="https://libreboot.org/tasks/"> <meta name="twitter:card" content="summary_large_image"> <meta property="og:description" content="Libreboot – Jobs that need doing"> <meta property="og:site_name" content="Libreboot – Jobs that need doing"> <meta name="twitter:image:alt" content="Libreboot – Jobs that need doing"> <title>Libreboot – Jobs that need doing</title> <link rel="stylesheet" href="/global.css"> <link rel="stylesheet" href=""> <link rel="alternate" type="application/rss+xml" title="RSS Feed" href="/feed.xml"/> </head> <body> <div class="page"> <header> <div class="title"> <p class="title-logo"> <img loading="lazy" class="title-logo" alt="Libreboot logo" src="/favicon.ico" /> </p> <h1 class="title">Jobs that need doing</h1> </div> <ul> <li><a href="/">Home</a></li> <li><a href="/faq.html">FAQ</a></li> <li><a href="/download.html">Download</a></li> <li>-</li> <li style="font-size:1.3em;"><em><strong><a href="https://minifree.org/">Buy Libreboot preinstalled</a></strong></em></li> <li>-</li> <li><a href="/docs/install/">Install</a></li> <li><a href="/docs/">Docs</a></li> <li><a href="/news/">News</a></li> <li><a href="https://codeberg.org/libreboot/lbmk/issues">Bugs</a></li> <li><a href="/tasks/">TODO</a></li> <li><a href="/git.html">Send patch</a></li> <li><a href="/contact.html">Contact</a></li> <li>-</li> <li style="font-size:1.3em;"><em><strong><a href="https://www.patreon.com/libreleah">Donate</a></strong></em></li> </ul> <hr/> </header> <nav id="TOC"> <h1>Navigate this page:</h1> <ul> <li><a href="#rockchip-rk3588-socs-in-coreboot">Rockchip RK3588 SoCs in coreboot</a> <ul> <li><a href="#add-tf-a-support-to-libreboot">Add TF-A support to Libreboot</a></li> </ul></li> <li><a href="#general-auditing">general auditing</a></li> <li><a href="#port-vendor-scripts-to-heads">Port vendor scripts to Heads</a></li> <li><a href="#interesting-board-ports">Interesting board ports</a> <ul> <li><a href="#boards">Boards</a></li> <li><a href="#thinkpad-t430s-and-t431s">ThinkPad T430s and T431s</a></li> <li><a href="#g2-possible-820-g2">840 G2 (possible 820 G2)</a></li> <li><a href="#blobless-boards">Blobless boards</a></li> <li><a href="#dell-latitudeprecision">Dell Latitude/Precision:</a></li> <li><a href="#broadwell-dell">Broadwell Dell</a></li> <li><a href="#skylake-dell">Skylake Dell</a></li> <li><a href="#dell-latitude-e7240">Dell Latitude E7240</a></li> <li><a href="#dell-precision-m4800-and-m6800">Dell Precision M4800 and M6800</a></li> <li><a href="#e4200-spd">E4200 SPD</a></li> <li><a href="#other-dells-ivybridge-and-sandybridge">Other Dells (Ivybridge and Sandybridge)</a></li> <li><a href="#arm-based-cros-devices">ARM-based CrOS devices</a></li> <li><a href="#opensil-and-amd-ryzen">OpenSIL and AMD Ryzen</a></li> <li><a href="#amd-family16-boards">AMD Family16 boards</a></li> <li><a href="#lenovo-g505s">Lenovo G505s</a></li> <li><a href="#risc-v-hardware">RISC-V hardware</a></li> </ul></li> <li><a href="#uefi-payload">UEFI payload</a> <ul> <li><a href="#mrchromebox-distribution">MrChromebox distribution</a></li> <li><a href="#chromebooks-x86">Chromebooks (x86)</a></li> <li><a href="#u-boot-spl-and-uefi-on-x86">U-Boot SPL and UEFI on x86</a></li> <li><a href="#rockpro64">RockPro64</a></li> <li><a href="#uefistub">uefistub</a></li> <li><a href="#videos-plus-riscv">Videos (plus RISCV)</a></li> </ul></li> <li><a href="#linuxboot">Linuxboot</a> <ul> <li><a href="#ideas-for-how-to-implement-in-lbmk">Ideas for how to implement in lbmk</a></li> <li><a href="#flash-size-limitations">Flash size limitations</a></li> <li><a href="#why-linux-in-flash">Why Linux in flash?</a></li> <li><a href="#x86-implementation">x86 implementation</a></li> <li><a href="#arm-implementation">ARM implementation</a></li> <li><a href="#netboot.xyz">Netboot.xyz</a></li> <li><a href="#zfsbootmenu">Zfsbootmenu</a></li> </ul></li> <li><a href="#seek-qubes-endorsement">Seek QUBES endorsement</a></li> <li><a href="#grub-vga-modes">GRUB VGA modes</a></li> <li><a href="#grub-configs-menu">GRUB configs menu</a></li> <li><a href="#document-flash-write-protection">Document flash write protection</a> <ul> <li><a href="#ifd-based-method">IFD-based method</a></li> <li><a href="#flill-based-method">FLILL-based method</a></li> <li><a href="#smm-write-protection">SMM write protection</a></li> <li><a href="#pr-protected-range-registers">PR (Protected Range) registers</a></li> <li><a href="#chip-specific">Chip-specific</a></li> <li><a href="#layers">Layers!</a></li> </ul></li> <li><a href="#lbwww-document-mxm-graphics">lbwww: Document MXM graphics</a></li> <li><a href="#lbmk-c-clustered-builds">lbmk-c: clustered builds</a> <ul> <li><a href="#ccache">ccache</a></li> </ul></li> <li><a href="#fixdep">Fixdep</a></li> <li><a href="#use-crossgcc-for-seabios-and-grub">Use crossgcc for SeaBIOS and GRUB</a></li> <li><a href="#port-lbmk-to-bsd-systems">Port lbmk to BSD systems</a></li> <li><a href="#package-lbmk-in-distros">Package lbmk in distros</a></li> <li><a href="#vendor-scripts">Vendor scripts</a> <ul> <li><a href="#bruteforce-more-files">Bruteforce more files</a></li> </ul></li> <li><a href="#investigate-16mb-flash-setups">Investigate 16MB flash setups</a></li> <li><a href="#me-cleaner-status-page">ME Cleaner status page</a></li> <li><a href="#overclocking">Overclocking</a></li> <li><a href="#detect-module-changes">Detect module changes</a></li> <li><a href="#normalfallback-scheme">Normal/fallback scheme</a></li> <li><a href="#improved-payload-documentation">Improved payload documentation</a></li> <li><a href="#static-compiled-utils-in-releases">Static compiled utils in releases</a></li> <li><a href="#download-repositories-in-bulk">Download repositories in bulk</a> <ul> <li><a href="#optimisation">Optimisation</a></li> </ul></li> <li><a href="#dont-copy-src-trees">Don’t copy src trees</a></li> <li><a href="#vendor-scripts-1">Vendor scripts</a> <ul> <li><a href="#check-hashes-of-resulting-files">Check hashes of resulting files</a></li> </ul></li> <li><a href="#reproducible-builds">Reproducible builds</a> <ul> <li><a href="#tarballs">Tarballs</a></li> </ul></li> <li><a href="#vga-run-time-not-build-time">VGA: Run-time, not build-time</a></li> <li><a href="#modularise-the-coreboot-stages">Modularise the coreboot stages</a> <ul> <li><a href="#ie.-generate-cbfs-in-lbmk">ie. generate cbfs in lbmk</a></li> </ul></li> <li><a href="#macbook21-c-states-patch">Macbook21 C-states patch</a> <ul> <li><a href="#how-to-dump-c-state-config">How to dump c-state config</a></li> </ul></li> <li><a href="#check-file-ownership-in-builds">Check file ownership in builds</a> <ul> <li><a href="#sanity-checks">Sanity checks</a></li> </ul></li> <li><a href="#software-bill-of-materials">Software Bill of Materials</a></li> <li><a href="#re-use-build-artifacts">Re-use build artifacts</a> <ul> <li><a href="#partial-coreboot-re-builds">Partial coreboot re-builds</a></li> <li><a href="#notes-about-git">Notes about Git</a></li> </ul></li> <li><a href="#chinese-users-cant-run-lbmk">Chinese users can’t run lbmk</a></li> <li><a href="#me-cleaner-is-old">me cleaner is old</a> <ul> <li><a href="#also-disablement">Also: disablement</a></li> </ul></li> <li><a href="#faq-cover-usb-fuzzing-attacks">FAQ: cover USB fuzzing attacks</a></li> <li><a href="#auto-configure-ifd-region-limits">Auto-configure IFD region limits</a></li> <li><a href="#signed-commits">Signed commits</a></li> <li><a href="#secure-suspend-method-luks-setups">Secure suspend method (LUKS setups)</a></li> <li><a href="#usb-keyboard-in-secondary-payload">USB keyboard in secondary payload</a></li> <li><a href="#zstd-in-btrfs-on-grub">zstd in btrfs on grub</a></li> <li><a href="#optimise-crossgcc-space">Optimise crossgcc space</a></li> <li><a href="#t60-procacpiibmthermal">T60 /proc/acpi/ibm/thermal</a></li> <li><a href="#link-cpu-errata-pdfs">Link CPU errata PDFs</a></li> <li><a href="#macbook21-backlight-controls">Macbook2,1 backlight controls</a> <ul> <li><a href="#todo-test-other-platforms-too">TODO: test other platforms too</a></li> </ul></li> <li><a href="#document-ch341a-variants">Document CH341A variants</a> <ul> <li><a href="#e6400-vga-rom-nvidia">E6400 VGA ROM (Nvidia)</a></li> <li><a href="#test-crystalwell-cpus-on-t440p">Test Crystalwell CPUs on T440p</a></li> <li><a href="#how-to-extract-vbt-data">How to extract VBT data</a></li> </ul></li> <li><a href="#guix-use-debootstrap">Guix: use debootstrap</a></li> <li><a href="#docsbuildclean.html">docs/build/clean.html</a></li> <li><a href="#e6400-security">E6400 security</a> <ul> <li><a href="#smm-methods">SMM methods</a></li> </ul></li> <li><a href="#pci-e-rebar">PCI-E REBAR</a></li> <li><a href="#shrink-fsp-size-intel">Shrink FSP size (Intel)</a> <ul> <li><a href="#chromebooks">Chromebooks</a></li> </ul></li> <li><a href="#compare-factorydownload-neutered-me">Compare factory/download neutered ME</a></li> <li><a href="#hp-820-g2-tpm">HP 820 G2 TPM</a></li> <li><a href="#th-ssd-on-t440p">4th SSD on T440p</a></li> <li><a href="#disable-me-device-in-devicetree">Disable ME device in devicetree</a></li> <li><a href="#switchable-graphics-optimus">Switchable Graphics (Optimus)</a></li> <li><a href="#overclocking-cpu-and-ram">Overclocking (CPU and RAM)</a> <ul> <li><a href="#haswell">Haswell</a></li> </ul></li> <li><a href="#x60t60-alloc-magic-is-broken-at-0x7b1aedf0-0">X60/T60 alloc magic is broken at 0x7b1aedf0: 0</a></li> <li><a href="#intelamd-errata-pdf">Intel/AMD errata PDF</a></li> <li><a href="#interesting-video">interesting video</a></li> <li><a href="#automate-testing">Automate testing</a> <ul> <li><a href="#unit-tests">Unit tests</a></li> <li><a href="#ci">CI</a></li> </ul></li> <li><a href="#board-status">Board status</a></li> <li><a href="#haswell-board-bifircation">haswell board bifircation</a></li> <li><a href="#ec-hacking-on-lenovo-x230">ec hacking on lenovo x230</a></li> <li><a href="#dell-7th-gen">DELL 7th gen</a></li> <li><a href="#dell-3020">Dell 3020</a></li> <li><a href="#dell-3050-micro-century-byte">Dell 3050 Micro century byte</a></li> </ul> </nav> <div class="pagetext"> <p><a href="../">Return to previous index</a></p> <p>NOTE: Libreboot standardises on <a href="https://flashprog.org/wiki/Flashprog">flashprog</a> now, as of 27 January 2024, which is a fork of flashrom.</p> <p>This page contains a curated list of tasks that are to be worked on, or tasks that are being worked on. This is intended to complement the <a href="https://codeberg.org/libreboot/lbmk/issues/">issue pages</a>.</p> <p>Many of these entries will pertain to <em>lbmk</em>, which is Libreboot’s build system, but some entries may relate to documentation, or organisational changes.</p> <p>If you want to work on some of these yourself, patches are always welcome! Please read the <a href="../git.html">code review page</a>, which provides guidance on how to submit patches, and it describes the Libreboot project infrastructure.</p> <p>You may also benefit from <em>assimilating</em> all knowledge contained in the <em><a href="../docs/maintain/">lbmk maintenance manual</a>.</em></p> <div class="h"><h1 id="rockchip-rk3588-socs-in-coreboot">Rockchip RK3588 SoCs in coreboot</h1><a aria-hidden="true" href="#rockchip-rk3588-socs-in-coreboot">[link]</a></div> <p>See: <a href="https://www.collabora.com/news-and-blog/blog/2024/02/21/almost-a-fully-open-source-boot-chain-for-rockchips-rk3588/" class="uri">https://www.collabora.com/news-and-blog/blog/2024/02/21/almost-a-fully-open-source-boot-chain-for-rockchips-rk3588/</a></p> <p>Although coreboot is not mentioned (the context is TF-A), this could be added to coreboot.</p> <p>Also:</p> <div class="h"><h2 id="add-tf-a-support-to-libreboot">Add TF-A support to Libreboot</h2><a aria-hidden="true" href="#add-tf-a-support-to-libreboot">[link]</a></div> <p>Yes. We already provide other non-coreboot firmware, such as the serprog images. We even integrate U-Boot, albeit as a coreboot payload with some init steps skipped in U-Boot (handled by coreboot).</p> <p>TF-A is quite an interesting project:</p> <p><a href="https://www.trustedfirmware.org/" class="uri">https://www.trustedfirmware.org/</a></p> <p>It is essentially an analog of coreboot; coreboot even uses parts of this, on some boards.</p> <div class="h"><h1 id="general-auditing">general auditing</h1><a aria-hidden="true" href="#general-auditing">[link]</a></div> <p>Libreboot’s build system design is already extremely efficient. See: <a href="../docs/maintain/">lbmk build system documentation</a></p> <p>One of the reasons for this is auditing. The build system is regularly audited. In this context, that means reading the code to check for quality, pre-emptively fix bugs and generally think about the design of the project. Smaller is better.</p> <p>Code equals bugs, so less code yields fewer bugs. For a general idea of how audits are done in Libreboot, see:</p> <ul> <li><a href="../news/audit.html">Libreboot build system audit 1</a></li> <li><a href="../news/audit2.html">Libreboot build system audit 2</a></li> <li><a href="../news/audit3.html">Libreboot build system audit 3</a></li> </ul> <p>Auditing can often be pedantic, and seem petty. You might commit a patch that reduces the sloccount by only 1 line, maybe 3, but they all add up. Audit 3 contained hundreds of changes, small changes, that together accounted for about 1000 lines of code removed, while not affecting functionality in any way.</p> <p>This will always remain on the TODO list, because there will always be a need for auditing, as is true of any codebase. It is always possible to fix more bugs or improve a piece of code. As they say: the code is never finished.</p> <div class="h"><h1 id="port-vendor-scripts-to-heads">Port vendor scripts to Heads</h1><a aria-hidden="true" href="#port-vendor-scripts-to-heads">[link]</a></div> <p>Ironically, one of the first entries on this page pertains to a competing project.</p> <p>I promised the Heads project that I’d port Libreboot’s vendorfile download and inject scripts to the Heads build system. Libreboot provides these scripts for automatically downloading certain firmwares at build time, as and when required for a given mainboard. These are provided by the vendor, e.g. SMSC SCH5545 Environment Control (EC) firmware used for fan control on Dell Precision T1650.</p> <p>Heads has such logic, but it’s not as developed as the logic in Libreboot, which was originally inspired by the Heads logic and then greatly expanded upon.</p> <p>I’m putting this here on the Libreboot TODO page, so that I always see it. And I’m keeping it at the top of the page. This TODO entry is still relevant to Libreboot, because it concerns work that I will do in my official capacity, representing Libreboot while helping the (friendly) competition.</p> <p>See: <a href="https://osresearch.net/" class="uri">https://osresearch.net/</a></p> <p>Heads is a really cool project, offering Linux-based kexec payloads on supported hardware. It’s another coreboot distro, and their build system design even works similarly to Libreboot’s (though they heavily use Makefiles whereas Libreboot exclusively uses shell scripts and uses a much simpler design). Heads provides many advanced security features like measured boot, even things like TOTP-based authentication using secrets stored in the TPM.</p> <p>Very, very, very^2 cool project, and Libreboot has plans to integrate some of the same functionalitiys within it (see other notes on this page).</p> <div class="h"><h1 id="interesting-board-ports">Interesting board ports</h1><a aria-hidden="true" href="#interesting-board-ports">[link]</a></div> <p>Libreboot can support any board from coreboot, in principle. It would also be feasible to integrate other (libre) boot firmware, if desirable. The list below is not exhaustive, it just lists boards that are interesting to us at this time:</p> <div class="h"><h2 id="boards">Boards</h2><a aria-hidden="true" href="#boards">[link]</a></div> <ul> <li>HP EliteBook 2760p</li> <li>HP ProBook 6360b</li> <li>HP Revolve 810 G1</li> <li>HP EliteBook Folio 9480m</li> <li>HP EliteBook 8770w</li> <li>HP EliteBook 840 G2 (not in coreboot yet, but should be similar to 820 G2)</li> <li>HP Z220 CMI and SFF mainboards</li> <li>MSI PRO Z690-A mainboard (supported by Dasharo, not sure about coreboot) - also, Dasharo supports several more mainboards that aren’t in coreboot proper.</li> <li>KGPE-D16 and KCMA-D8: use the Dasharo fork of coreboot, instead of coreboot <code>4.11_branch</code>, because Dasharo’s version is much more up to date and more reliable with raminit. D8 isn’t supported by Dasharo, but it’s not much different code-wise to the D16 mainboard, so differences in coreboot <code>4.11_branch</code> could be adapted to provide a Dasharo port.</li> </ul> <div class="h"><h2 id="thinkpad-t430s-and-t431s">ThinkPad T430s and T431s</h2><a aria-hidden="true" href="#thinkpad-t430s-and-t431s">[link]</a></div> <p>These are interesting; the T431s in particular has soldered RAM, so we’d need to take care of SPDs (not done automatically yet, in coreboot). The schematics will show GPIO straps that could be used to glean which SPD data is correct, if we wanted to scan it automatically at boot time (we’d have to include SPD data for all known modules, it might be possible to extract it from vendor updates, otherwise we’d have to dump it from multiple variants of the same machine).</p> <p>Both are supported by coreboot.</p> <div class="h"><h2 id="g2-possible-820-g2">840 G2 (possible 820 G2)</h2><a aria-hidden="true" href="#g2-possible-820-g2">[link]</a></div> <p>These notes are based on a chat on Libreboot IRC.</p> <p>The TPM is Infineon SLB9660 and does TPM 1.2. We could maybe upgrade firmware to that of SLB9665. It would no longer work with the HP BIOS but maybe coreboot could be used, and then we could have newer TPM version - SLB9665 firmware can meet TPM 2.0 specification.</p> <p>(we do not yet use the TPM in any meaningful way on Libreboot machines)</p> <div class="h"><h2 id="blobless-boards">Blobless boards</h2><a aria-hidden="true" href="#blobless-boards">[link]</a></div> <p>Not yet supported, but interesting for the project. Separated thus:</p> <p>already supported by coreboot:</p> <ul> <li><a href="https://doc.coreboot.org/mainboard/asus/p5q.html">ASUS P5Q mainboard</a> (ICH10 / i82801jx), known variants, e.g.: Pro, C, L-Pro, SE</li> <li>Scan coreboot code for ICH9/ICH10 systems, or boards with x4x/gm45 based northbridges. Many of these can boot blobless.</li> </ul> <div class="h"><h2 id="dell-latitudeprecision">Dell Latitude/Precision:</h2><a aria-hidden="true" href="#dell-latitudeprecision">[link]</a></div> <ul> <li>Dell Latitude laptops: E4200, E4300, E5400, E5500, E6500, Precision M4400,</li> </ul> <p>Also E6440 (Haswell machine) - also E6540, 5540, E5440, E3540, E3440, E7440, and E7240 also - Nicholas says only the E6x40 models here have socked CPUs. The rest are soldered.</p> <p>E7440: https://review.coreboot.org/c/coreboot/+/46540</p> <p>E7240: https://review.coreboot.org/c/coreboot/+/40300 (original) and rebased to main: https://review.coreboot.org/c/coreboot/+/79746</p> <p>These typically use MEC5045 or compatible EC. Some may use MEC5035.</p> <p>SuperIO: at least M6500 is known to use ECE5028. I have a bunch of these Dells at my lab, they are high priority for porting because they would be easily flashable.</p> <div class="h"><h2 id="broadwell-dell">Broadwell Dell</h2><a aria-hidden="true" href="#broadwell-dell">[link]</a></div> <p>E5450 uses MEC5085, currently untested for dell-flash-unlock.</p> <div class="h"><h2 id="skylake-dell">Skylake Dell</h2><a aria-hidden="true" href="#skylake-dell">[link]</a></div> <p><a href="https://en.wikipedia.org/wiki/Dell_Latitude#Exx70_Models_(2016)" class="uri">https://en.wikipedia.org/wiki/Dell_Latitude#Exx70_Models_(2016)</a></p> <p>Non-E models don’t have the MEC ECs. The E models have MEC5085.</p> <p>Nicholas isn’t sure whether these have bootguard. TODO: test, and also test with dell-flash-unlock.</p> <div class="h"><h2 id="dell-latitude-e7240">Dell Latitude E7240</h2><a aria-hidden="true" href="#dell-latitude-e7240">[link]</a></div> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/79746" class="uri">https://review.coreboot.org/c/coreboot/+/79746</a></p> <p>Haswell latitude, works with <code>dell-flash-unlock</code>, uses MEC5055 EC. Documentation is included with that patch. It should be possible to re-use the existing MRC extraction logic. It will have to be backported to the branch used for libremrc in lbmk.</p> <p>NOTE: Iru Cai is the person working on this.</p> <div class="h"><h2 id="dell-precision-m4800-and-m6800">Dell Precision M4800 and M6800</h2><a aria-hidden="true" href="#dell-precision-m4800-and-m6800">[link]</a></div> <p>Also M6800, though no port is available yet. 17.3 inch display.</p> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/79755" class="uri">https://review.coreboot.org/c/coreboot/+/79755</a></p> <p>Another haswell machine. However, according to Nicholas Chin, at least on 1 January 2024, this patch (on patchset 4), there were problems with code quality and libgfxinit didn’t work yet - also, the ACPI code seemed to be a dump of the vendor, which is of low quality and likely not suitable for entry into coreboot due to copyright reasons.</p> <p>This port is worth looking at. When the issues are fixed, this will make a fine addition to lbmk.</p> <div class="h"><h2 id="e4200-spd">E4200 SPD</h2><a aria-hidden="true" href="#e4200-spd">[link]</a></div> <p>NOTE: Some of this may be inaccurate, because it’s copied from handwritten notes that were written very hastily and are barely legible.</p> <p>The SPD EEPROM is on the back of the board, between the CPU backplate and the RAM chips. SOIC-8 chip labelled U2. It’s a 24XX IC, should be possible to dump using a 3.3v-modded CH341A (on the 24xx socket).</p> <p>or</p> <pre><code>modprobe eeprom</code></pre> <p>look in e.g. 0-0058 or 0-0052 in <code>/sys/bus/i2c/devices</code></p> <p>May need other modules like at25 and i2c-i801</p> <p>The eeprom file in these should contain the SPD data. Just look through a bunch of them until the file is found and seems to be correct.</p> <p>decode-dimms (utility) can also read eeprom and decode SPD data but doesn’t dump the ram eeprom (dumping it in a ch341a as above would do so)</p> <p>see <a href="https://unix.stackexchange.com/questions/92037/how-to-view-rams-spd-timings-table#92044" class="uri">https://unix.stackexchange.com/questions/92037/how-to-view-rams-spd-timings-table#92044</a></p> <p>(yes, that url was also handwritten)</p> <p>modprobe i2c-dev and sudo i2cdump 0 0x50 works in libreboot, but not the vendor bios.</p> <div class="h"><h2 id="other-dells-ivybridge-and-sandybridge">Other Dells (Ivybridge and Sandybridge)</h2><a aria-hidden="true" href="#other-dells-ivybridge-and-sandybridge">[link]</a></div> <p>Nicholas Chin is interested in these:</p> <ul> <li>6430u</li> <li>E5520m</li> <li>E5420m</li> </ul> <p>Many others have been added, of Intel 2nd and 3rd gen.</p> <p>Most/all of these should be easily flashable, with the <code>dell-flash-unlock</code> utility, and many could be ported using autoport as a guide. Nicholas is working on these. They are left here for reference. If you have one of these, please contact <code>nic3-14159</code> on the <a href="../contact.html">Libreboot IRC channel</a>.</p> <p>Look at the page: <a href="https://en.wikipedia.org/wiki/Dell_Latitude#Exx50_Models_(2015)" class="uri">https://en.wikipedia.org/wiki/Dell_Latitude#Exx50_Models_(2015)</a></p> <p>It lists Dell Latitude models, though “Precision” brand is also available on some models that may be Libreboot-feasible.</p> <div class="h"><h2 id="arm-based-cros-devices">ARM-based CrOS devices</h2><a aria-hidden="true" href="#arm-based-cros-devices">[link]</a></div> <p>Alper Nebi Yasak ported several of these to Libreboot, but only the <code>gru_bob</code> and <code>gru_kevin</code> machines are known to be stable.</p> <p>It would be nice to re-add veyron-based platforms, e.g. <code>veyron_speedy</code> - old, but still very useful.</p> <p>The <code>nyan</code>, <code>peach</code> and <code>daisy</code> platforms were initially added to lbmk, but prematurely. They are talked about here:</p> <p><a href="https://libreboot.org/docs/install/#removed-boards" class="uri">https://libreboot.org/docs/install/#removed-boards</a></p> <p>It would be nice in general to support more ARM platforms in Libreboot. None of these machines are as decent as the Apple silicon machines (m1/m2/m3 etc), but they’re still decent enough for most computing tasks (and the Apple machines do not currently have coreboot support).</p> <p>The actual coreboot code for these machines is thought to be reliable. The problem is that the U-Boot port is not yet stable across all these machines. Libreboot has Alper’s proof of concept which works well on <code>gru</code> chromebooks.</p> <p>Caleb is interested in the <code>krane</code> chromebooks, but has had problems with vboot, getting it to boot reliably on custom firmware builds.</p> <div class="h"><h2 id="opensil-and-amd-ryzen">OpenSIL and AMD Ryzen</h2><a aria-hidden="true" href="#opensil-and-amd-ryzen">[link]</a></div> <p>Coreboot is importing OpenSIL code from AMD, to support Epyc Genoa (server platform).</p> <p>There are also chromebooks now with AMD Ryzen CPUs.</p> <p><a href="https://github.com/coreboot/coreboot/commit/a859057db8d2eaf59a7575e303d7af35979d12d7" class="uri">https://github.com/coreboot/coreboot/commit/a859057db8d2eaf59a7575e303d7af35979d12d7</a></p> <p><a href="https://github.com/coreboot/coreboot/commit/9e45e32420eda750afea9f6e4a3e6de42ba4152b" class="uri">https://github.com/coreboot/coreboot/commit/9e45e32420eda750afea9f6e4a3e6de42ba4152b</a></p> <p>NOTE:</p> <p>9elements seems to be the main entity working on OpenSIL integration in coreboot, under the direction of Arthur Heymans.</p> <p>also <a href="https://www.youtube.com/watch?v=gAZw0fTKdYg" class="uri">https://www.youtube.com/watch?v=gAZw0fTKdYg</a></p> <div class="h"><h2 id="amd-family16-boards">AMD Family16 boards</h2><a aria-hidden="true" href="#amd-family16-boards">[link]</a></div> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/71607" class="uri">https://review.coreboot.org/c/coreboot/+/71607</a></p> <p>This is part of a patch series, from 9 September 2023 onward, re-adding AMD Family 16 platform to coreboot, most notably enabling use of the new allocator and other things in coreboot.</p> <p>AMD AGESA-based platforms were removed from coreboot, because they weren’t being maintained anymore, so they were dropped. Some of those boards are still quite decent today. Various efforts here and there have revived some of them, e.g. the Dasharo project.</p> <p>Also referenced there: Biostar A68N-5200 mainboard. Check coreboot <code>4.18_branch</code> for these boards. Coreboot started removing the AGESA boards after release 4.11.</p> <div class="h"><h2 id="lenovo-g505s">Lenovo G505s</h2><a aria-hidden="true" href="#lenovo-g505s">[link]</a></div> <p>Old board, removed from coreboot ages ago, but one of the fastest pre-PSP AMD laptops, has full init in coreboot - it does require a VGA ROM for graphics. Anyway: <a href="http://dangerousprototypes.com/docs/Lenovo_G505S_hacking" class="uri">http://dangerousprototypes.com/docs/Lenovo_G505S_hacking</a></p> <p>This page was linked to me ages ago by Mike Banon. It contains instructions for how to configure the machine. It might be worth integrating into lbmk.</p> <div class="h"><h2 id="risc-v-hardware">RISC-V hardware</h2><a aria-hidden="true" href="#risc-v-hardware">[link]</a></div> <p>See: <a href="https://github.com/oreboot/oreboot" class="uri">https://github.com/oreboot/oreboot</a></p> <p>Oreboot is a re-written fork based on coreboot, re-written in Rust instead of C, and it has a strong focus on RISC-V platforms. We should start integrating this into lbmk - although <a href="https://drewdevault.com/2019/03/25/Rust-is-not-a-good-C-replacement.html">Rust has several disadvantages</a>, oreboot is still a good project.</p> <p>(though, whenever possible, lbmk should stick to coreboot, to keep things simpler - are there efforts to implement oreboot ports in coreboot/C?)</p> <div class="h"><h1 id="uefi-payload">UEFI payload</h1><a aria-hidden="true" href="#uefi-payload">[link]</a></div> <p>A UEFI payload in Libreboot is highly desirable, because it would basically enable any distro or BSD to Just Work.</p> <div class="h"><h2 id="mrchromebox-distribution">MrChromebox distribution</h2><a aria-hidden="true" href="#mrchromebox-distribution">[link]</a></div> <p>MrChromebox is another coreboot distro, similar in spirit to Libreboot.</p> <p>Of interest: Mrchromebox provides Tianocore-based UEFI setups on chromebooks, and we could probably integrate some of that in Libreboot. Tianocore is essentially bloatware, and really a liability for the Libreboot project due to its complexity, though MrChromebox targets a very different audience.</p> <div class="h"><h2 id="chromebooks-x86">Chromebooks (x86)</h2><a aria-hidden="true" href="#chromebooks-x86">[link]</a></div> <p>Start supporting x86 chromebooks in Libreboot. We don’t support any. There is already MrChromebox, we could just track that, but use our own payloads instead of Tianocore.</p> <p>Specifically: lbmk could have a feature added to it where it re-uses configs from MrChromebox, with logic to automatically disable the payload. In lbmk, coreboot configs do not enable payloads at all, because payloads are compiled by lbmk and added after the fact - this is why we have <code>elf/</code> containing coreboot images without payloads, and <code>bin/</code> which contains the full ROMs, with payloads inside. This design is much more flexible, and permits builds to be re-used more efficiently so as to reduce overall build time, when compiling for multiple mainboards.</p> <div class="h"><h2 id="u-boot-spl-and-uefi-on-x86">U-Boot SPL and UEFI on x86</h2><a aria-hidden="true" href="#u-boot-spl-and-uefi-on-x86">[link]</a></div> <p>Simon Glass has been working extensively on x86 support for U-Boot, to be used as a coreboot payload. This work is of interest to the Libreboot project, because we provide UEFI on ARM but not on x86.</p> <p>U-Boot also provides SPL which can be used to execute other software in the flash, and it’s often used to boot a Linux kernel; since U-Boot provides a UEFI implementation, it’s perfect.</p> <p>U-Boot is the preferred choice of UEFI implementation on x86, for Libreboot purposes, because U-Boot uses a coding style similar to Linux and can more easily import Linux drivers which are high quality, and Linux functionality in general, for anything that we need.</p> <p>Since we already provide U-Boot on ARM (thanks to the continued work done by Alper Nebi Yasak), U-Boot on x86 would then create a situation whereby Libreboot is consistent across platforms, at least for UEFI-based setups.</p> <div class="h"><h2 id="rockpro64">RockPro64</h2><a aria-hidden="true" href="#rockpro64">[link]</a></div> <p>Another interesting board that coreboot supports. We could add this.</p> <div class="h"><h2 id="uefistub">uefistub</h2><a aria-hidden="true" href="#uefistub">[link]</a></div> <p>Currently <a href="https://review.coreboot.org/c/coreboot/+/78913">under review</a> in the coreboot project, this provides an <em>incomplete</em> UEFI implementation, but much more minimalist than the U-Boot one. It doesn’t really <em>do</em> anything except provide the most minimal code possible, and then you can jump to a Linux payload in the flash.</p> <p>For UEFI purposes, U-Boot seems more mature, and it offers other features like SPL. As already stated, this is the preferred UEFI implementation for Libreboot, but uefistub is listed too because it’s interesting.</p> <div class="h"><h2 id="videos-plus-riscv">Videos (plus RISCV)</h2><a aria-hidden="true" href="#videos-plus-riscv">[link]</a></div> <p>The <em>Open Source Firmware Conference</em> (OSFC) in 2023 had several interesting talks pertaining to ARM, secureboot, linuxboot, UEFI and everything in between. Also RISCV/oreboot. Here are some videos, some of which contain info already alluded to on this page:</p> <ul> <li><a href="https://www.osfc.io/2023/talks/enabling-coreboot-for-open-system-firmware-on-arm-servers/" class="uri">https://www.osfc.io/2023/talks/enabling-coreboot-for-open-system-firmware-on-arm-servers/</a></li> <li><a href="https://www.osfc.io/2023/talks/u-boot-as-a-coreboot-payload/" class="uri">https://www.osfc.io/2023/talks/u-boot-as-a-coreboot-payload/</a></li> <li><a href="https://www.osfc.io/2023/talks/aligned-on-risc-v/" class="uri">https://www.osfc.io/2023/talks/aligned-on-risc-v/</a></li> </ul> <p>In general, there are many interesting talks:</p> <ul> <li><a href="https://www.osfc.io/archive/2023/" class="uri">https://www.osfc.io/archive/2023/</a></li> </ul> <p>The talks go all the way back to 2018. They’re all worth watching.</p> <div class="h"><h1 id="linuxboot">Linuxboot</h1><a aria-hidden="true" href="#linuxboot">[link]</a></div> <p>See for inspiration: <a href="https://osresearch.net/">Heads project</a> and <a href="https://sr.ht/~amjoseph/ownerboot/">Ownerboot project</a>, these are other coreboot distros similar to Libreboot, but they provide Linux-based payloads. Also see more in general, the <a href="https://www.linuxboot.org/">Linuxboot</a> project.</p> <p>Libreboot’s build system is documented, see: <a href="../docs/maintain/">lbmk documentation</a>.</p> <p>It’s possible to provide a Linux system that runs from the flash. Linux can execute another Linux kernel, using the <code>kexec</code> feature. There are bootloaders that can make use of it, for example the <a href="https://github.com/u-root/u-root">u-root</a> project.</p> <p>Libreboot’s current choice of coreboot payloads are:</p> <ul> <li>SeaBIOS (x86 only), provides a traditional PC BIOS implementation</li> <li>GNU GRUB (x86 only), provides a multiboot implementation, can boot Linux and BSD. This is the preferred default payload on x86, especially for Linux distros, because it provides many security features like GPG signature checking on Linux kernels, and password protection.</li> <li>U-Boot (ARM only), provides several boot methods, we typically use the UEFI implementation but it also provides many different boot methods; the one that is most interesting is the SPL (secondary program loader) feature, which is essentially the same concept as loading a coreboot payload - together with something like the minimal <a href="https://review.coreboot.org/c/coreboot/+/78913">uefistub</a> payload, can provide a complete setup.</li> </ul> <p>U-Root in particular (not to be confused with U-boot has parsers in it for GRUB and Syslinux config files. GRUB also has a parser for syslinux configs. This makes it a useful drop-in replacement for the GNU GRUB payload that Libreboot currently uses. Linux has much better drivers than GRUB, especially for things like LUKS2 and networking.</p> <div class="h"><h2 id="ideas-for-how-to-implement-in-lbmk">Ideas for how to implement in lbmk</h2><a aria-hidden="true" href="#ideas-for-how-to-implement-in-lbmk">[link]</a></div> <p>Look at the <a href="../docs/maintain/">lbmk documentation</a> for context. The most logical way to implement Linux payloads in Libreboot’s build system, lbmk, might be:</p> <ul> <li>Re-use the current crossgcc handling in <code>script/update/trees</code>, which is used for coreboot and u-boot. Coreboot’s cross compiler isn’t very useful for general applications e.g. utilities, but it could compile the Linux kernel easily.</li> <li>Separately to crossgcc, use <a href="https://github.com/richfelker/musl-cross-make">musl-cross-make</a> for the programs inside initramfs. Use this to provide musl libc, busybox and all of the userland applications in general. Musl-cross-make itself would not be used as-is, but adapted and integrated into the lbmk build system. The design of musl-cross-make is largely compatible with that of lbmk, because both build systems are written in shell scripts and with the same minimalist mentality. 72 source lines! At least as of musl-cross-make git revision <code>fe915821b652a7fa37b34a596f47d8e20bc72338</code>.</li> <li>In each package defined under <code>config/git/</code> in lbmk, use the current design but support specifying, for each one, whether or not to use musl-cross-make. The current design in lbmk already permits use of make and cmake, for simple projects, otherwise for more complicated setups, a dedicated script is written, e.g. <code>script/build/grub</code> for building the grub images (which runs automake in the grub build system), or <code>script/build/roms</code> which builds rom images.</li> <li>A script, <code>script/build/linuxboot</code> would build the entire payload with u-root in it, but <code>script/update/trees</code> would actually build each package.</li> </ul> <p>BONUS: the musl-cross-make logic could also be used to provide static linked utilities, so as to provide compiled utilities in Libreboot releases, reliably. We currenty only provide source code for utilities, which is not always convenient for users, especially for utilities needed alongside vendor scripts.</p> <p>If done in the way described above, the current code size in the Libreboot build system would not increase much. It’s mainly the addition of musl-cross-make. Most of the generic build logic already exists in lbmk, for projects that use cmake and/or make. It could be done with minimal complexity.</p> <div class="h"><h2 id="flash-size-limitations">Flash size limitations</h2><a aria-hidden="true" href="#flash-size-limitations">[link]</a></div> <p>With a stripped down kernel, and sensible configuration, about 6-8MB of flash space would be required in this setup. The Heads setup is just under 8MB.</p> <div class="h"><h2 id="why-linux-in-flash">Why Linux in flash?</h2><a aria-hidden="true" href="#why-linux-in-flash">[link]</a></div> <p>Linux has better drivers than GRUB, has netboot, and it’s much more practical when you want to control the boot process. For example, you could more easily implement measured boot and make use of TPM-based security mechanisms.</p> <p>For the everyday user, it probably doesn’t make much difference if they’re already happy with SeaBIOS, GRUB or SeaBIOS.</p> <div class="h"><h2 id="x86-implementation">x86 implementation</h2><a aria-hidden="true" href="#x86-implementation">[link]</a></div> <p>Coreboot can directly execute it as a payload, but we would also execute it from the GRUB payload - if running from the GRUB payload, we could just provide it as a vmlinuz and initramfs file.</p> <div class="h"><h2 id="arm-implementation">ARM implementation</h2><a aria-hidden="true" href="#arm-implementation">[link]</a></div> <p>We already standardise on U-Boot, for ARM machines. It’s debateable whether Linuxboot is even desirable here, U-Boot is quite competent, but the SPL mode in U-Boot could be used to provide the Linux payload setup, OR:</p> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/78913">uefistub</a></p> <p>Although currently only under review, not yet merged anywhere, uefistub seems like a useful way to provide just the most minimal UEFI implementation, required on Linux distros, but all it does it then boot a Linux payload. This is probably what should be used, on ARM platforms, instead of U-Boot, if Linux is to be provided in flash, but the uefistub will use a lot less space than U-Boot. That being said, uefistub does not seem to provide a complete, or even fully correct UEFI implementation.</p> <p>(then again, linux on bare metal providing kexec as main bootloader method is also quite non-standard, at least on x86 and ARM).</p> <div class="h"><h2 id="netboot.xyz">Netboot.xyz</h2><a aria-hidden="true" href="#netboot.xyz">[link]</a></div> <p>It’s unlikely that this will actually be used in lbmk, but this provides a really nice way to boot Linux distros over the network:</p> <p><a href="https://github.com/netbootxyz" class="uri">https://github.com/netbootxyz</a></p> <p>It uses iPXE, whereas we would be using Linux and kexec.</p> <div class="h"><h2 id="zfsbootmenu">Zfsbootmenu</h2><a aria-hidden="true" href="#zfsbootmenu">[link]</a></div> <p>See: <a href="https://docs.zfsbootmenu.org/en/v2.3.x/" class="uri">https://docs.zfsbootmenu.org/en/v2.3.x/</a></p> <p>Similar in concept to netboot.xyz, but this actually does use Linux. It can boot many distros. We could provide something similar to this in Libreboot.</p> <p>This was briefly documented on the Libreboot website, before <a href="../news/argon2.html">argon2 kdf support</a> was merged in Libreboot GRUB.</p> <div class="h"><h1 id="seek-qubes-endorsement">Seek QUBES endorsement</h1><a aria-hidden="true" href="#seek-qubes-endorsement">[link]</a></div> <p>Libreboot is compatible with Qubes, on several supported mainboards. This could be audited, to provide a complete list. Qubes has a page on their website which lists compatible devices.</p> <p>It would be a nice way to promote the Libreboot project, and promote Qubes at the same time, which is an excellent project. We could host a page specifically for it, saying what works on our end, and basically copy that to their wiki.</p> <div class="h"><h1 id="grub-vga-modes">GRUB VGA modes</h1><a aria-hidden="true" href="#grub-vga-modes">[link]</a></div> <p>VGA support is not universal in Libreboot. We typically rely on GRUB to start in console mode (<code>GRUB_TERMINAL=console</code>), which means GRUB won’t change modes, it’ll just use whatever mode we started in.</p> <p>We do not currently modify GRUB’s video handling, so some distro setups will try to use VGA modes, or some syslinux configs (that GRUB can parse) will, causing weird behaviour on many Libreboot systems.</p> <p>TODO: modify GRUB to only have behaviour matching <code>GRUB_TERMINAL=console</code>. See: <a href="https://www.gnu.org/software/grub/manual/grub/html_node/Simple-configuration.html" class="uri">https://www.gnu.org/software/grub/manual/grub/html_node/Simple-configuration.html</a></p> <p>This will prevent the need for modification. In some cases, it is necessary to modify <code>GRUB_TERMINAL</code> in distro grub configs. The way Libreboot’s GRUB menu works is, it scans for GRUB and Syslinux/Extlinux configs on the user’s HDD/SSD, switching to the first one found.</p> <div class="h"><h1 id="grub-configs-menu">GRUB configs menu</h1><a aria-hidden="true" href="#grub-configs-menu">[link]</a></div> <p>Libreboot systematically scans for GRUB/Syslinux/Extlinux configs provided by the user’s operating system, by scanning partitions. It can also scan encrypted partitions (asking for the user to type their LUKS passphrase).</p> <p>However, Libreboot switches to the first one found. In some cases, a user may have multiple configurations.</p> <p>TODO: Keep the current behaviour, for performance reasons, but offer a mode where instead a new menu appears, with menuentries generated, where each one just switches to one of the detected configurations.</p> <p>This would enable Libreboot to work more seemlessly on dualboot setups, where it is currently assumed that the user would modify <code>grub.cfg</code> in the flash.</p> <p>This pertains to the GRUB <em>payload</em> provided in the flash, by Libreboot. It is currently the preferred payload in Libreboot, at least for x86 machines.</p> <div class="h"><h1 id="document-flash-write-protection">Document flash write protection</h1><a aria-hidden="true" href="#document-flash-write-protection">[link]</a></div> <div class="h"><h2 id="ifd-based-method">IFD-based method</h2><a aria-hidden="true" href="#ifd-based-method">[link]</a></div> <p>Already covered, but could be documented more prominently. Use <code>ifdtool --lock libreboot.rom</code> to lock the IFD.</p> <p>This method is easily circumvented, by enabling the Flash Descriptor Override, which varies from trivial to physically difficult depending on the board.</p> <p>On some platforms, such as the Dell Latitude E6400, this method is entirely useless; on the E6400, the EC firmware can be instructed to override the IFD settings, by enabling the Flash Descriptor Override (in fact, this is part of what the <code>dell-flash-unlock</code> utility does).</p> <div class="h"><h2 id="flill-based-method">FLILL-based method</h2><a aria-hidden="true" href="#flill-based-method">[link]</a></div> <p>We already vaguely mention Intel Flash Descriptor settings ta enable write protection. This documentation should be expanded on.</p> <p>See: <a href="https://opensecuritytraining.info/IntroBIOS_files/Day2_02_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20Flash%20Descriptor.pdf" class="uri">https://opensecuritytraining.info/IntroBIOS_files/Day2_02_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20Flash%20Descriptor.pdf</a></p> <p>Actually, look at that site in general:</p> <ul> <li><a href="https://web.archive.org/web/20190104155418/http://opensecuritytraining.info/IntroBIOS.html" class="uri">https://web.archive.org/web/20190104155418/http://opensecuritytraining.info/IntroBIOS.html</a></li> <li><a href="https://opensecuritytraining.info/IntroBIOS.html" class="uri">https://opensecuritytraining.info/IntroBIOS.html</a></li> <li><a href="https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch4001_x86-64_RVF+2021_v1/course/" class="uri">https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch4001_x86-64_RVF+2021_v1/course/</a></li> </ul> <p>Anyway:</p> <p>Universal across all currently known IFD versions, the FLILL section can be used to define <em>invalid</em> opcodes when the flash is used, and this could be used to define <em>write</em> and/or <em>erase</em> opcodes. Up to 4 can be defined.</p> <p>This could be used to complement existing flash-based write protection. Of particular interest is the fact that the FLILL config <em>cannot</em> be overridden. Setting <code>HDA_SDO</code> (newer platforms) or <code>HDA_DOCK_EN</code> (GPIO33) to enable Flash Descriptor Override, will not affect FLILL entries.</p> <p>We could document this on the Libreboot website.</p> <div class="h"><h2 id="smm-write-protection">SMM write protection</h2><a aria-hidden="true" href="#smm-write-protection">[link]</a></div> <p>system management mode can also be used, to implement flash write protection.</p> <div class="h"><h2 id="pr-protected-range-registers">PR (Protected Range) registers</h2><a aria-hidden="true" href="#pr-protected-range-registers">[link]</a></div> <p>Differing per platform but defined by Intel datasheets, the Protected Range registers can be set, to enable flash write protection. Once written, these cannot be changed until a reboot. Anything can set them.</p> <p>This is the preferred method and should be the default (enabled by default), because it can be done from GRUB. So, it could be provided on GRUB setups.</p> <p>We could make it so that all menuentries in the default Libreboot GRUB menu enable this, when possible on a given mainboard. The GRUB <em>shell</em> would not enable it, and special menuentries that don’t enable it could be provided (or an entirely separate GRUB config, e.g. <code>grub_unprotected.cfg</code>).</p> <p>With the PRx-based method, the user can easily circumvent it when they want to update their firmware. Combined with a passphrase in GRUB, for menuentries and the shell, this would prevent an unauthorised user from updating the system; boot password alone cannot protect against malicious code in the user’s operating system, but this method would <em>require</em> a boot password.</p> <p>It could also be done earlier, in coreboot, but then there’s no way to turn it off. Doing it from GRUB (or Linux, when a payload for that is added) seems wiser.</p> <p>In practise, this should probably not be the default. Libreboot’s current default is <em>no write protection</em>, though most Linux distros and BSDs enable protecting <code>/dev/mem</code> by default, that the user can turn off at boot time when they want to flash (e.g. cmdline option <code>iomem=relaxed</code> in Linux, or <code>kern.securelevel=-1</code> in OpenBSD).</p> <div class="h"><h2 id="chip-specific">Chip-specific</h2><a aria-hidden="true" href="#chip-specific">[link]</a></div> <p>Some flash chips support their own write protection scheme, covered in their datasheets, but this is usually unreliable or inconsistent. This method is not to be relied upon.</p> <div class="h"><h2 id="layers">Layers!</h2><a aria-hidden="true" href="#layers">[link]</a></div> <p>Security is all about layers. When you want to lock down the flash, use every method available to you.</p> <div class="h"><h1 id="lbwww-document-mxm-graphics">lbwww: Document MXM graphics</h1><a aria-hidden="true" href="#lbwww-document-mxm-graphics">[link]</a></div> <p>MXM graphics modules are present, on some laptops that we do not yet support, because certain functionality is needed on them that we do not implement yet.</p> <p>See: <a href="https://codeberg.org/libreboot/lbmk/issues/112" class="uri">https://codeberg.org/libreboot/lbmk/issues/112</a></p> <p>Unlike on several other setups, many of these modules require certain data tables to be present, provided by a BIOS interrupt, which the VGA ROMs then use. These tables essentially contain config for things like ports, and power management. More information, including links to PDF files containing the specs for it, are provided for in the above linked issue page.</p> <p>Several more high-end HP EliteBook machines use MXM graphics modules, e.g. HP EliteBook 8560w.</p> <div class="h"><h1 id="lbmk-c-clustered-builds">lbmk-c: clustered builds</h1><a aria-hidden="true" href="#lbmk-c-clustered-builds">[link]</a></div> <p>I had an idea on IRC when we were talking about how to optimise the build speed in Libreboot. Most of the time is spent simply compiling the ROM images, and this will become especially true when we support hundreds of boards; almost none of the time, by percentage, will be spent on payloads and cross compilers anymore.</p> <p>So my idea was: what if we had a cluster setup where multiple machines have their own clone of lbmk, but they all stay in sync, re-using the same builds, for example the same crossgcc builds, but each dividing up tasks between each other.</p> <p>For example, if you have 100 boards and 10 machines, those 10 machines in the cluster would build 10 rom sets each. They would tell each other when they’re all done, and then at the end, there would be a process where they’re all copied.</p> <p>This could probably be done using an NFS share, for things like the bin/ directory on the release/ directory. We really will need something like this in the future, because Libreboot’s goal is to support literally every coreboot board, providing automated configurations for all of them.</p> <p>distcc is probably useful here:</p> <p><a href="https://www.distcc.org/scenarios.html" class="uri">https://www.distcc.org/scenarios.html</a></p> <div class="h"><h2 id="ccache">ccache</h2><a aria-hidden="true" href="#ccache">[link]</a></div> <p>not directly related, but this can speed up coreboot builds</p> <div class="h"><h1 id="fixdep">Fixdep</h1><a aria-hidden="true" href="#fixdep">[link]</a></div> <p>This would be something to implement in coreboot’s build system, but could also benefit lbmk. Currently, any changes to the coreboot’s config results in Make recompiling all objects, even if <code>make clean</code> wasn’t run or if the change shouldn’t have an effect. This is because the build system force includes the generated config.h header into every source, thus making it a prerequisite of every object. This file contains C macro definitions for the value of all visible Kconfig options, allowing code to reference these values for various purposes. Since all of them are contained in this file alone, any change to the config will cause config.h to be updated, forcing all object targets to be out of date.</p> <p>Linux solves this using a utility called fixdep (scripts/basic in the kernel sources), which parses all source files and their included headers to determine which configs, if any, an object actually depends on. The config.h prerequisite is replaced with dependencies on the appropriate config options, allowing make to skip rebuilding objects that do not have any config dependencies or where the config has not changed in value.</p> <p>This may make it possible to avoid running distclean in lbmk between boards, allowing existing objects to be reused if the new board’s config does not affect the object. This would reduce the complexity of the build from O(n*m) to the order of O(m), where n is the number of configs and m is the number of source files. For maximum effectiveness using fixdep alone, boards would need to be built in an order that minimizes the differences in configs between sequential builds, otherwise Make may end up rebuilding an object that was built previously but overwritten with a new build due to a change in the config.</p> <p>Consider:</p> <ul> <li>Board A, which sets CONFIG_TEST=y</li> <li>Board B, which sets CONFIG_TEST=n</li> <li>Board C, which sets CONFIG_TEST=y</li> <li>test.c, which uses the value of CONFIG_TEST</li> </ul> <p>An order such as A-&gt;C-&gt;B would be most efficient:</p> <ol type="1"> <li>A: test.c compiled for the first time with CONFIG_TEST=y</li> <li>C: CONFIG_TEST hasn’t changed, so test.o can be reused from step 1</li> <li>B: test.c recompiled, since CONFIG_TEST changed back to n</li> </ol> <p>An order such as A-&gt;B-&gt;C would be least efficient:</p> <ol type="1"> <li>A: test.c compiled for the first time with CONFIG_TEST=y</li> <li>B: test.c recompiled, since CONFIG_TEST changed to n</li> <li>C: test.c recompiled again, since CONFIG_TEST changed back to y, even though this configuration was previously built in step 1.</li> </ol> <p>Given the number of possible configs, the ideal order is likely impractical to determine, and some files may necessarily have to be built multiple times with the same Kconfigs applied. However, the use of ccache would help mitigate this issue, as it would return cached object files when it detects that the sources for the object being built are the same as a previous compile.</p> <p>All of this should be carefully implemented to ensure that the resulting output is the same as if each file was compiled from scratch each time.</p> <p>The following article describes the function of fixdep in more detail, under the header “Dependency tracking”: <a href="https://opensource.com/article/18/10/kbuild-and-kconfig" class="uri">https://opensource.com/article/18/10/kbuild-and-kconfig</a></p> <p>Nicholas Chin is looking at this in coreboot.</p> <div class="h"><h1 id="use-crossgcc-for-seabios-and-grub">Use crossgcc for SeaBIOS and GRUB</h1><a aria-hidden="true" href="#use-crossgcc-for-seabios-and-grub">[link]</a></div> <p>We currently use hostcc for the SeaBIOS and GRUB payloads. This, among other things, means lbmk is currently only supported for amd64 machines.</p> <p>See other notes on this page about Linuxboot. When that work is done, we will have better infrastructure for cross compilation, which could also be used for this purpose.</p> <p>In particular, GRUB’s build system requires you to build certain utilities first. We use <code>grub-mkstandalone</code> to then provide the coreboot payload. For GRUB specifically, we should therefore use musl-cross-make. SeaBIOS can be built using crossgcc.</p> <div class="h"><h1 id="port-lbmk-to-bsd-systems">Port lbmk to BSD systems</h1><a aria-hidden="true" href="#port-lbmk-to-bsd-systems">[link]</a></div> <p>In particular, FreeBSD is of interest.</p> <p>We probably don’t need to natively port it, because FreeBSD has Linux ABI compatibility in its kernel, using <em>linuxlator</em>, and you can bootstrap a Debian system under it.</p> <p>See: <a href="https://docs.freebsd.org/en/books/handbook/linuxemu/" class="uri">https://docs.freebsd.org/en/books/handbook/linuxemu/</a></p> <p>See: <a href="https://docs.freebsd.org/en/books/handbook/linuxemu/#linuxemu-debootstrap" class="uri">https://docs.freebsd.org/en/books/handbook/linuxemu/#linuxemu-debootstrap</a></p> <p>We may still need certain build system modifications anyway, but this would probably be mostly just documenting how to use lbmk that way.</p> <p>FreeBSD specifically offers many advantages, such as really good OpenZfs integration (better than ZFS-On-Linux setups), which it can do natively because the licensing in BSD is compatible; Linux can’t merge ZFS due to CDDL licensing.</p> <p>An actual native port to FreeBSD is also feasible, and coreboot itself already has some support for that, as does GRUB. If using crossgcc to build all payloads, this could be even easier.</p> <p>Building a Linux kernel might be slightly more challenging, but again: crossgcc.</p> <p>Adapting musl-cross-make for use in FreeBSD could be interesting. Other notes on this TODO page talk about using musl-cross-make to provide static linked utilities in releases, but this has only Linux in mind. Doing them for FreeBSD may also be desirable.</p> <p>Libreboot already has excellent support for booting all of the BSDs. Having the build system be compatible would just be another great boon.</p> <div class="h"><h1 id="package-lbmk-in-distros">Package lbmk in distros</h1><a aria-hidden="true" href="#package-lbmk-in-distros">[link]</a></div> <p>Providing binaries of Libreboot in distros wouldn’t make sense, because we do that anyway, on Libreboot RSYNC, but having ports of the build system on various Linux distros and BSDs might be desirable.</p> <p>Distro package managers could check when changes are made to a given board, and if the system you’re on matches that given board, the package manager could provide you with an option to <em>flash</em> it.</p> <p>This would probably only be provided on systems where that is extremely safe, specifically that those systems have been well-tested. Some ports in Libreboot are a bit flaky and would require extra work.</p> <p>It’s unlikely that this job will ever be done, but it’s on the TODO page anyway. Distro package managers concern themselves with OS applications, kernel, libc, bootloaders and so on; Libreboot is a step below them, earlier on in the boot process.</p> <p>But then again, there are things like <a href="https://github.com/fwupd/fwupd">fwupd</a> that provide firmware updates in distros, so there’s no reason Libreboot couldn’t do something equivalent - we could even do binaries, though I’m mostly thinking of the Libreboot build system itself. A distro could package lbmk to build for a specific Libreboot version, and handle all of the dependencies and everything.</p> <div class="h"><h1 id="vendor-scripts">Vendor scripts</h1><a aria-hidden="true" href="#vendor-scripts">[link]</a></div> <div class="h"><h2 id="bruteforce-more-files">Bruteforce more files</h2><a aria-hidden="true" href="#bruteforce-more-files">[link]</a></div> <p>We bruteforce extract IME but some other firmwares are more or less hardcoded in config.</p> <p>In particular, VGA ROM extraction could be improved. We could modify the <code>romheaders</code> utility to return zero status or non-zero status based on a given PCI vendor/device ID; non-zero if it’s not a match, for a given file, or it isn’t a VGA ROM. We currently extract an nvidia ROM for certain models of Dell Latitude E6400, but the logic is more or less hardcoded.</p> <p>The script at <code>script/vendor/download</code> auto-downloads vendor firmwares needed on certain mainboards, during build time. Libreboot’s build system uses the script at <code>script/vendor/inject</code> to add or remove such files after the fact, on release ROMs, because those firmwares are <em>deleted</em> at release time. This work began mostly after mid-2022, and has since been expanded to cover many types of firmwares, used on various mainboards.</p> <div class="h"><h1 id="investigate-16mb-flash-setups">Investigate 16MB flash setups</h1><a aria-hidden="true" href="#investigate-16mb-flash-setups">[link]</a></div> <p>On some ivybridge and sandybridge boards, where flash is 8MB or 12MB, it is feasible (with some soldering) to upgrade it to 16MB setups.</p> <p>The IFD is configured accordingly, but some board modification besides that may be required. For example, on the ThinkPad T440p, SPI2 is easily accessible but SPI1 requires full disassembly. One could re-wire the board, removing the Chip Select resistor for SPI1, and the SPI2 CS resistor, then re-wiring CS1 to CS2 via a resistor, so that only SPI2 is used (thanks go to Nicholas Chin for describing this idea) - then you stick one big 16MB flash on SPI2, which is easily flashable.</p> <p>These upgrades are really only recommended for advanced users. We do already provide images for them; 16MB ROM images on many GM45 thinkpads, and also the ThinkPad X230.</p> <p>A 16MB setup was attempted on the ThinkPad T440p, but didn’t boot, and I now believe it was because I didn’t insert the MRC firmware at the correct offset during that test. Libreboot’s build system now handles that correctly, in the vendorfile inject script at <code>script/vendor/inject</code>.</p> <p>In IFD-based systems, CS1 and CS2 are separate, but data lines like MOSI/MISO are shared, and the PCH/southbridge will enable or disable the given flash IC to access the region needed.</p> <div class="h"><h1 id="me-cleaner-status-page">ME Cleaner status page</h1><a aria-hidden="true" href="#me-cleaner-status-page">[link]</a></div> <p>See: <a href="https://github.com/corna/me_cleaner/issues/3" class="uri">https://github.com/corna/me_cleaner/issues/3</a></p> <p>It’s a good reference, though far from complete. People post there saying whether their hardware works with <code>me_cleaner</code>.</p> <div class="h"><h1 id="overclocking">Overclocking</h1><a aria-hidden="true" href="#overclocking">[link]</a></div> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/42547" class="uri">https://review.coreboot.org/c/coreboot/+/42547</a></p> <p>The patch, now abandoned, is a proof of concept tested on Asus P8Z77-V LX2 with i7-2600 and i5-3330. It is possible for coreboot to enable overclocking on some boards, though it’s seldom-used and not very universally supported.</p> <p>It might be useful on some machines. The research here (by Angel Pons) may be transferrable to other platforms.</p> <div class="h"><h1 id="detect-module-changes">Detect module changes</h1><a aria-hidden="true" href="#detect-module-changes">[link]</a></div> <p>When a given package is already downloaded and built in some way, lbmk currently works on the assumption that it doesn’t change. During development, it is necessary to manually delete certain build artifacts, and know what to delete.</p> <p>For example, you have to delete <code>src/grub</code> after updating the GRUb revision in lbmk. Lbmk does not, for example, detect when you updated the revision and automatically adjust to the new revision+patches by: 1) undoing all patches and 2) running git pull 3) resetting again to the new revision and applying new patches and 4) cleaning the previous builds</p> <p>In practise, revisions don’t change very often in Libreboot, and they’re normally updated all at once, when they are updated.</p> <div class="h"><h1 id="normalfallback-scheme">Normal/fallback scheme</h1><a aria-hidden="true" href="#normalfallback-scheme">[link]</a></div> <p>Libreboot currently does not handle the normal/fallback payload scheme at all. Instead, it is assumed that the user will always be booting from the fallback payload, with no normal payload provided. One single payload. This assumption is hardcoded into certain logic, in the build system.</p> <p>Coreboot supports configuring which scheme to use, at boot time, but we don’t use it. Coreboot’s default is to always load the fallback, so we use that.</p> <div class="h"><h1 id="improved-payload-documentation">Improved payload documentation</h1><a aria-hidden="true" href="#improved-payload-documentation">[link]</a></div> <p>The actual payload documentation is quite sparse in Libreboot, especially SeaBIOS but also GRUB. We don’t need to repeat what is said by upstream docs, but we also don’t link to them or cross reference them in any way.</p> <p>We should start writing about the payloads in more detail, referencing upstream documentation whenever possible.</p> <div class="h"><h1 id="static-compiled-utils-in-releases">Static compiled utils in releases</h1><a aria-hidden="true" href="#static-compiled-utils-in-releases">[link]</a></div> <p>We curerntly only provide binaries of the firmware itself, for each mainboard, but we do not provide utilities compiled. We provide only source code, and the user is expected to compile utilities from source.</p> <p>This can be inconvenient, especially if the user is running the vendorfile download scripts. This should be done alongside providing musl-cross-make for the linuxboot builds.</p> <div class="h"><h1 id="download-repositories-in-bulk">Download repositories in bulk</h1><a aria-hidden="true" href="#download-repositories-in-bulk">[link]</a></div> <p>At present, lbmk does what it needs to do, and downloads repositories only as required, upon each stage of the boot process. For example, it may download gnulib when downloading GRUb, after having maybe built 5 mainboards all with only SeaBIOS, having built SeaBIOS before those 5 - it doesn’t build SeaBIOS and GRUB before the 5.</p> <p>What this means is that the internet may work at one stage during a build, but for very long builds (ones that take hours, which some do), it may be that the user’s internet goes down, and a latter part of the build fails, where it might have succeeded if packages were downloaded much earlier and in bulk.</p> <div class="h"><h2 id="optimisation">Optimisation</h2><a aria-hidden="true" href="#optimisation">[link]</a></div> <p>So, TODO: Make lbmk determine precisely what packages would later be downloaded through various parts of a build, for a given command, and do it all at once, and then build. This is also better because, for very large amounts of modules, that take a long time to install, existing downloaded modules could be built while the download is in progress, to save on overall build time. This would be especially beneficial on slow internet connections, where a larger amount of time is spent downloading that building.</p> <p>In this context, slow internet means 20Mbps or less. Libreboot downloads a <em>lot</em> of code during the build process. For reasonable build times, it is currently recommended that you run lbmk an on internet connection that is at least 100Mbps. You can still use slower connections, it’ll just take longer.</p> <div class="h"><h1 id="dont-copy-src-trees">Don’t copy src trees</h1><a aria-hidden="true" href="#dont-copy-src-trees">[link]</a></div> <p>For multi-tree projects, lbmk currently copies the source code per tree, e.g. <code>coreboot/default</code>, <code>coreboot/dell</code>. What could be done instead is to use the existing Git history as-is, and just make a new branch, with whatever patches, at the given revision.</p> <p>At release time, to save space, the given repository would have its history re-initialised, with the code branches reset per tree, and the source code copied, then committed - <em>this</em> would actually create <em>more</em> copies than lbmk currently does, thus using the disk more heavily, but only during release time. For normal builds (from Git, or from released archives), less disk space would be used, and there would be less disk I/O. This would especially reduce wear and tear on SSDs, where Libreboot is used.</p> <p>This may have some complications, where submodules are used. A solution to this would be to define those submodule repositories under lbmk’s <code>config/git/</code> instead, and from there, define them as dependencies for a given project. Where a multi-tree project defines them, those dependencies could themselves be treated as multi-tree in the ame way as described above, even if they don’t have a configuration for that in lbmk, because they are already used as dependencies in the multi-tree projects - in this case, if no custom config is provided, they would just use whatever revision is used in the defined submodule for the main target project that lbmk is downloading for.</p> <div class="h"><h1 id="vendor-scripts-1">Vendor scripts</h1><a aria-hidden="true" href="#vendor-scripts-1">[link]</a></div> <div class="h"><h2 id="check-hashes-of-resulting-files">Check hashes of resulting files</h2><a aria-hidden="true" href="#check-hashes-of-resulting-files">[link]</a></div> <p>Libreboot extracts the files from vendor updates, and those updates are checked against known hashes, but lbmk only defines such hashes for the larger updates themselves. hashes for the files extracted could also be defined, mostly as a way to ensure that they were correctly extracted, though it could default back to current behaviour (only check the main file) if individual checksums for inside files are not defined.</p> <div class="h"><h1 id="reproducible-builds">Reproducible builds</h1><a aria-hidden="true" href="#reproducible-builds">[link]</a></div> <p>We can’t focus on this reliably, because we use hostcc extensively for many parts of the build process. Other parts of this TODO page talk about how to integrate linux as a payload, by improving our cross compiling setup.</p> <p>Cross compilation is the first step to reproducibility, because then we only have to worry about the toolchain, which is easier to control. We can start focusing specifically on reproducibility once all of that has been done.</p> <div class="h"><h2 id="tarballs">Tarballs</h2><a aria-hidden="true" href="#tarballs">[link]</a></div> <p>We already have partial reproducibility, though we currently use the <code>-T0</code> option in xz, whereas <code>-T1</code> is more appropriate; forcing it to run on 1 core will ensure that the file is always compressed in the same way.</p> <p>See: <a href="https://reproducible-builds.org/docs/archives/" class="uri">https://reproducible-builds.org/docs/archives/</a></p> <p>We already pretty much are right on the money. The main task that we still need to work on is cross compilation; specifically, we need to actually cross compile, because most code is compiled by hostcc when we use lbmk. This is covered in another section, on this TODO page.</p> <p>Also: <a href="https://lists.debian.org/debian-dpkg/2016/10/msg00012.html" class="uri">https://lists.debian.org/debian-dpkg/2016/10/msg00012.html</a></p> <p>This post writes about the rationale for <code>-T1</code> when using xz.</p> <div class="h"><h1 id="vga-run-time-not-build-time">VGA: Run-time, not build-time</h1><a aria-hidden="true" href="#vga-run-time-not-build-time">[link]</a></div> <p>In coreboot, configuration of video initialisation is done at build time. This has several disadvantages, in that you now need multiple ROM images for multiple configurations, but it has the upside that the resulting ROM image will have fewer bytes of code within it.</p> <p>From an lbmk perspective, the upsides are largely ignored because we want to build hundreds and hundreds of ROM images, fast. That means reducing the amount of time spent to compile for each mainboard.</p> <p>We currently do this on each mainboard:</p> <ul> <li>libgfxinit with text mode startup, if possible</li> <li>libgfxinit with coreboot framebuffer, if possible</li> <li>vgarom setup when desirable; usually executed by seabios, not coreboot</li> </ul> <p>This is often literally 3 different ROM images, for all of the above. It is possible to have a libgfxinit setup where SeaBIOS is the payload, so that VGA ROMs can be executed aswell, but this has several issues, covered elsewhere on this page.</p> <p>It would be nice if all of this could be runtime options instead. By “runtime”, we do mean modification of the ROM image, but not in a way that requires a full re-build. A good example of this would be the SeaBIOS runtime setup:</p> <p><a href="https://www.seabios.org/Runtime_config" class="uri">https://www.seabios.org/Runtime_config</a></p> <p>On SeaBIOS, it is not necessary to re-build for the most part (though some things are still left to build-time config). Instead, you edit files inside the coreboot file system (CBFS), that SeaBIOS will use to configure itself at boot time.</p> <p>We could take a note from SeaBIOS and do that here, but in coreboot. Why is it that we need separate ROMs just to switch between the coreboot framebuffer or classic text mode startup? Why can’t it be the same ROM?</p> <p>If we were to do it at runtime like described above, we could cut the build time in half, or even more than half; we could cut it down to about 30% of the current time. Disabling libgfxinit could also be a runtime option. It’s already possible to change the payload at runtime for instance (manually), by running cbfstool.</p> <div class="h"><h1 id="modularise-the-coreboot-stages">Modularise the coreboot stages</h1><a aria-hidden="true" href="#modularise-the-coreboot-stages">[link]</a></div> <div class="h"><h2 id="ie.-generate-cbfs-in-lbmk">ie. generate cbfs in lbmk</h2><a aria-hidden="true" href="#ie.-generate-cbfs-in-lbmk">[link]</a></div> <p>We currently use the coreboot build system which is designed to build all stages, such as the bootblock, car, ramstage, romstage etc. The coreboot build system already builds these separately, as separate binaries, and then joins them all together inside the CBFS (coreboot file system) of the target ROM image. Essentially, coreboot creates the empty file containing CBFS, and starts adding all of the files.</p> <p>The logic is already there in coreboot, but it does everything all at once.</p> <p>We might benefit from splitting this, within the coreboot build system, so that it’s possible to do one stage then another, separately, and then we could use <em>lbmk</em> to join them, initialising the CBFS and adding all of the stages.</p> <p>This could be useful when we <em>do</em> actually need a build-time configuration changed, but where many stages are identical between different build-time setups. This could then be abused, to substantially reduce the overall build time in lbmk. We want to build hundreds of ROM images in coreboot, and that takes <em>time</em> - too much time.</p> <p>This will require working with upstream, and in practise require that they accept such proposals. The build system design in coreboot is already ready for this sort of thing, and it could be done with minimal complexity - the current behaviour would be retained as a default.</p> <p>We might have to backport to some older revisions, because lbmk uses certain older revisions on some machines, e.g. AMD AGESA platforms.</p> <div class="h"><h1 id="macbook21-c-states-patch">Macbook21 C-states patch</h1><a aria-hidden="true" href="#macbook21-c-states-patch">[link]</a></div> <p>See: <a href="https://review.coreboot.org/c/coreboot/+/63587" class="uri">https://review.coreboot.org/c/coreboot/+/63587</a></p> <p>We currently re-use the same ROM image for macbook21 on the imac52, but it is now believed that the C-state config there is not suitable on imac52. See patch.</p> <p>TODO: test on imac52 and macbook21. If confirmed (again, see patch, the problem is described there), we can expand it to configure c-states differently on imac52. This config is used to enable efficient power management, on these machines.</p> <div class="h"><h2 id="how-to-dump-c-state-config">How to dump c-state config</h2><a aria-hidden="true" href="#how-to-dump-c-state-config">[link]</a></div> <pre><code>i2cdump 0x69</code></pre> <p>dump the c-state config from apple efi firmware</p> <p>imac5,2 breaks with the current c-state patch used in libreboot, according to <code>f_</code> on IRC.</p> <p>powertop can give info about available c-states</p> <p>also: don’t use efi grub or anything efi on non-macos operating systems on these machines, doesn’t work well in apple’s firmware. mentioned by avph in the gerrit link (see above)</p> <div class="h"><h1 id="check-file-ownership-in-builds">Check file ownership in builds</h1><a aria-hidden="true" href="#check-file-ownership-in-builds">[link]</a></div> <p>When lbmk is running, it is assumed that the current user has ownership of the files. If lbmk is operated on a clone that is under different ownership, it might fail in strange ways; for example if you had read access but not write access. There is already general error management all over lbmk, where a given command returning non-zero status will result in lbmk pretty reliably exiting, and printing the error on screen for the user.</p> <p>However, we do not specifically check permissions/ownership of files. For example, the user might have cloned lbmk as root to run the dependencies script, and then they want to run lbmk. We already make lbmk exit, with non zero status, if it’s run as root, for safety reasons, but this does not apply when lbmk is run on a clone that is owned by another user.</p> <p>Lbmk could specifically check for this at startup, and provide a specific warning message to the user, so that they know what to do to fix it. Lbmk would also then exit earlier, rather than trying to run something, which might result in very unpredictable behaviour.</p> <div class="h"><h2 id="sanity-checks">Sanity checks</h2><a aria-hidden="true" href="#sanity-checks">[link]</a></div> <p>We basically should have startup sanity checks in general, such as checking whether all the right dependencies are installed on the host system - similar to autoconf setups used by many GNU projects, though we don’t want to use autoconf, it’s bloat.</p> <p>If a sanity check is passed, a configuration file can then be provided, which can be used to control how lbmk runs. For example, if a certain version of a library is installed that behaves differently from a newer version, lbmk might have logic implemented that makes it behave differently depending on which library is installed. The general goal of lbmk is to be as portable as possible, but without introducing too much complexity into its design, so this TODO item will have to be handled with a lot of core.</p> <p>Remember the mantra: code equals bugs.</p> <p>We are running lbmk on extremely buggy systems, such as Linux. We do not yet have native support for running on BSD systems for example. This TODO entry is basically the same thing as the other entry on this page about porting to BSD. So tackle both.</p> <div class="h"><h1 id="software-bill-of-materials">Software Bill of Materials</h1><a aria-hidden="true" href="#software-bill-of-materials">[link]</a></div> <p>Generate an SBOM for all of Libreboot, on release builds specifically; it can be skipped for performance/convenience reasons on regular development builds from git. See: <code>script/update/release</code> - it would be handled here, because this is the script that actually generates full release sets.</p> <p>SBOM is a requirement now, in many commercial contexts, depending on how software is used, or how it’s shipped. For example, if you’re providing software to certain government departments, in certain countries, they may require it.</p> <p>We can’t know where Libreboot will be used. Let’s automate this problem so that our users don’t have to. Coreboot already has some support for this, in its build system, and we could adapt the build systems of other projects, and tie it all together from lbmk.</p> <p>The way lbmk works makes it very simple to implement something like this. The SBOM is literally just a thing that says what’s included in a software release, or an aggregate distribution of software in our case. Libreboot’s build system already has to have things like repository links, revisions, lists of patches and so on, to know how each piece of software is configured.</p> <p>I’d say this would be handled in, say, <code>include/sbom.sh</code> within lbmk, with a minimal stub in <code>script/update/trees</code> that handles it. All it would do is generate an sbom file by reading everything under <code>config/</code>. This would not be used automatically, during regular development builds, but it would be used by <code>script/update/release</code>. It could output the sbom to regular <code>stdout</code>, with errors outputted to <code>stderr</code> (specifically, and deliberately - like if a certain piece of software is missing or disabled or something, write about that in stderr, though the actual sbom data would be on stdout).</p> <p>Let’s say you do it as <code>-z</code> - ok, but the script handles specific projects. So now we do:</p> <pre><code>./update trees -z coreboot</code></pre> <p>This is just one example. The <code>trees</code> script already knows how to read configs of all the projects, so that it knows how to download and build them. It would just output that in a parseable format, to stdout. Then you might do for example:</p> <pre><code>./update trees -z coreboot 1&gt;sbom.txt 2&gt;sbom.txt.err</code></pre> <p>But oh, what’s this? We already know that the trees script can handle multiple projects. For instance:</p> <pre><code>./update trees -z flashprog pico-serprog grub seabios</code></pre> <p>Then it would output for all of those. It just goes in a loop.</p> <p>This is just an idea. Anyway, this should go hand in hand with reproducible builds, which is mentioned elsewhere on this TODO page.</p> <p>This is a very unix-y way to do an sbom, in lbmk, which is already a very unix-esque build system design. Write one thing that does one thing well. We pretty much already have everything we need to implement this.</p> <p>NOTE: The above is not necessarily the best way to handle an SBOM, it’s just one possible idea off the top of my head, proposed that way because it would minimise the amount of complexity needed in lbmk, to handle that use-case.</p> <p>NOTE: the <code>-z</code> option in ./update trees is not yet implemented. Again, the above just a concept.</p> <div class="h"><h1 id="re-use-build-artifacts">Re-use build artifacts</h1><a aria-hidden="true" href="#re-use-build-artifacts">[link]</a></div> <p>Libreboot’s build system, lbmk, does not re-use artifacts well. It largely assumes that you are building everything from scratch, which is great for release builds and is very simple, but sometimes that can be annoying during development. This pretty much goes hand in hand with the other TODO item on this page, about lbmk checking itself when a given codebase or config gets updated, so that it can adapt itself.</p> <p>Most notably, lbmk runs distclean on most/all codebases before then running make-all. This is done for simplicity, and in practise usually works OK because most projects only get built once, unless they are modified (by a developer).</p> <p>This might be useful for:</p> <div class="h"><h2 id="partial-coreboot-re-builds">Partial coreboot re-builds</h2><a aria-hidden="true" href="#partial-coreboot-re-builds">[link]</a></div> <p>A lot of the time in lbmk, we are building multiple variants of the same mainboard, for different setups. We could skip a lot of the re-building. This pretty much goes hand in hand with the other entry on this TODO page, about spliting up the various stages in coreboot, and handling CBFS generation within lbmk.</p> <div class="h"><h2 id="notes-about-git">Notes about Git</h2><a aria-hidden="true" href="#notes-about-git">[link]</a></div> <p>See: <a href="https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/" class="uri">https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/</a></p> <p>This guide has some useful information about using Git, and some of it may be useful for this goal. There are many cases where we download all of the Git history for a given project, where we really only need a small part of it. We could speed up the downloads a lot, and also speed up the builds a bit (by reducing the amount of deltas that need to be resolved when cloning).</p> <p>In particular, Git Work Trees are a useful feature that we might use in lbmk.</p> <div class="h"><h1 id="chinese-users-cant-run-lbmk">Chinese users can’t run lbmk</h1><a aria-hidden="true" href="#chinese-users-cant-run-lbmk">[link]</a></div> <p>Libreboot has quite a few Chinese users, but the Chinese internet blocks access to several sites like github - and apparently the coreboot gerrit site is also blocked, where we clone coreboot from.</p> <p>We’d need to get Chinese internet users to test this, but lbmk should be modified to work on the Chinese internet, when downloading packages. China is a huge country with over 1 billion people, all of whom deserve to use coreboot.</p> <p>We could provide special branches of lbmk with patches in it, that make certain upstreams be altered. For example, download coreboot from several mirrors that are not blocked in China.</p> <p>I did toy with the idea of making a Gitee account (China’s not-invented-here copy of GitHub), but registration required a Chinese phone number, so I couldn’t make an account. I was going to set it up for Libreboot.</p> <div class="h"><h1 id="me-cleaner-is-old">me cleaner is old</h1><a aria-hidden="true" href="#me-cleaner-is-old">[link]</a></div> <p>From what I can tell, <code>me_cleaner</code> is not well-tested or supported on many newer Intel platforms. it shouldn’t affect us in Libreboot for now, because we’re not even past Haswell yet, but see for instance:</p> <div class="h"><h2 id="also-disablement">Also: disablement</h2><a aria-hidden="true" href="#also-disablement">[link]</a></div> <p>See: <a href="https://github.com/corna/me_cleaner/issues/278" class="uri">https://github.com/corna/me_cleaner/issues/278</a></p> <p>This looks interesting. It seems on some arrandale machines it’s actually possible to completely disable the ME (remove it from the nor flash), with “almost no ill effects” according to the OP on that issue page.</p> <div class="h"><h1 id="faq-cover-usb-fuzzing-attacks">FAQ: cover USB fuzzing attacks</h1><a aria-hidden="true" href="#faq-cover-usb-fuzzing-attacks">[link]</a></div> <p>We write on the FAQ that SATA devices could potentially have DMA capability, but this has still not been proven, and it’s probably not true in practise.</p> <p>USB may not have DMA, but it’s possible to perform what’s called a fuzzing attack, whereby a USB device pretends to be something such as a keyboard, a mouse, a networking device, or any number of things in quick succession. A wily attacker could program a small USB dongle, and plug it into your running machine. If your operating system is insufficiently secured or otherwise poorly configured, and attacker could then remotely control your machine, and steal data.</p> <p>You can just look up “USB fuzzing attack” online. There are several actually practical examples of it in the wild, and it’s really easy to do. Easy meaning: cheap. It’s a low-effort attack.</p> <p>So we should cover it, and talk about ways to mitigate the risk (e.g. disable USB input devices and networking devices, in the user’s operating system).</p> <div class="h"><h1 id="auto-configure-ifd-region-limits">Auto-configure IFD region limits</h1><a aria-hidden="true" href="#auto-configure-ifd-region-limits">[link]</a></div> <p>We currently configure the ME/BIOS region sizes manually, which is fine, but the way it’s configured is very complicated.</p> <p>See: <a href="../docs/install/ivy_has_common.html">Vendor file guide</a></p> <p>The way the Libreboot build system works, the Intel ME and other firmware is automatically downloaded at build time. At release time, blobs such as these are deleted, but an extra <em>insert</em> script is provided that can provide the same auto-download and auto-insert on release ROMs.</p> <p>The default Intel ME firmware is about 5MB in most setups. We use <code>me_cleaner</code> which removes a lot of the malicious features in the ME, and truncates it to a much smaller size, e.g. 96KB on ivybridge systems (down from the default 5MB).</p> <p>We currently configure this manually. We could do it automatically, though it should not be done automatically at build time, but at the time of adding a given machine to Libreboot. We could automate it like so:</p> <ul> <li>Download the vendor update, and use the bruteforce extraction method to get at <code>me.bin</code></li> <li>Run the <code>me_cleaner</code> program, and get the size of the ME.</li> <li>Pass it a factory dump, and run <code>me_cleaner</code> on that, to set all the extra bits like HAP, but don’t use truncate.</li> <li>Run the <code>--unlock</code> command in ifdtool, to unlock that ROM.</li> <li>Auto-configure the IFD region sizes in that dump, based on the truncated size.</li> <li>Extract the final IFD, and the GbE region if it exists.</li> </ul> <p>Then it can configure the config file under <code>config/vendor/</code>.</p> <p>After this, lbmk would still have static configs, not altered in any way at build time, but this would be an automated way to add new configs. Read more on the guide linked above, and read the vendor scripts themselves, to learn more; you can also read about them on the <a href="../docs/maintain/">lbmk maintenance manual</a>.</p> <div class="h"><h1 id="signed-commits">Signed commits</h1><a aria-hidden="true" href="#signed-commits">[link]</a></div> <p>Start signing commits in Git. There’s nothing more to say. Just do it.</p> <div class="h"><h1 id="secure-suspend-method-luks-setups">Secure suspend method (LUKS setups)</h1><a aria-hidden="true" href="#secure-suspend-method-luks-setups">[link]</a></div> <p>See: <a href="https://github.com/shmalebx9/luks-suspend-portable" class="uri">https://github.com/shmalebx9/luks-suspend-portable</a></p> <p>Caleb came up with a method to have suspend functionality, where the encryption keys are not stored in memory. It’s worth looking into. We might be able to provide something automated in lbmk.</p> <div class="h"><h1 id="usb-keyboard-in-secondary-payload">USB keyboard in secondary payload</h1><a aria-hidden="true" href="#usb-keyboard-in-secondary-payload">[link]</a></div> <p>We don’t use secondary payloads defined here, but see: <a href="https://ticket.coreboot.org/issues/484" class="uri">https://ticket.coreboot.org/issues/484</a></p> <p>The issue page has info about the problem, and a workaround. Listed here for reference, in case this functionality is ever used in Libreboot.</p> <div class="h"><h1 id="zstd-in-btrfs-on-grub">zstd in btrfs on grub</h1><a aria-hidden="true" href="#zstd-in-btrfs-on-grub">[link]</a></div> <p>Reported buggy by a user on IRC. TODO: test it</p> <p>zstd is the compression used in btrfs, when compression is enabled. No other information was given, other than it is “buggy”. Reported on Libreboot 20231101.</p> <div class="h"><h1 id="optimise-crossgcc-space">Optimise crossgcc space</h1><a aria-hidden="true" href="#optimise-crossgcc-space">[link]</a></div> <p>Re-use crossgcc from other coreboot trees, in other coreboot trees. We currently build several versions of it, but we probably only need one, maybe two. Audit this, across various coreboot trees. Specific coreboot trees (older ones) could just be patched if re-using crossgcc from a newer tree.</p> <div class="h"><h1 id="t60-procacpiibmthermal">T60 /proc/acpi/ibm/thermal</h1><a aria-hidden="true" href="#t60-procacpiibmthermal">[link]</a></div> <p>Reported by a user (unknown what LIbreboot version), this file is not available at all. It was later revealed that the user flashed a ROM image without microcode updates, triggering the AE18 errata. Thermal management is buggy without the updates, on that platform.</p> <div class="h"><h1 id="link-cpu-errata-pdfs">Link CPU errata PDFs</h1><a aria-hidden="true" href="#link-cpu-errata-pdfs">[link]</a></div> <p>Libreboot makes reference to CPU errata in documentation, but without actually linking to the documents themselves. Link to the PDFs for all available CPUs, on supported Libreboot hardware. AMD has them too. These are errata documents that define which bugs exist in each CPU, and which ones have been fixed by microcode updates - they also generally provide information for OS developers, to know how certain bugs should be mitigated, whenever possible.</p> <div class="h"><h1 id="macbook21-backlight-controls">Macbook2,1 backlight controls</h1><a aria-hidden="true" href="#macbook21-backlight-controls">[link]</a></div> <p>Was reported broken in linux 6.1, but works in 5.x</p> <p>Since linux 6.1, the backlight subsystem was revamped. Try one of the cmdline options:</p> <ul> <li><code>acpi_backlight=video</code></li> <li><code>acpi_backlight=vendor</code></li> <li><code>acpi_backlight=native</code></li> </ul> <p>More testing is needed on this. So far, nothing seems broken on other machines tested and no user reports have come in. The way backlight controls work on coreboot can differ a bit from the vendor firmware on some boards.</p> <p>Not really a major issue, but it does need to be addressed.</p> <div class="h"><h2 id="todo-test-other-platforms-too">TODO: test other platforms too</h2><a aria-hidden="true" href="#todo-test-other-platforms-too">[link]</a></div> <p>Test other platforms.</p> <div class="h"><h1 id="document-ch341a-variants">Document CH341A variants</h1><a aria-hidden="true" href="#document-ch341a-variants">[link]</a></div> <p>All CH341A variants are garbage for ISP-based flashing, because of weak drive strength and poor board layout, also the WP/HOLD pins are often held high via straight connections to VCC on these boards (rather than going through a pull-up resistor, as safe electrical design would dictate).</p> <p>However, Libreboot currently only documents the black and gold one, that comes with 5V logic levels by default, and it has information for how to modify it so that the logic level are 3.3v - in addition, there are 1.8V logic level adapters, that just come with logic level converters on them.</p> <p>The original green variant is 3.3v by default, and some newer variants have adjustable voltage for the logic levels.</p> <p>For socket-based flashing, they’re actually quite decent flashers. Quite convenient, because you don’t have to mess with a breadboard or anything, because they already have ZIF sockets on them for DIP-8 ICs, on which you can also use adapters for SOIC-8, SOIC-16 and WSON-8.</p> <div class="h"><h2 id="e6400-vga-rom-nvidia">E6400 VGA ROM (Nvidia)</h2><a aria-hidden="true" href="#e6400-vga-rom-nvidia">[link]</a></div> <p>See: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990662#22" class="uri">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990662#22</a></p> <p>Although we couldn’t reproduce it after testing, a redditor did report that following these steps caused nouveau to work.</p> <p>Also: <code>e6400nvidia_4mb</code> works better on that setup, nouveau is actually stable in some cases. Check the E6400 page for libreboot, it lists issues with nouveau on those machines.</p> <div class="h"><h2 id="test-crystalwell-cpus-on-t440p">Test Crystalwell CPUs on T440p</h2><a aria-hidden="true" href="#test-crystalwell-cpus-on-t440p">[link]</a></div> <p>Coreboot has support for these, but they have not been tested as far as I know, and no reports have been made for them by Libreboot users. These offer higher performance and the machine is already very nice.</p> <p>Ditto W541.</p> <div class="h"><h2 id="how-to-extract-vbt-data">How to extract VBT data</h2><a aria-hidden="true" href="#how-to-extract-vbt-data">[link]</a></div> <p>See:</p> <ul> <li><a href="https://manpages.debian.org/bullseye/intel-gpu-tools/intel_vbt_decode.1.en.html" class="uri">https://manpages.debian.org/bullseye/intel-gpu-tools/intel_vbt_decode.1.en.html</a></li> </ul> <p>Extract it from the vga rom, the vbt header is in there, and the number of bytes will be in the size field, so that one can know how many bytes to extract. One of these tools linked above prints it.</p> <p>The VBT table is needed on machines where intel libgfxinit is used. It can just be extracted and included in a coreboot port.</p> <p>Also see: intelvbttool in coreboot. How to use:</p> <pre><code>intelvbttool --inlegacy --outvbt data.vbt</code></pre> <p>Example patch (merged in coreboot) that used this: <a href="https://review.coreboot.org/c/coreboot/+/79625" class="uri">https://review.coreboot.org/c/coreboot/+/79625</a></p> <div class="h"><h1 id="guix-use-debootstrap">Guix: use debootstrap</h1><a aria-hidden="true" href="#guix-use-debootstrap">[link]</a></div> <p>GCC-Gnat is unavailable in Guix, due to the distro’s requirement for sources to be bootstrapped. GCC-Gnat is also required, for building GCC-Gnat. We build it in libreboot, to provide libgfxinit, because it’s written in Ada.</p> <p>Therefore, lbmk cannot be used reliably in Guix. It’s possible to just add a binary for Gnat to the host, and then use that, but there is another idea:</p> <p>Guix <em>does</em> have debootstrap, which could be used to bootstrap a Debian system, and install everything in that, including GCC-Gnat. Of course, we don’t need to do anything for this in lbmk, but it would be nice to document.</p> <p>In fact, it wouldn’t necessarily need to be specific to Guix, because many systems have debootstrap; FreeBSD also has it, and it’s even mentioned here on this page, though in the context of <em>porting</em> lbmk to FreeBSD.</p> <p>Perhaps this could be done:</p> <p>In the logic for <code>./build dependencies distroname</code>, add an option for Guix, but on that one, make lbmk automatically set up debootstrap if it’s being run for Guix (and it would detect whether the host actually is Guix System).</p> <div class="h"><h1 id="docsbuildclean.html">docs/build/clean.html</h1><a aria-hidden="true" href="#docsbuildclean.html">[link]</a></div> <p>Add this section, telling the user (of lbmk specifically) how to clean various directories. This isn’t handled universally, due to lbmk’s design. When updating revisions, a lot of manual intervention is needed if an existing revision was already downloaded, especially if it was built.</p> <p>For example, if you already compiled GRUB at a given revision, it will be present under <code>elf/grub/</code>. If you’re updating the revision in lbmk, you must delete <code>elf/grub</code> first. Similarly, if you’re testing out code changes, you have to know to do that and re-make GRUB.</p> <p>This section relates to another section on this page, about automatically handling such updates in lbmk when it runs. Until that is done, this section is also here. We should document how this is handled, under the current scheme. A lot of development on lbmk requires the operator to <em>know</em> how lbmk works.</p> <p>The preference however is to simplify and automate everything as much as possible. That is Libreboot’s philosophy, that the user should never have to do more than is absolutely necessary when someonething could just as easily be done in code.</p> <div class="h"><h1 id="e6400-security">E6400 security</h1><a aria-hidden="true" href="#e6400-security">[link]</a></div> <p>See other section on this page about write protection.</p> <p>Setting PR registers for write protection is a valid way to write protect on Dell E6400, and it would not be affected by the flash-unlock utilitiy.</p> <div class="h"><h2 id="smm-methods">SMM methods</h2><a aria-hidden="true" href="#smm-methods">[link]</a></div> <p>Tere are two SMM write protect methods:</p> <p>The old lock enable bit, which causes an SMI to be triggered whenever BIOS write enable is changed back to 1. Then SMM needs to change the BISO write enable back to 0. Not the best option as it is vulnerable to timing attacks where a write gets through before SMM can change it back.</p> <p>On newer chipsets (5 series and newer, basically everything newer than GM45), there’s a new bit called SMM BIOS write protection, which prevents flash from being written to unless all cores are in SMM, which is better than the other method.</p> <p>^ These notes were supplied by Nicholas Chin via IRC.</p> <div class="h"><h1 id="pci-e-rebar">PCI-E REBAR</h1><a aria-hidden="true" href="#pci-e-rebar">[link]</a></div> <p>See: <a href="https://github.com/xCuri0/ReBarUEFI" class="uri">https://github.com/xCuri0/ReBarUEFI</a></p> <p>This is <em>required</em> on some newer graphics cards, and can otherwise improve performance when supported. Support supports PCI-E REBAR - apparently some GPUs need it.</p> <p>It allows the host CPU to access all of VRAM at once, without 32-bit legacy code. The above repository is a proof of concept that shows it working, though the work there is not directly applicable to us.</p> <p>This feature is only supported commercially on much newer mainboards, and is unavailable on many older mainboards, but it can be added if the firmware is updated. This is one of the benefits of the <em>freedom</em> coreboot gives you. We could enable this on all the older desktop machines, where otherwise their factory firmware does not and will not enable it (and the above link is for UEFI systems only).</p> <div class="h"><h1 id="shrink-fsp-size-intel">Shrink FSP size (Intel)</h1><a aria-hidden="true" href="#shrink-fsp-size-intel">[link]</a></div> <p>See: <a href="https://blog.osfw.foundation/breaking-the-boundary-a-way-to-create-your-own-fsp-binary/" class="uri">https://blog.osfw.foundation/breaking-the-boundary-a-way-to-create-your-own-fsp-binary/</a></p> <p>Remove modules from FSP that coreboot doesn’t use. This will especially be useful on setups where linuxboot is to be enabled. Initially done on Alderlake but possible on other platforms.</p> <p>Thanks go to Nicholas Chin for linking this.</p> <div class="h"><h2 id="chromebooks">Chromebooks</h2><a aria-hidden="true" href="#chromebooks">[link]</a></div> <p>Especially useful here, if using the default setup. In the default setup, there are essentially three copies of the firmware in flash: a recovery image, an “A” image and a “B” image, according to Nicholas Chin.</p> <div class="h"><h1 id="compare-factorydownload-neutered-me">Compare factory/download neutered ME</h1><a aria-hidden="true" href="#compare-factorydownload-neutered-me">[link]</a></div> <p>Use tools and hexdump diffs to compare neutered Intel ME images, comparing ones neutered from factory.bin dump, and ones from the auto-downloader in lbmk.</p> <p>Probably no difference, or no differences that matter, but we never tested this (no problems so far, since mid/late 2022 when we started doing this in osboot, and heads did it for years before we did, and they never had any problems).</p> <div class="h"><h1 id="hp-820-g2-tpm">HP 820 G2 TPM</h1><a aria-hidden="true" href="#hp-820-g2-tpm">[link]</a></div> <p>TODO: check that it can be upgraded to TPM 2.0 (default is 1.2). It’s a SLB 9660 TPM</p> <p><a href="https://community.infineon.com/t5/OPTIGA-TPM/SLB-9660-TT1-2-upgrade-TPM-1-2-to-TPM-2-0/td-p/382419" class="uri">https://community.infineon.com/t5/OPTIGA-TPM/SLB-9660-TT1-2-upgrade-TPM-1-2-to-TPM-2-0/td-p/382419</a></p> <p><a href="https://support.hp.com/gb-en/document/c05792935" class="uri">https://support.hp.com/gb-en/document/c05792935</a></p> <p>Apparently, this can be upgraded to TPM 2.0. Riku linked this on IRC:</p> <p><a href="https://forum.ts.fujitsu.com/forum/viewtopic.php?t=49340#p156746" class="uri">https://forum.ts.fujitsu.com/forum/viewtopic.php?t=49340#p156746</a></p> <p>And also this, straight from the horse’s mouth:</p> <p><a href="https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slb-9660xt1.2/" class="uri">https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slb-9660xt1.2/</a></p> <div class="h"><h1 id="th-ssd-on-t440p">4th SSD on T440p</h1><a aria-hidden="true" href="#th-ssd-on-t440p">[link]</a></div> <p>probably possible on w541 too</p> <p><a href="https://www.youtube.com/watch?v=jURgHzLrpBs" class="uri">https://www.youtube.com/watch?v=jURgHzLrpBs</a></p> <p><a href="https://www.youtube.com/watch?v=gAZw0fTKdYg" class="uri">https://www.youtube.com/watch?v=gAZw0fTKdYg</a></p> <p>this was tested on windows in the lenovo firmware, but it will be possible to use this in coreboot with linux/bsd</p> <p>todo: test it. need to actually solder it and test it.</p> <div class="h"><h1 id="disable-me-device-in-devicetree">Disable ME device in devicetree</h1><a aria-hidden="true" href="#disable-me-device-in-devicetree">[link]</a></div> <p>We neutered, but coreboot still enables MEI1 on many boards.</p> <p>Look in devicetrees within coreboot, and see:</p> <pre><code> device ref mei1 on end device ref mei2 off end device ref me_ide_r off end device ref me_kt off end</code></pre> <p>Example taken from lenovo/x230. We could just turn all of these off. It doesn’t affect anything in practise, whether this is on or not, because we neuter anyway, so the ME interface is broken by default. Leaving it on in devicetree will result in a benign error message on linux dmesg.</p> <div class="h"><h1 id="switchable-graphics-optimus">Switchable Graphics (Optimus)</h1><a aria-hidden="true" href="#switchable-graphics-optimus">[link]</a></div> <p>Some of the Thinkpads we support have dual graphics, using Nvidia Optimus. It’d be nice to have. This coreboot patch enables it on Thinkpads:</p> <p><a href="https://review.coreboot.org/c/coreboot/+/28380" class="uri">https://review.coreboot.org/c/coreboot/+/28380</a></p> <p>There are other patches on Gerit, related to Optimus too:</p> <p><a href="https://review.coreboot.org/q/Optimus" class="uri">https://review.coreboot.org/q/Optimus</a></p> <p>This should be looked into.</p> <div class="h"><h1 id="overclocking-cpu-and-ram">Overclocking (CPU and RAM)</h1><a aria-hidden="true" href="#overclocking-cpu-and-ram">[link]</a></div> <p>Coreboot could be modified to support overclocking. Here is an example patch on gerrit (not merged in main):</p> <p><a href="https://review.coreboot.org/c/coreboot/+/42547" class="uri">https://review.coreboot.org/c/coreboot/+/42547</a></p> <p>Coreboot can also be used to load custom SPDs for the RAM if you want to get into re-binning (as it’s called. Thank you Riku for telling me that this is what it’s actually called). Useful if you want to quickly test.</p> <p>Libreboot is starting to support machines where some users may want to start overclocking their CPU/GPU/RAM.</p> <p>As for GPU overclocking: usually there are programs you can run for this in your operating system, but sometimes on laptops with dgpu, the VGA ROM might limit it in some way.</p> <p>This article is from someone who modified the VGA ROM on their AMD Radeon graphics chip, in a laptop: <a href="https://habr.com/en/articles/232265/?_x_tr_hist=true" class="uri">https://habr.com/en/articles/232265/?_x_tr_hist=true</a> - it is an example of the sort of thing lbmk could automate, when auto-downloading those VGA ROMs, on certain machines. NOTE: Page is in Russian, use a translator.</p> <p>The type of people (enthusiasts) that like Libreboot would be into this sort of thing. It may be interesting to study, especially on haswell machines.</p> <div class="h"><h2 id="haswell">Haswell</h2><a aria-hidden="true" href="#haswell">[link]</a></div> <p><a href="https://www.youtube.com/watch?v=vCZiTSZutR4" class="uri">https://www.youtube.com/watch?v=vCZiTSZutR4</a></p> <p>interesting video on alienware laptop (haswell), and there are other examples. those machines, whether they get ported to coreboot or not, could be used to study what affect those options have: take dumps of hardware logs using various utils, before and after, to study what change those settings actually makes. this could reverse engineered to then add those options in coreboot.</p> <p>haswell overclocking would be very useful to have, on libreboot machines, because you can get some still-very-nice CPUs for these machines.</p> <div class="h"><h1 id="x60t60-alloc-magic-is-broken-at-0x7b1aedf0-0">X60/T60 alloc magic is broken at 0x7b1aedf0: 0</h1><a aria-hidden="true" href="#x60t60-alloc-magic-is-broken-at-0x7b1aedf0-0">[link]</a></div> <p>See: <a href="https://codeberg.org/libreboot/lbmk/issues/179" class="uri">https://codeberg.org/libreboot/lbmk/issues/179</a></p> <p>Reported on T60. Another user reported on X60. Happened when booting from battery. On the X60 reported, booting with charger connected worked, but this GRUB error is produced when booting on battery.</p> <p>Happens in 20240126 and 20240225. Does not happen in 20230625.</p> <p>A bisect is indicated; possibly in GRUB, but if nothing is found there, then the bug will be in coreboot. Could be either of them.</p> <p>Could be a bug in GRUB’s memory management. And/or regression in coreboot raminit. More testing is needed.</p> <p>NOTE: May 2024 release is using coreboot from 20230625 on these laptops (i945) to work around the issue, but it’ll possibly be fixed before that release, otherwise afterward.</p> <div class="h"><h1 id="intelamd-errata-pdf">Intel/AMD errata PDF</h1><a aria-hidden="true" href="#intelamd-errata-pdf">[link]</a></div> <p>List PDF links for Intel/AMD CPUs, provided by Intel/AMD, showing what is unpatched as of yet, in microcode updates.</p> <p><a href="https://www.intel.com/content/www/us/en/products/docs/processors/core/core-technical-resources.html" class="uri">https://www.intel.com/content/www/us/en/products/docs/processors/core/core-technical-resources.html</a></p> <p><a href="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20230808" class="uri">https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20230808</a></p> <p>Links.</p> <div class="h"><h1 id="interesting-video">interesting video</h1><a aria-hidden="true" href="#interesting-video">[link]</a></div> <p><a href="https://www.youtube.com/watch?v=5qauRh7eTNY" class="uri">https://www.youtube.com/watch?v=5qauRh7eTNY</a></p> <div class="h"><h1 id="automate-testing">Automate testing</h1><a aria-hidden="true" href="#automate-testing">[link]</a></div> <p>Even though there’s lots of error handling, it’s better to be paranoid than brick users’ machines.</p> <div class="h"><h2 id="unit-tests">Unit tests</h2><a aria-hidden="true" href="#unit-tests">[link]</a></div> <ul> <li>Build time or separate?</li> <li>me_cleaner -c: checks that ime was inserted and has valid signatures</li> </ul> <div class="h"><h2 id="ci">CI</h2><a aria-hidden="true" href="#ci">[link]</a></div> <p>Preferably self-hosted. Run tests for every commit. There could be tests of different size, and even a periodic nightly release could be done.</p> <p>Integrating this with an automated test stand would also be doable. At the very least, it would assure that the ROM images boot successfully.</p> <div class="h"><h1 id="board-status">Board status</h1><a aria-hidden="true" href="#board-status">[link]</a></div> <p>As the number of ports grows, it becomes harder to keep track of what works. Let’s build a machine-readable repo documenting every release (or commit) on every board. What features/payloads work, maybe include errata text field. A HTML report could also be generated and published online.</p> <p>On top of this, an easy to use installer could be developed. It would know to not install an unbootable (broken) ROM, and would inform users about any known problems and have meaningful options.</p> <div class="h"><h1 id="haswell-board-bifircation">haswell board bifircation</h1><a aria-hidden="true" href="#haswell-board-bifircation">[link]</a></div> <p><a href="https://www.mouser.com/pdfDocs/4th-gen-core-family-desktop-vol-1-datasheet.pdf" class="uri">https://www.mouser.com/pdfDocs/4th-gen-core-family-desktop-vol-1-datasheet.pdf</a></p> <p>page 89</p> <p>also</p> <p><a href="https://winraid.level1techs.com/t/bios-mod-to-enable-pcie-bifurcation/31547" class="uri">https://winraid.level1techs.com/t/bios-mod-to-enable-pcie-bifurcation/31547</a></p> <div class="h"><h1 id="ec-hacking-on-lenovo-x230">ec hacking on lenovo x230</h1><a aria-hidden="true" href="#ec-hacking-on-lenovo-x230">[link]</a></div> <p><a href="https://zmatt.net/unlocking-my-lenovo-laptop-part-2/" class="uri">https://zmatt.net/unlocking-my-lenovo-laptop-part-2/</a></p> <div class="h"><h1 id="dell-7th-gen">DELL 7th gen</h1><a aria-hidden="true" href="#dell-7th-gen">[link]</a></div> <p>3050 micro is being worked on.</p> <p>3050 sff and mt are TODO</p> <p>5050 models also.</p> <div class="h"><h1 id="dell-3020">Dell 3020</h1><a aria-hidden="true" href="#dell-3020">[link]</a></div> <p>another haswell. different to 9020, but could be added.</p> <div class="h"><h1 id="dell-3050-micro-century-byte">Dell 3050 Micro century byte</h1><a aria-hidden="true" href="#dell-3050-micro-century-byte">[link]</a></div> <p>The <code>CONFIG_USE_LEGACY_8254_TIMER</code> and <code>CONFIG_USE_PC_CMOS_ALTCENTURY</code> options must both be enabled. Discovered in patch <code>d1743d1f64720801146b162c01568ca0023dfb00</code> of lbmk; look at that revision and the next one after it, revision <code>237fa1e3c18365794bf5bf525df99a460c821192</code>.</p> <p>As of that revision, SeaBIOS works normally, on Dell OptiPlex 3050 Micro. It was hanging. Look at the patches about 10 revisions before then, from when the 3050 was first added to lbmk. I made, at that time, a bunch of changes to match upstream as closely as possible, until fixing it in the above revisions.</p> <p>While SeaBIOS does indeed now work perfectly on this machine, I still don’t know why it was broken before. We have our smoking gun, but now what needs to happen is for this bug to be re-introduced, using the above information as reference.</p> <p>Then, follow SeaBIOS execution with serial debug, possibly inserting print statements into parts of the SeaBIOS source code. This would be desirable, so that SeaBIOS can be used with the above two options turned off.</p> <p>When debugging the issue, I initially tried many things. The issue was not to do with the SeaBIOS revision, though I also changed that to the one used by coreboot at the time, instead of the slightly newer one that lbmk was using; I even directly used coreboot’s own SeaBIOS build, instead of lbmk’s. Weirdly, I did also try with the legacy 8254 timer enabled, but without enabling the alt century byte option; when disabling the latter, relative to the above commit, that’s what broke SeaBIOS again.</p> <p>For now, Libreboot will leave these options enabled, but this is not desirable.</p> <div id="footer"> <hr /> <ul> <li><a href="/news/policy.html">Binary Blob Reduction Policy</a></li> <li><a href="/freedom-status.html">Freedom status</a></li> <li><a href="/git.html">Edit this page</a></li> <li><a href="/who.html">Who develops Libreboot?</a></li> <li><a href="/license.html">License</a></li> <li><a href="/template-license.html">Template</a></li> <li><a href="/logo-license.html">Logo</a></li> <li><a href="/contrib.html">Authors</a></li> </ul> <hr /> </div> <p>Markdown file for this page: <a href="https://libreboot.org/tasks/index.md" class="uri">https://libreboot.org/tasks/index.md</a></p> <p><a href="/feed.xml">Subscribe to RSS for this site</a></p> <p><a href="/sitemap.html">Site map</a></p> <p>This HTML page was generated by the <a href="https://untitled.vimuser.org/">Untitled Static Site Generator</a>.</p> </div> </div> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10