There are several ways to lock the flash. Two are "permanent":
* Flash descriptor permission bits in the IFD
* SPI flash chip non-volatile Block Protect Bits and grounding the !WP pin
The IFD in the image that you're going to flash can be modified with ifdtool.
I'm not sure of the best way to se
On July 3, 2018 5:23 AM, Toan Le manh wrote:
> I'm facing the Status EFI_ACCESS_DENIED when using gRT->SetVariable() method.
>
> There is no description of this returned status for SetVariable() in the UEFI
> spec.
It looks like the SmmVariableHandler can return EFI_ACCESS_DENIED, even though
it
I just noticed that ifdtool doesn't work correctly if the layout and
density are changed simultaneously:
% ./coreboot-4.6/util/ifdtool/ifdtool -n /tmp/layout.txt -D 16 /tmp/test.rom
File /tmp/test.rom is 8388608 bytes
The image has changed in size.
The old image is 8388608 bytes.
The new image is
On Tue, Apr 03, 2018 at 06:32:07PM +0300, Kyösti Mälkki wrote:
> [...]
> > I'm dealing with an early bring-up problem on a modern architecture without
> > serial ports and wondering if that would be a good way to debug it.
>
> Probably M.2 is not very useful for you... try to look for LPC
> signals, some
How soon after reset are port 0x80 messages available on a MiniPCIe
attached POST card? And would the POST card be expected to work with
an M.2 to MiniPCIe adapter? How is the ISA bus' I/O address space mapped
to PCIe devices?
I'm dealing with an early bring-up problem on a modern architecture without
When cross compiling inteltool with musl-libc the header
is not included due to this test in inteltool.h:
#if defined(__GLIBC__)
#include
#endif
Unfortunately I'm not sure what the right test is here, since
the musl libc team is opposed to having a __MUSL__ define:
http://openwall.com/lists/mu
On Tue, Jan 16, 2018 at 07:29:18PM +0100, Carl-Daniel Hailfinger wrote:
> [...]
> At 34C3 I was told by someone that a major vendor has been shipping
> servers with coreboot without announcing this, and I unfortunately
> neither remember the server model nor who told me about this.
Hi, Carl-Daniel
Which of the LLNL clusters used LinuxBIOS? This page doesn't
mention it:
https://computing.llnl.gov/tutorials/linux_clusters/
Based on the LinuxNetworx slides, I know that MCR did and reached
#3 on the top500. Did any of the others?
--
Trammell
--
coreboot mailing list: coreboot@coreboot.o
On Sat, Oct 28, 2017 at 01:27:17PM +, ron minnich wrote:
> 2005, los alamos, a talk on EFI I had forgotten I had done.
> https://www.coreboot.org/images/d/d1/Openefi.pdf
> relevant to the current era.
I believe you could give that talk today with almost zero changes...
Jethro Beekman's efiper
On Wed, Oct 18, 2017 at 07:27:50PM -0400, [799] via coreboot wrote:
> I like that idea, I think I'll just choose a cheap one and in case it
> breaks I just use another one.
I've tried the really cheap ones and found that they do not work very
well at all. Even brand new this one required wiggling
On Wed, Oct 18, 2017 at 03:22:44PM +, Peter Stuge wrote:
> [...]
> I usually wire a small pin header to the flash chip on mainboards
> that I want to do development on.
Check out the Lenovo X3550-M5 mainboard:
https://www.flickr.com/photos/osr/37497785771/in/photostream/lightbox/
ZIF socket
On Wed, Oct 18, 2017 at 12:35:11PM +, Peter Stuge wrote:
> [...]
> These clips are test tools for occasional use, not development tools.
Do you have a recommendation on better clips? The Pomona seems to last
for a few months due to my above average number of clips. The 3M
is much worse and th
On Tue, Oct 10, 2017 at 02:44:02PM +, ron minnich wrote:
> [0.376881] ACPI Error: Hardware did not enter ACPI mode
> (20160831/evxfevnt-113)
>
> is this the step where it tries to do an outb to 0xb2 to tell smm we are
> taking over?
Yes, it looks like it is attempting to write to 0xB2:
On Mon, Oct 09, 2017 at 07:55:34PM -0700, Julius Werner wrote:
> My gut feeling would be to blame ACPI. The Linux patch is about
> caching a host controller register in the kernel, and in some cases
> (e.g. ehci_reset()), the patch re-reads the cached version from the
> hardware whereas the previou
On Mon, Oct 09, 2017 at 12:58:25PM +0300, Аладышев Константин wrote:
> I try to port coreboot on boards with Haswell CPU and Lynxpoint LP chipset
> (IBASE IB908AF-4650 board, DFI HU968) and I've encountered a strange
> problem. USB devices stop working shortly after OS boot (or after USB device
> r
On Mon, Oct 02, 2017 at 05:02:40PM -0700, Vadim Bendebury wrote:
> note that this debug header is going away in new Chrome OS designs. Its
> functionality is going to be provided by the closed case debugging (aka
> CCD) facility, where authorized user using a special debug cable can gain
> access t
A minor installation improvement that I've found is to rearrange
the Linux kernel command line to be the last segment in the payload.
This allows me to tweak boot time parameters without having to
re-write the entire kernel and initrd in the flash.
Is there a current or historical reason for the order
On Tue, Aug 01, 2017 at 06:47:18PM +0200, Nico Huber wrote:
> On 01.08.2017 12:13, Nico Rikken wrote:
> > Is anybody of the Coreboot community going to the SHA hacker camp the
> > coming weekend? [...]
>
> I'll be there. Though, haven't organized anything but a train ticket
> yet. You can ping me
On Tue, Aug 01, 2017 at 02:49:27PM +, Peter Stuge wrote:
> Philipp Stanner wrote:
> [...]
> > * Why does every modern CPU still start in RM?
>
> Many industries run on DOS. Many system developers have created
> in-house BIOS extensions. x86 will never fully lose its 16-bit legacy.
And, just t
Yuriy Bulygin and Oleksandr Bazhaniuk's coreboot presentation at REcon
Montreal 2017:
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-DiggingIntoTheCoreOfBoot.pdf
They recap the MMIO BAR issue (previously disclosed at REcon Brussels),
and identified two new vulnerabilities (handlin
When I have my coreboot payload Linux kernel setup a console framebuffer
and then kexec into Xen + another kernel, the video glitches out quite
a bit before falling back to text mode. The kexec --reset-vga option
doesn't seem to have any effect.
I read in the docs that kexec and framebuffers don'
You can reduce the window of time that the flash is writable by setting
the PRR registers and FLOCKDN bits before moving out of the bootblock --
this prevents even SMM from being able to write to the protected regions of
the flash. If someone can get code execution in the bootblock or
during S3 re
On Thu, May 11, 2017 at 9:56 AM, Trammell Hudson wrote:
> Unlike the few startup ACM images that I've looked at have the same
> public key for their signature, despite being on very different
> CPU models and from different IBV.
On Thu, May 11, 2017 at 10:30:48AM -0500, Allen Krell
On Thu, May 11, 2017 at 10:08:12PM +0200, Igor Skochinsky wrote:
> TH> On Thu, May 11, 2017 at 10:30:48AM -0500, Allen Krell wrote:
> >> [...] There are multiple keys
> >>
> >> ME - public/private key pair - Fused in by Intel and checked by Intel
> >> silicon - Probably different across models
>
On Thu, May 11, 2017 at 10:30:48AM -0500, Allen Krell wrote:
> [...] There are multiple keys
>
> ME - public/private key pair - Fused in by Intel and checked by Intel
> silicon - Probably different across models
>
> BIOS_ACM - public/private key pair - Fused in by Intel and checked by Intel
> sili
On Thu, May 11, 2017 at 07:01:47AM -0500, Allen Krell wrote:
> One thing I am still confused about is the relationship between Intel Boot
> Guard and the regions of flash. My understanding is that Boot Guard only
> applies to the legacy BIOS region of flash, not the ME/AMT region.
It seems to be
On Mon, May 08, 2017 at 06:11:52PM -0400, Healer64 via coreboot wrote:
> So the question still remains as to how big the initrd image will be
> assuming it has to have the necessities to mount root on lvm encrypted
> drive. Any idea?
The Heads Linux runtime can mount lvm encrypted drives (along wi
On Mon, May 01, 2017 at 10:44:45PM +, ron minnich wrote:
> On Mon, May 1, 2017 at 1:17 PM Rene Shuster
> > Yes Puri.sm has been debunked.
>
> I disagree. I've seen the systems. From what I can see, Puri.sm has made a
> good faith effort to go as far as possible *with modern x86 chipsets* toward
On Mon, May 01, 2017 at 05:13:10PM +0100, Sam Kuper wrote:
> Has anyone here got a link describing or including the fix, either
> directly from Intel, or from an OEM?
Intel just posted one:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
4 MB was quite limiting and it seemed like an artificial restriction,
especially since all the other machines have larger space available.
Since flashing both chips with an external programmer is a bit of a
pain, there is still a 4 MB version built with just flashrom and the
USB drivers. So you ca
On Wed, Apr 12, 2017 at 08:51:11AM -0600, Trammell Hudson wrote:
> [...]
> On the build host I can use cbfstool to add/extract them from the file,
> but I'm not seeing an easy way to do it on the running machine
> short of 'dd if=/dev/mem' at the correct address.
Which
Is there an easy way for a running payload to extract additional files
from its CBFS image in ROM? I'd like to have a reproducible kernel and
initrd as the primary payload, with user data (and keys) stored in a
separate payload section of the CBFS.
On the build host I can use cbfstool to add/extr
On Sun, Apr 02, 2017 at 09:18:10AM -0700, Todd Weaver wrote:
> [...]
> One of the three reasons we are including TPM in hardware is because of
> your great talk at 33c3 on Heads!
I'm glad to hear that it inspired you to include it!
> But I failed to see that it offered "boot menu type thing"
Cur
On Sat, Apr 01, 2017 at 07:43:40PM +, ron minnich wrote:
> Annnd with the linux payload we're back to linuxbios :-)
It was a good idea in 1999, and it is still a good idea.
> For a payload chooser and such I can offer two options:
> 1) petitboot has a boot menu type thing
> 2) u-root (u-r
As a very belated data point to disabling the ME on the x230, it appears
that it also disables the e1000e wired ethernet. The Linux kernel's
ich8lan.c file reports an error that "No valid NVM bank present" and
won't bring up eth0 if the ME has been flashed with a minimal firmware.
Since the ME sh
I was having a problem with adding compressed initrd images to my Linux
payload with cbfstool. What I noticed is that if I build my initrd.cpio
file and compress/link it into the bzImage via the Linux kernel's
.config file, the kernel starts up just fine and executes out of the
initrd. Likewi
Intel ATR presented "Baring the system: New vulnerabilities in SMM of
coreboot and UEFI based systems" at RECon Brussels last month:
https://recon.cx/2017/brussels/talks/baring_the_system.html
The slides are online now:
http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrus
On Thu, Feb 02, 2017 at 09:10:09PM +0100, Patrick Georgi via coreboot wrote:
> coreboot is normally reproducible:
> https://tests.reproducible-builds.org/coreboot/coreboot.html
Hmm. I must have messed up something in my earlier tests (maybe they
ran without BUILD_TIMELESS=1?). You're right; the r
On Thu, Feb 02, 2017 at 08:55:56PM +0100, Zoran Stojsavljevic wrote:
> > Is there a right way to pass additional compiler flags to the coreboot
> > makefiles? We've been working on making the Heads firmware reproducible
> > and found that the -fdebug-prefix-map option is necessary to deal with
> >
Is there a right way to pass additional compiler flags to the coreboot
makefiles? We've been working on making the Heads firmware reproducible
and found that the -fdebug-prefix-map option is necessary to deal with
different build directories. To make this work with coreboot we ended
passing in en
On Tue, Jan 17, 2017 at 02:24:16PM -0600, Timothy Pearson wrote:
> [...]
> Regarding the BMC work, we're looking to enable a fully libre BMC on the
> KGPE-D16. This is a complex process involving significant reverse
> engineering efforts, writing new kernel drivers for the BMC, etc. With
> the BM
On Mon, Jan 16, 2017 at 04:40:33PM +0100, Denis 'GNUtoo' Carikli wrote:
> [...]
> As I understand from the slides DCI can be activated through:
> - The flash descriptor
> - UEFI
> - The P2SB register
Aren't there two different things being discussed here?
There is DCI, which requires BIOS or firmwa
At 33c3 a question came up about "how can we trust and audit coreboot?"
compared to things like the Intel Firmware Support Package (FSP).
I'm relaying it to the list for discussion.
The FSP is an x86 binary blob that has an init function that writes magic
values to magic registers to bring up the m
On Thu, Jan 05, 2017 at 06:34:42AM -0700, Trammell Hudson wrote:
> When I build coreboot 4.5 from the release sources it is necessary
> to download the coreboot-blobs-4.5.tar.xz file and it looks like there
> might be a dependency now on the 3rdparty/vboot tree as well since
> cbf
When I build coreboot 4.5 from the release sources it is necessary
to download the coreboot-blobs-4.5.tar.xz file and it looks like there
might be a dependency now on the 3rdparty/vboot tree as well since
cbfs.h includes vb2_api.h:
https://github.com/coreboot/coreboot/blob/master/src/commonlib/inc
Is the position on the wiki accurate? It has a warning that makes
it sound like the location has not been set.
On Tue, Dec 27, 2016 at 05:19:28AM +0100, Zaolin wrote:
> Hall 4 (Chaos West Assembly Hackcenter) towards hall 3.
>
>
> On 12/27/2016 05:16 AM, Jonathan Neuschäfer wrote:
> > On Tue, D
Does the coreboot assembly have a location at 33c3 yet? I want to
include a pointer to it in my slides for my talk on Tuesday
On Mon, Dec 12, 2016 at 03:08:53PM -0600, Aaron Durbin via coreboot wrote:
> What about the SSDT? With the patch I think the device is in the SSDT
> -- not DSDT.
Whups, forgot to include it. There is far less change:
--- ./no-tpm/SSDT.dsl 2016-12-12 17:23:51.314355365 -0500
+++ ./yes-tpm/SSDT.
On Mon, Dec 12, 2016 at 01:14:58PM -0600, Aaron Durbin via coreboot wrote:
> Can you provide the iasl -d dumps of before and after for your board?
> I think in one they'll be in SSDT and the other in DSDT. They should
> reside in /sys/firmware/acpi/tables/ that you can copy them and run
> them thr
On Mon, Dec 12, 2016 at 11:37:30AM -0700, Trammell Hudson wrote:
> My x230's TPM has gone missing somewhere between 4.5 and the current head.
> CONFIG_LPC_TPM is still set, but neither coreboot nor the Linux payload
> detects it.
Based on a tip, I reverted this patch:
https://revie
My x230's TPM has gone missing somewhere between 4.5 and the current head.
CONFIG_LPC_TPM is still set, but neither coreboot nor the Linux payload
detects it. Bisecting will take a while since it requires reflashing;
does anyone know where it might have gone?
On Wed, Aug 10, 2016 at 07:03:58AM -0600, Trammell Hudson wrote:
> The Linux 4.7 kernel payload crashes early in the boot process
> with CoreBoot 4.4. [...]
The recently released 4.9 kernel does not require any patches to boot
as coreboot's payload. The diffs in head_64.S appear to
On Thu, Dec 01, 2016 at 11:20:00PM +, ron minnich wrote:
> If people are trying native graphics init I still think it's worth trying
> the SPARK stuff from nico at least once.
I'm intrigued by the use of Ada and excited about applying more
formal methods as well as safer languages to the firmw
On Thu, Dec 01, 2016 at 06:50:13PM +0100, Klemens Nanni wrote:
> On Thu, Dec 01, 2016 at 05:04:36PM +, ron minnich wrote:
> >what's the latest best one? [...]
>
> X230 if you'd ask me: 16G RAM, 12M ROM. runs fine with reduced (830K) ME
You can also retrofit the proper x220 keyboard into the x2
On Thu, Dec 01, 2016 at 01:15:59PM +, Peter Stuge wrote:
> Michael Carbone wrote:
> > I have been attempting to use a raspberry pi for spi flashing and when I
> > use the 3.3v pin the raspberry pi doesn't power up as the chip draws too
> > much power through the 3.3v pin for the raspberry pi to
On Sun, Nov 27, 2016 at 07:30:07PM -0500, Charlotte Plusplus wrote:
> [...]
> With the amount of flash we have, sharing the kernel and initrd doesn't
> seem like a bad idea.
The problem is if a bad kernel or initrd is flashed then there is no
way to recover without hardware intervention. Having a
On Sat, Nov 26, 2016 at 10:46:33PM +, ron minnich wrote:
> [...]
> Every bootloader starts simple, and becomes an OS. Every single one starts
> with the intent of being small and compact and only supporting some needed
> subset of file systems/devices/protocols and ends up implementing
> everyt
On Sun, Nov 20, 2016 at 08:20:51PM +, ron minnich wrote:
> [...]
> There's also no fundamental reason for using the name .config other than
> tradition. We could, for example, create
> build/vendor/mainboard/config and use that.
One minor concern with that placement is that I enjoy the ability
On Sun, Nov 13, 2016 at 03:34:49PM -0500, Charlotte Plusplus wrote:
> With the cross compiling tool chain, coreboot takes 1G. If you are a bit
> short on space, or if you want to save writes to your SSD, instead of
> having multiple copies of the coreboot source folder, I have found out
> overlayfs
On Sun, Nov 20, 2016 at 01:08:30AM +, Peter Stuge wrote:
> [...]
> Given your focus on USB, a Linux payload with custom initramfs is
> especially interesting.
Tobias -- I've been working on building a Linux payload with a focus on
how to integrate with the TPM and other security research. The
inside an official (Lenovo or
> other) bios is very interesting because it extends also to hardware not
> supported by coreboot, and probably to CPUs newer than Ivy Bridge
> (Trammell Hudson tested it on a Skylake mobile CPU
> https://www.coreboot.org/pipermail/coreboot/2016-November/082335
On Fri, Nov 04, 2016 at 09:20:24PM +, Nicola Corna wrote:
> [...]
> * Sandy Bridge accepts an Intel ME firmware with just the FTPR partition,
> both
> with and without a valid FPT (the partition table of the Intel ME image).
> The system doesn't power off after 30 minutes, and the ME
On Wed, Oct 26, 2016 at 03:18:44AM +0200, Arthur Heymans wrote:
> I have been working on building a Petitboot, a kexec bootloader, [0]
> based Linux payload using the Buildroot build system to produce a nice
> bzImage that contains both linux and the initrd. It is inspired by the
> Raptor Enginerin
I'm working with a fairly large Linux payload in my coreboot image
and one of my targets (the x230) has two separate ROM chips. I'd like
to have the top 4 MB SPI flash reserved for coreboot (bootblock,
romstage, ramstage, mrc, etc) and the bottom 8 MB chip just for
Linux.
Most of my changes now a
Does anyone have one of the Thinkpads with Bootguard enabled that
prevented coreboot installation? I'm interested in poking at the full
firmware image (including the ME region) to verify my understanding
of how it is implemented.
On Wed, Oct 12, 2016 at 10:08:38AM -0700, Duncan Laurie wrote:
> I wouldn't read too much into the data in there, it turns out the ME
> release that added this output detail (which we shipped in this device)
> also got it wrong so the data is not reliable.
Interesting. Do you mean the ME firmware
Does anyone have experience with how long the Management Engine's
"Power Down Mitigation" timer is on Skylake? My Chell Chromebook
with modified ME firmware reports this on bootup / S3 resume:
ME: FW Partition Table : BAD
ME: Bringup Loader Failure : YES
ME: Firmware Init Complete : YES
ME
On Mon, Oct 10, 2016 at 09:40:49AM -0600, Trammell Hudson wrote:
> [...]
> I filed an issue on the tracker related to the ramstage problem
> and am trying to debug it with Aaron:
>
> https://ticket.coreboot.org/issues/78
And it appears to be a bug of my own creation...
Earli
When my Skylake system comes out of S3 it fails to resume and ends up
going back through the normal boot path. Console output during resume:
coreboot-4.4-1781-g2fcabb8-heads Wed Oct 5 01:45:23 UTC 2016 ramstage
starting...
FSP_INFO_HEADER not set!
Enumerating buses...
Enabling Common Clock Confi
I've successfully built a coreboot firmware and Linux bootloader payload
for the Chell Chromebook with Skylake, which then kexec's Xen / Qubes
from the eMMC. Both of them are reporting that the IOMMU is not in use,
and there is no DMAR entry in the ACPI table, which I believe is what
they are look
On Thu, Oct 06, 2016 at 11:27:01AM -0700, Duncan Laurie wrote:
> I may be mis-remembering and this might come up as ttyS0 in linux for
> skylake. (it is ttyS2 on apollolake...) Or just use a custom command line
> like console=uart,mmio32,0xd1134000,115200n8
That commandline doesn't produce any o
Is it possible to use the Skylake Servo debug UART in Linux or Xen?
It doesn't show up as a normal 16550 (setserial reports "uart type
unknown"), which is making debugging the payload kernel a little
frustrating.
I've added lots of "outb $0x80" calls to trace the Xen hypervisor and
have figured ou
On Thu, Oct 06, 2016 at 01:33:53AM +0200, Zaolin wrote:
> Could you please submit a bug report at ticket.coreboot.org for that issue.
There seem to be two separate issues (infinite loop in romstage,
fault in relocatable ramstage):
https://ticket.coreboot.org/issues/77
https://ticket.coreboot.org/
On Wed, Oct 05, 2016 at 03:19:11PM -0500, Aaron Durbin wrote:
> On Wed, Oct 5, 2016 at 3:08 PM, Trammell Hudson wrote:
> > CBFS: 'Master Header Locator' located CBFS at [a00100:c0)
> > CBFS: Locating 'fallback/ramstage'
> > CBFS: Found @ offset afc0 si
On Wed, Oct 05, 2016 at 01:59:08PM -0500, Aaron Durbin wrote:
> > Does the car stage code exist somewhere else in the tree?
>
> Try this? [...]
>
> -romstage-$(CONFIG_SEPARATE_VERSTAGE) += romstage_after_verstage.S
> +romstage-y += romstage_after_verstage.S
That works to make it past the romstag
On Skylake with no verstage and FSP 1.1 there is no car_stage_entry
function, only a weak symbol with an infinite loop in
src/arch/x86/assembly_entry.S, and as a result coreboot hangs after
jumping into the romstage.
There is one defined in src/soc/intel/skylake/romstage/car_stage.S,
but this is o
Zoran --
Thanks for your insights on the ME. It's quite a messy bit of HW
and it makes no sense to me why Intel has it shrouded in such secrecy.
There is no reason that I can see for it to be undocumented.
> [...]
> Link to the very useful presentation (I clipped the above figure):
> http://www.
On Mon, Sep 12, 2016 at 09:27:18PM +, Peter Stuge wrote:
> Trammell Hudson wrote:
> > I've experimented with clearing additional bits, from 0x3000 to 0x1
> > with the same results. If I were really motivated I might binary search
> > how much of the firmware it n
On Tue, Sep 13, 2016 at 11:43:08PM +, ron minnich wrote:
> I've been trying to find a problem in linux that makes it not boot when
> used as the payload in the KGPE-D16. The symptom is that I get no output at
> all on serial when linux starts.
That sounds related to the decompression problem t
On Mon, Sep 12, 2016 at 11:58:43AM -0600, Trammell Hudson wrote:
> On Mon, Sep 12, 2016 at 06:13:16PM +, Peter Stuge wrote:
> > > If I just erase the first 4KB of its region (0x3000, starts with "$FPT"),
> > > coreboot boots up fine and reports that "WAR
On Mon, Sep 12, 2016 at 07:11:41PM +, Peter Stuge wrote:
> [...] It would be interesting to find out more about
> the state of the ME in this case. Maybe the cleared section isn't part
> of it's firmware, or maybe it really doesn't care, though that would
> surprise me.
The $FPT has pointers t
On Mon, Sep 12, 2016 at 06:13:16PM +, Peter Stuge wrote:
> > If I just erase the first 4KB of its region (0x3000, starts with "$FPT"),
> > coreboot boots up fine and reports that "WARNING: ME has bad firmware".
> > My Linux payload initializes without any complaints.
>
> Does it stay operation
I'm experimenting with what happens if I remove the ME firmware from
the lower SPI flash chip on my Thinkpad x230. If I just erase the
first 4KB of its region (0x3000, starts with "$FPT"), coreboot boots up
fine and reports that "WARNING: ME has bad firmware". My Linux payload
initializes wi
On Mon, Aug 15, 2016 at 03:54:49PM -0700, Julius Werner wrote:
> I think the answer is that CONFIG_TPM doesn't do anything by itself
> (it just compiles extra libraries that offer functions to access
> TPMs), so there's no point in selecting it directly from menuconfig.
> Any feature that uses the
Is it possible to enable CONFIG_TPM with the current head in git?
On my Lenovo x230, CONFIG_MAINBOARD_HAS_LPC_TPM is selected, as is
CONFIG_LPC_TPM, but there does not appear to be any way to enable
CONFIG_TPM in menuconfig. In order to enable it, I had to change
src/Kconfig to default to y.
With
On Thu, Aug 11, 2016 at 05:00:00PM +0200, Zaolin wrote:
> The whole TPM stack needs to be reworked until it can be used for a
> measured boot.
Is it necessary to import the entire complexity of TSS for the measured
boot task of hashing the various components? Once the Linux payload
starts up it can
I'd like to add a tlcl_measure() function to hash a region of code
and extend a PCR with the result. I see that the Chromebook systems use
a verstage that links in src/lib/tlcl.c and there are sha1 functions in
3rdparty/chromeec/common/sha1.c, but neither of these are available from
the romstage o
The Linux 4.7 kernel payload crashes early in the boot process
with CoreBoot 4.4. I traced it to these instructions that are
finding a safe spot to decompress the rest of the kernel and
patched around it with a hard coded location:
diff -u --recursive
/home/hudson/build/clean/linux-4.7/arch/x86
It looks like the util/crossgcc/buildgcc script disables HTTPS cert
checks and doesn't have a way to verify the signatures or hashes of the
files that it receives.
download_showing_percentage() {
url=$1
printf " ..${red} 0%%"
wget --no-check-certificate $url 2>&1 | while r
On Thu, Jul 28, 2016 at 10:04:56PM +0200, Stefan Reinauer wrote:
> * Trammell Hudson [160727 13:58]:
> > It looks like 4.4 is adding the initrd as a separate section
> > named "(empty)" with type "null" and the kernel can't find it:
>
> (empty) is i
I see a difference in the way 4.4 handles initrd images for linux
payloads versus the way it is done in head. With 4.4 my Linux
kernel can not find the external initrd, so it is necessary to
build it as part of the kernel. With head it works fine.
It looks like 4.4 is adding the initrd as a sepa
On Tue, Jul 26, 2016 at 02:48:42PM -0400, Ward Vandewege wrote:
> Oh, wow, thank you! Sorry that I didn't spend time tracking that down
> properly back in 2008. I'd be interested to know if Xen takes the patch.
Thank *you* for isolating it to the change between 3.1.0 and 3.1.3 so
many years ago.
On Tue, Jul 26, 2016 at 09:37:20AM -0600, Trammell Hudson wrote:
> [...]
> Unfortunately 3.1.3 is ancient; I'm going to build the more modern
> Xen 4.6.x to see if I can repeat these fixes to boot into Qubes.
This required a few more hacks, but it works now. The problem is not
with
On Mon, Jul 25, 2016 at 03:56:22PM -0600, Trammell Hudson wrote:
> # There seems to be a regression with regard to kexec'ing into
> # a Xen kernel between Xen 3.1.0 (confirmed working) and 3.1.3
> # (confirmed not working).
I was able to reproduce this in qemu, which allowed me to
On Mon, Jul 25, 2016 at 01:27:22PM -0600, Trammell Hudson wrote:
> I did find this note from 2008 that mentioned a similar
> issue regarding xen, kexec and coreboot:
>
> http://ward.vandewege.net/blog/2008/08/kexecing-into-a-xen-kernel/
Following the links to the xen-devel mailing l
On Mon, Jul 25, 2016 at 05:30:07PM +, ron minnich wrote:
> [...] I'm starting to worry about my toolchain.
My build machine is a stock Ubuntu 15.10:
diamond:~/build/coreboot: gcc -v -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target
On Mon, Jul 25, 2016 at 02:42:11PM +0200, Zoran Stojsavljevic wrote:
> [...]
> *Probably some module required for your baremetal fedora is missing
> in initramfs. First of all, remove "quiet" option to receive more
> details. If that's about missing module, you can regenerate initramfs:
The system
I've successfully built a 4.6.4 Linux kernel payload for CoreBoot and
flashed it onto the top 4 MB of the boot ROM on my Thinkpad x230.
The runtime is a dynamic linked busybox with glibc, as well as a copy
of the kexec binary from my Ubuntu laptop.
kexec of a xen kernel (multiboot-x86) results in
On Sun, Jul 24, 2016 at 06:42:42PM +, ron minnich wrote:
> [...] I'm hitting one problem: I need to get a working
> 4.7.0 kernel as a payload. I have a 3.18 working fine, as
> payload, but the 4.7.0 never puts out any serial output.
> If you have a 4.x.+ kernel config that works as a payload,
On Sat, Jul 23, 2016 at 08:27:17PM +, ron minnich wrote:
> I'm assuming this is native graphics? That's sometimes a sign that the
> graphics hardware can't get to memory for an image, either due to the page
> remapping on the graphics hardware being wrong or maybe BME is not set on
> the device