SpookySkeletons / Coreboot_8770w

Fresh firmware builds for world's best laptop!
GNU General Public License v2.0

GRUB2 payload #1

Open savchenko opened 4 years ago

savchenko commented 4 years ago

Thank you for publishing this. Do you think it would be possible to build Coreboot for 8770w with the GRUB2 payload (alternatively, SeaBios → GRUB2) and use the latter as the replacement for UEFI Secure Boot?

General idea:

  1. Coreboot is written to the flash with a locked descriptor to prevent future software flashing. Alternatively, the Winbond spec sheet is studied for the possibility of de-soldering one of the legs to achieve the same result.
  2. SeaBIOS behaves as the "root of trust", as it can't be easily manipulated by software.
  3. SeaBIOS loads GRUB2, which prompts the user for a password to unlock the LUKS-encrypted /dev/whatever.
  4. Once /boot is decrypted, the Linux distribution continues to load normally. Only caveat: the user will need to enter the FDE password a second time.

I have a similar setup on the "librebooted" x200, the only difference being that SeaBIOS is not required.

SpookySkeletons commented 4 years ago

I could very well ship a locked descriptor but the issue here is that you can't perform any subsequent flashes of the read only segments internally so updates become an issue. The Linux kernel already prevents internal write access unless iomem=relaxed in your kernel cmd.

Could very well do seabios versions. A little annoyed that Tianocore can't load secondaries. I believe I saw somewhere that you can build tianocore with seabios CSM which would be ideal for my purposes.

I'd need a grub config file to boot from if you have one handy or I could borrow libreboot's config file. I am not sure if the grub payload will work with this laptop but I have an external flashing hole drilled so can test.

savchenko commented 4 years ago

> I could very well ship a locked descriptor but the issue here is that you can't perform any subsequent flashes of the read only segments internally so updates become an issue.

Well, "no software flashes possible" is kind of the point of this exercise... However, on second thought, the user is likely to configure grub.cfg etc. and then re-flash once satisfied with the result.

> Could very well do seabios versions.

Would be grand. Happy to assist with testing if need be.

> I'd need a grub config file to boot from if you have one handy or I could borrow libreboot's config file.

Here is what I use as the default entry:

```
# GRUB payload config, embedded in the memdisk inside the coreboot image.
set prefix=(memdisk)/boot/grub

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci

# Serial and keyboard configuration, very important.
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append serial
terminal_output --append serial
terminal_input --append at_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

# Default to first option, automatically boot after 3 seconds
set default="0"
set timeout=3

set pager=1
keymap usqwerty

color_normal=light-gray/black
menu_color_normal=light-gray/dark-gray
menu_color_highlight=white/dark-gray

# Lock the menu: only MY_USER (authenticated via the PBKDF2 hash produced by
# grub-mkpasswd-pbkdf2) may edit entries or use the command line.
set superusers="MY_USER"
password_pbkdf2 MY_USER grub.pbkdf2.sha512.90000.LONG_HASH

menuentry 'Normal' {
    # Unlock the LUKS container by UUID (prompts for the passphrase), then
    # boot from the LVM volume inside it.
    cryptomount -u MY_DRIVE_UUID
    set root='lvm/ssd-rootvol'
    linux /vmlinuz root=/dev/mapper/ssd-rootvol cryptdevice=/dev/mapper/ssd-rootvol:root
    initrd /initrd.img
}

# If things went terribly wrong...
menuentry 'Backup' {
    set root='(cbfsdisk)'
    configfile /grubtest.cfg
}
```

grubtest.cfg from the above is the default config from the Libreboot repository: https://github.com/hankbao/libreboot/blob/107cdec81a45e087cea555dbd50f304fad1b27cc/projects/grub/install/corebootfb/grub.cfg
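The `password_pbkdf2` line in the config above is what stops someone at the keyboard from editing the menu entry or dropping to the GRUB shell before `cryptomount` runs, so it is worth understanding exactly what that `grub.pbkdf2.sha512.90000.LONG_HASH` string contains. The following is an added example, not code from this repository or from GRUB: it produces a hash in the same format `grub-mkpasswd-pbkdf2` prints (PBKDF2-HMAC-SHA512, iteration count, hex salt, hex digest) and verifies a candidate password against it the way GRUB does at the prompt. The password, user name and the 64-byte default salt length are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example (not the project's own code). GRUB's stored format is:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<digest hex>
PREFIX = "grub.pbkdf2.sha512"


def make_grub_pbkdf2(password, iterations=10000, salt=None):
    """Return a GRUB-style PBKDF2-SHA512 hash string for `password`.

    Defaults mirror grub-mkpasswd-pbkdf2: 10000 rounds, a 64-byte random
    salt and a 64-byte derived key. The thread's config uses 90000 rounds.
    """
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=64
    )
    return "%s.%d.%s.%s" % (
        PREFIX, iterations, salt.hex().upper(), digest.hex().upper()
    )


def check_grub_pbkdf2(password, stored):
    """Verify `password` against a stored GRUB hash string.

    Re-derives the key with the iteration count and salt embedded in the
    string and compares in constant time. Malformed strings never verify.
    """
    parts = stored.split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != PREFIX:
        return False
    try:
        iterations = int(parts[3])
        salt = bytes.fromhex(parts[4])
        expected = bytes.fromhex(parts[5])
    except ValueError:
        return False
    if iterations < 1 or not salt or not expected:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(digest, expected)


def password_line(user, stored):
    """Render the line that goes into grub.cfg after `set superusers`."""
    return "password_pbkdf2 %s %s" % (user, stored)


if __name__ == "__main__":
    # Hypothetical credentials, constructed for the demo.
    h = make_grub_pbkdf2("correct horse battery", iterations=90000)
    print(password_line("MY_USER", h))
    print("right password:", check_grub_pbkdf2("correct horse battery", h))
    print("wrong password:", check_grub_pbkdf2("wrong", h))
```

A high iteration count is the only knob here; the hash lives in a config that is readable by anyone who can dump the flash, so its job is to make offline guessing expensive, not to keep the string secret. Note that this only gates the GRUB menu itself; the LUKS passphrase requested by `cryptomount` is an independent secret.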