linuxboot / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
https://osresearch.net/
GNU General Public License v2.0

How could I flash Heads using 1vyrain? #1049

Closed h4xor666 closed 2 years ago

h4xor666 commented 2 years ago

Hey there folks, great work on this project! Big fan. Quick question though - I have built both the t430-flash and the normal t430 roms for my T430 successfully. Unfortunately, this T430 is in pretty bad shape already, and I'm worried that if I take it apart to physically flash it, components will break.

So, my question is, is it possible to just flash Heads using the option in 1vyrain to flash an alternate BIOS (e.g. Skulls, etc.)? If so, how would I do it? Would I flash the 4MB t430-flash file and then flash the 8MB file like normal? Or would I have to cat them together or something? I am a dumb person, pls don't be mad at me haha I just don't wanna brick my laptop again.

tlaurion commented 2 years ago

@h4xor666 You can see the future of non maximized boards at #1015.

I would not personally recommend going the path of non neutering the t430 and keeping in a locked state the IFD and non neutering ME. This gives 3MiB of additional space to the firmware, which is not accessible without external initial flashing, which takes freed ME space and gives it back to available space for firmware, which otherwise would not be possible.

Non neutered (non maximized boards) means, for x230 and t430, less pretty GUI and a predicted loss of functionalities over time (dropbear and FBWhiptail are not available anymore for non maximized boards already as a compromise for upgradability, including cryptsetup2 and VBT required to go the QubesOS 4.1 route and newer OSes compatibility out of the box). More detail in the PR linked which is gonna be merged soon.

T430 owners have the possibility of upgrading CPU at the same time of opening the laptop to have 4 CPUs instead of 2, which QubesOS would deactivate for security purposes otherwise (hyperthreading is not welcome anymore). Not sure about your situation, but opening the case and flashing one time externally would give you more upgrading future lifetime if you intend to use heads over time, even more if you go the HOTP way, that is, having external and automatic validation of your firmware state through Librem key or Nitrokey pro/Storage.

Going 1vyrain might be tempting at first, but going that path is in my opinion just delaying an external initial flashing, since you can only take advantage of 7.5MiB space for firmware, where going external flashing will give you 11.5MiB which was the whole goal behind the maximized boards efforts. And permit you to flash the whole 12MiB combined SPI flash internally in the future, while measured boot is enforced from coreboot.

Questions welcome after having read #1015 content.

h4xor666 commented 2 years ago

I appreciate it! I agree with you, I think I probably will flash it externally eventually. For now, however, just to test it out or for shoots and giggles - which ROM would I build to be able to flash it internally? I did read the PR, but I'm still worried I'm gonna brick my laptop again. I just would like to know which ROM I need to build to flash it internally (for now, at least). Pls :(

tlaurion commented 2 years ago

For now there is no board named t430-hotp-verification, which would be what you would like to flash internally after using 1vyrain to flash t430-flash (4mb flash image). The same applies to t430 boards, flashed externally with t430-flash to flash internally only the BIOS region of SPI (combined 7.5mb available space without neutering ME and using freed space of ME region to maximize BIOS region to 11.5Mb, which is defined both into maximized coreboot's config CBFS region and IFD. This is why IFD and ME regions of SPI flash need to be unlocked so that Heads can flash the whole combined 12Mb SPI flash internally: which is why those boards are called maximized boards).

Otherwise, for the lifetime of that machine without being externally reflashed, only 7.5Mb is made available to BIOS region. Non-Maximized boards are specifying to flashrom, through board configuration, to only touch the BIOS region. This means space constraints for what can be put into the BIOS, which is once again what maximized boards are addressing. As a sidenote, once again specified into the blobs//README and board configuration, the GBE blob is generated and contains a static Ethernet MAC address being DE:AD:C0:FF:EE. This means, once again, that the user needs to generate MAC addresses from the OS level prior to using Ethernet. This can be configured into NetworkManager. Otherwise, the user can compile ROMs of their own, with an extracted original GBE blob of their original ROM. What is present under local blobs//gbe.bin will be reused on subsequent local builds. Downloading baked ROMs through CircleCI will contain the generated GBE blob with the static MAC address and will eventually produce complete reproducible ROMs again, when #1008 is reproducible again.

I do not own a t430, where @jans23 @alex-nitrokey may be interested to follow that path and create and test with real hardware.

h4xor666 commented 2 years ago

I guess I'll just have to flash it externally for now, then. Thanks so much, boss, I appreciate it.

tlaurion commented 2 years ago

@h4xor666 updated https://github.com/osresearch/heads/issues/1049#issuecomment-954347194 with more explanation. This 1vyrain/skulls-> Heads internal upgrade path will need to be documented into #1015.

Adding a note for t430-hotp-verification board missing out.

tlaurion commented 2 years ago

@h4xor666 you can read https://github.com/osresearch/heads/pull/1015#issuecomment-954977109

t430-hotp-verification was added in #1015 and is now building with fixes that were needed to be able to use gui-init boot path without FBWhiptail.

You should still be ready to reflash externally in case of brick. I have not tested 1vyrain myself.

But flashing t430-flash from 1vyrain, then t430-hotp-verification (if you have a HOTP supporting device like Librem Key or Nitrokey Storage or Nitrokey Pro2, this should work. Note that flashing t430 is to be chosen if not having a HOTP supported USB Security dongle.)

h4xor666 commented 2 years ago

So I should, with that PR, do make BOARD=t430-flash, flash that with 1vyrain, and then do make BOARD=t430 (I don't have an HOTP supporting device) and flash that from the t430-flash? Just want to clarify, I'm not fully understanding.

tlaurion commented 2 years ago

Exactly, while waiting for someone having an external reprogrammer to confirm it is working, which is asked under #1015 namely from Nitrokey people let it be @nitro-simon @jan23 or others defined under main pinned issue for collaborators and board owners. X230 and T430 are really similar but not the same. My take here is best effort, not owning a t430.

h4xor666 commented 2 years ago

Gotcha. I have an external programmer, so I can try it out tonight.

tlaurion commented 2 years ago

I keep repeating myself in all opening tickets where all is under #1015 but dropped documentation. By flashing through 1vyrain, you would lose 3.5 mb of bios space, reducing your experience to what I call legacy boards. If you backup your two SPI flash and go t430-maximized instead of flashing t430-flash through 1vyrain, and then from there t430, you could flash t430-maximized board artifacts, both being bottom.ROM and top.ROM images and install Q4.1 from there. Please read #1015 and question documentation needs from there.

1vyrain is made to deactivate, not neuter, ME. It cannot and won't unlock IFD nor take advantage of ME neutered space.

If you have an external reprogrammer, you should flash the maximized ROMs produced for your board. If you use WiFi and QubesOS 4.1 you will get randomized MAC address by default. Concern is if you use Ethernet and then randomize your MAC address yourself from OS. Let it be QubesOS 4.0 or any other OS to protect your privacy while having a fully open source firmware. Outside of that, that is your choice.

Edit: said x230 instead of t430 here. Multiple people are asking basically the same questions which are for my understanding explained under #1015.

tlaurion commented 2 years ago

@h4xor666 please comment/review https://github.com/osresearch/heads-wiki/pull/82/files?short_path=529f311#diff-529f311e8716c83389f3e386ff6b8e9a90113d07f137321554820739e2a7b81c

tlaurion commented 2 years ago

@h4xor666 : success?

Have you gone the 1vyrain to t430-flash to t430 or you went directly with being t430-maximized externally flashed through top and bottom images?

Test reports are important into #1015! Thanks!

tlaurion commented 2 years ago

And your report from 1vyrain to t430-flash to t430 internal flash would also be more than welcome.

h4xor666 commented 2 years ago

Sorry - I ended up not using Heads. All the best to you.