linuxboot / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
https://osresearch.net/
GNU General Public License v2.0

Integrate T440p Support from Osboot #1133

Closed shmalebx9 closed 1 year ago

shmalebx9 commented 2 years ago

I saw that a few others are interested in heads for the t440p #975 and so I thought I should let you know that I recently added this board to osboot. I wrote the infrastructure for blob extraction on osboot largely inspired by what I saw on heads, so I thought I'd let you know about my work over there as a thank-you. The only available download for the me (9.1) is listed in our blobs sources. That ME isn't compatible with the ifd you'd get from a donor board. I created my own ifd by modifying one from a donor board, and you can find it in our source here. That ifd will work with a truncated+relocated ME.

I also saw that there was a worry over the mrc blob for this board. On osboot, we forked a version of coreboot mrc downloader which uses an archive.org download link. That script should make sure that you'll get reproducible builds without having to distribute the mrc.

Adding the T440p to heads shouldn't be difficult at all since we have everything ready to go on osboot. I could add it myself but we're far from release ready over at osboot, so I'm focusing my time there.
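The comment above turns on the flash descriptor (IFD) carving out an ME region that matches a truncated and relocated ME image. As an added illustration (not code from this thread, osboot or Heads), the following parser reads the region table of a descriptor and checks whether a given ME image length fits the ME region. Offsets and bit layouts follow the public Intel descriptor format as used by coreboot's ifdtool (older five-region layout, an assumption stated in the comments); the descriptor it parses is a constructed sample for a hypothetical 12 MiB flash, not a T440p dump.

```python
import struct

# Offsets and bit layouts follow the public Intel flash descriptor format as
# handled by coreboot's ifdtool (assumption: the older five-region layout).
IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]


def parse_ifd_regions(descriptor: bytes) -> dict:
    """Return {region_name: (base, limit)} for every region the descriptor defines.

    Regions whose base lies above their limit are disabled and left out.
    """
    if len(descriptor) < 0x20:
        raise ValueError("descriptor too short")
    (sig,) = struct.unpack_from("<I", descriptor, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", descriptor, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # flash region base address
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (reg,) = struct.unpack_from("<I", descriptor, frba + 4 * idx)
        base = (reg & 0x1FFF) << 12
        limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:
            continue  # region disabled
        regions[name] = (base, limit)
    return regions


def region_size(regions: dict, name: str) -> int:
    base, limit = regions[name]
    return limit - base + 1


def me_image_fits(regions: dict, me_image_len: int) -> bool:
    """True if a (truncated) ME image fits the ME region the descriptor carves out."""
    return "ME" in regions and me_image_len <= region_size(regions, "ME")


def make_region_entry(base: int, limit: int) -> int:
    """Encode one region entry; both addresses are 4 KiB aligned."""
    return (base >> 12) | ((limit >> 12) << 16)


def constructed_descriptor() -> bytes:
    """A constructed 4 KiB descriptor for a hypothetical 12 MiB flash (not a real board's)."""
    desc = bytearray(0x1000)
    struct.pack_into("<I", desc, 0x10, IFD_SIGNATURE)
    frba = 0x40
    nr = 4  # index of the last region, so five regions in all
    struct.pack_into("<I", desc, 0x14, (nr << 24) | ((frba >> 4) << 16))
    entries = [
        make_region_entry(0x000000, 0x000FFF),  # Descriptor
        make_region_entry(0x800000, 0xBFFFFF),  # BIOS
        make_region_entry(0x003000, 0x7FFFFF),  # ME (sized for a truncated ME)
        make_region_entry(0x001000, 0x002FFF),  # GbE
        0x00001FFF,                             # Platform data: base > limit, disabled
    ]
    for idx, entry in enumerate(entries):
        struct.pack_into("<I", desc, frba + 4 * idx, entry)
    return bytes(desc)


if __name__ == "__main__":
    regions = parse_ifd_regions(constructed_descriptor())
    for name, (base, limit) in regions.items():
        print(f"{name:10s} 0x{base:06x}-0x{limit:06x}")
    print("truncated ME of 0x7fd000 bytes fits:", me_image_fits(regions, 0x7FD000))
```

Run against a real descriptor dumped from the board, the same function shows at a glance whether the ME region a donor IFD defines is large enough for the image you intend to flash, which is the mismatch the comment describes.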

tlaurion commented 2 years ago

@shmalebx9 awesome!

githubisnonfree commented 2 years ago

shmalebx9's work is the bee's knees. I'm very grateful for his osboot contributions.

tlaurion commented 2 years ago

Note that this board, for users tolerating mrc and open to tolerating ACM init and ACM BIOS blobs, could have TXT and measured boot with IBB encompassing the bootblock.

That would mean that the CPU would be usable as a hardware root of trust, and TPM PCR0 would be populated by the ACM, measuring what is defined to be part of IBB.

There was a failed experiment on x230 and a PR created to download and extract ACM bios and ACM init blob. It proved to be successful initializing ACM blobs, but also failing to measure IBB, simply because that feature is not supported on Ivy bridge.

But the story is different for Haswell (and so, for Broadwell as well) which supports IBB measurement, initiated from the ACM blobs. Again, this would mean that the CPU measures the coreboot bootblock as part of the IBB, and stores the measurement in PCR0. Then the bootblock measures itself and the next stage and so on. This would mean an anchored root of trust. And added trust into the bootblock and measured boot. But also DRTM, for that part ivy would also benefit.

Any t440p owner willing to replicate and push forward an equivalent PR for the t440p where immediate benefit could be seen? Once done, Heads could add pcr0 as part of its sealing/unsealing PCRs. Nothing other than the ACM blob can write into PCR0.

I know. More blobs. But also a hardware root of trust for those interested.
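The comment above describes a chain of measurements (ACM extends the bootblock into PCR0, the bootblock measures the next stage, and so on) and proposes sealing Heads secrets against that register. As an added example that is not part of this thread or of the Heads code base, the script below simulates TPM extend semantics over constructed stage images and shows why a modified bootblock makes unsealing fail. Simplifications, stated here and in the comments: all stages extend one simulated register (real firmware spreads them over several PCRs), the stage images are constructed byte strings, and SHA-1 is the default to match a TPM 1.2 era machine.

```python
import hashlib

# Constructed stand-ins for firmware stages; a real measurement hashes the actual image.
BOOTBLOCK = b"coreboot bootblock (constructed sample)"
ROMSTAGE = b"coreboot romstage (constructed sample)"
PAYLOAD = b"heads linux payload (constructed sample)"


def measure(blob: bytes, algo: str = "sha1") -> bytes:
    """Digest of a stage image, the value that is extended into the PCR."""
    return hashlib.new(algo, blob).digest()


def pcr_extend(pcr: bytes, digest: bytes, algo: str = "sha1") -> bytes:
    """TPM extend: new PCR = H(old PCR || digest). A PCR cannot be written, only extended."""
    return hashlib.new(algo, pcr + digest).digest()


def replay_chain(stages, algo: str = "sha1"):
    """Replay an ordered list of (name, image) into one simulated PCR and return the
    event log as [(name, digest_hex, pcr_after_hex), ...]. The PCR starts at all zeros,
    as a hardware PCR does after reset. Simplification: every stage extends the same register."""
    pcr = bytes(hashlib.new(algo).digest_size)
    log = []
    for name, image in stages:
        digest = measure(image, algo)
        pcr = pcr_extend(pcr, digest, algo)
        log.append((name, digest.hex(), pcr.hex()))
    return log


def final_pcr(stages, algo: str = "sha1") -> str:
    log = replay_chain(stages, algo)
    return log[-1][2] if log else bytes(hashlib.new(algo).digest_size).hex()


def seal(stages, algo: str = "sha1") -> str:
    """Sealing binds a secret to the expected PCR value; here we keep only that value."""
    return final_pcr(stages, algo)


def unseal_allowed(policy: str, stages, algo: str = "sha1") -> bool:
    """Unsealing succeeds only if the booted chain reproduces the sealed PCR value."""
    return final_pcr(stages, algo) == policy


def first_divergence(expected_log, actual_log):
    """Name of the first stage whose measurement differs from the expected log, or None.
    This is what a defender does with the event log when unsealing fails."""
    for (ename, edigest, _), (aname, adigest, _) in zip(expected_log, actual_log):
        if ename != aname or edigest != adigest:
            return aname
    return None


GOOD_CHAIN = [("bootblock", BOOTBLOCK), ("romstage", ROMSTAGE), ("payload", PAYLOAD)]
# One byte appended to the bootblock: every later PCR value in the chain changes too.
TAMPERED_CHAIN = [("bootblock", BOOTBLOCK + b"!"), ("romstage", ROMSTAGE), ("payload", PAYLOAD)]

if __name__ == "__main__":
    policy = seal(GOOD_CHAIN)
    print("sealed against PCR =", policy)
    print("good boot unseals:", unseal_allowed(policy, GOOD_CHAIN))
    print("tampered bootblock unseals:", unseal_allowed(policy, TAMPERED_CHAIN))
    print("first differing stage:",
          first_divergence(replay_chain(GOOD_CHAIN), replay_chain(TAMPERED_CHAIN)))
```

Because extend is a hash of the previous value concatenated with the new digest, the order of measurements matters and no later stage can undo an earlier one, which is the property that makes a PCR0 populated by the ACM worth including in the sealing policy.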

tlaurion commented 2 years ago

Supporting t440p would require

tlaurion commented 2 years ago

> I could add it myself but we're far from release ready over at osboot, so I'm focusing my time there.

@shmalebx9 there is some interest from the community.

What is the status of the board under osboot?

shmalebx9 commented 2 years ago

> > I could add it myself but we're far from release ready over at osboot, so I'm focusing my time there.
>
> @shmalebx9 there is some interest from the community.
>
> What is the status of the board under osboot?

Sorry to get back so late. I have a job working in the dirt (not tech related) and a baby so time is tight. The board is stable in osboot. Other than the grub bug, it should be good to go. I have a t440p board which I could use to test with heads as a payload. Let me know if you're interested. I'm not super familiar with your build system, but I figure I could build a linux payload for testing with osbmk and update in this issue.

tlaurion commented 2 years ago

So sad this mrc blob.

So sad work on reversing that mrc to support 16gb chips didn't go forward https://github.com/eurus13/T440P-32GB/issues/1

Alright, checked the code for mrc download and me extract. Should not be hard to add coreboot config, deduplicate/extraction scripts and wrap it under circleci.

Seems like cos download is already dealt with by coreboot, didn't know https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin

Cannot guarantee when I will have time to do that, would love to see interested people do it but might do it later on.

shmalebx9 commented 2 years ago

> So sad this mrc blob.
>
> So sad work on reversing that mrc to support 16gb chips didn't go forward eurus13/T440P-32GB#1
>
> Alright, checked the code for mrc download and me extract. Should not be hard to add coreboot config, deduplicate/extraction scripts and wrap it under circleci.
>
> Seems like cos download is already dealt with by coreboot, didn't know https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin
>
> Cannot guarantee when I will have time to do that, would love to see interested people do it but might do it later on.

As far as I remember, the only change I made to the mrc downloader from coreboot was to add an archive.org link instead of the direct download link. It would probably be better to use ours if coreboot hasn't changed theirs.

tlaurion commented 2 years ago

@shmalebx9 this issue on skulls and upstream coreboot related partial fix for dGPU might be of interest for osboot as well. Again I do not own the hardware but t440p support still seems partial and including the board under Heads would result in lots of support requests I could not handle until it is known to work: https://github.com/merge/skulls/issues/220