linuxboot / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
https://osresearch.net/
GNU General Public License v2.0

Legacy and untested boards now considered untested until tested #1421

Open tlaurion opened 1 year ago

tlaurion commented 1 year ago

EDIT: The following boards configurations are now considered untested until tested and reported as being functional by board owners:

coreboot, built by CircleCI but untested (NEEDS IMMEDIATE TESTING!)

I will not be able to update that list forever, but I am pointing to PRs that were untested in the list below, as this issue tracks untested boards.

You can refer to master's list of boards containing UNTESTED_ : https://github.com/osresearch/heads/tree/master/boards

As a general note, dgpu boards are less tested than igpu (standard) boards.

linuxboot (NOT built by CircleCI/NOT tested since NERF/Heads project diverged, back in 2020):

coreboot based, but not built by CircleCI because of build toolchain incompatibilities/CircleCI having a race condition which makes builds fail

Cannot be built by CircleCI (invalid ROM unless user adds ME/IFD/GBE manually: non-maximized board configs)


EDIT: t430-legacy and x230-legacy have been tested prior to #1398 being merged. x220/t430/x230 board ROMs not showing "maximized" on the Heads main menu are "legacy" board ROMs. Those boards have been renamed under boards/ to their legacy counterpart in the last year to not be mixed with legacy boards.

EDIT:

Recent attempts at bringing a newer kernel version (5.10.5), gnupg 2.4 and newer flashrom tools (with a reduction to only support newer flashrom with WP protection) are to be built for legacy boards/by lack of space in CBFS to add the built payload into coreboot: https://app.circleci.com/pipelines/github/tlaurion/heads/1743/workflows/4d707277-dfdd-446f-82d9-ed241cd0842d

How many of you are still using non-maximized x230/t430/x220? That would be: not seeing "maximized" on the main Heads prompt as seen in the https://osresearch.net screenshot.

Please voice yourself.


Tagging per board owners of #692:

Heads users coming from other projects: @n4ru: That would impact all your users coming from 1vyrain (IFD unlock is not possible from 1vyrain). @merge: That would be all your users coming from Skulls without applying the optional IFD unlock. This touches the following board configs: x230-legacy, x220 (legacy) and t420 (legacy).


VALIDATION STEP: https://osresearch.net/Updating#locked-ifd-and-me

merge commented 1 year ago

I haven't used (or at least changed) a Heads installation in quite a while now. What exactly is the meaning of the issue? - I'm not entirely sure. Skulls users "usually" would unlock IFD, this is the default behaviour even - as I think ideally we want Heads to enable WP before booting an OS.

tlaurion commented 1 year ago

Skulls users "usually" would unlock IFD, this is the default behaviour even - as I think ideally we want Heads to enable WP before booting an OS.

@merge that is exactly my concern. If IFD is locked by default today, those users can only flash Heads legacy ROMs for t430/x230/x220.

And those legacy boards per this ticket are thought to be dropped from the main repository because it's extremely hard to pack everything under the 7 MB of the normally defined IFD BIOS region.

So my question to you is: how many users out there from the Skulls user base have IFD locked, ME non-neutered/not unlocked, and so won't be able to internally flash to maximized boards?

As for WP protection, io386 and maximized boards are pushing PR0 locking, aka SMM platform locking through SMI chipset locking really recently.

merge commented 1 year ago

No, IFD is unlocked by default when installing Skulls. Most users neuter ME, but it's not yet the default. Maximizing the "bios" region is not yet done by Skulls, but iiuic it could be done without disrupting the user workflow. What would it roughly be? Coreboot config size change, new layout file + ifdtool run on the image? And if the actual size of the Skulls image remains <4M, is external hardware flashing still possible to only the one 4M chip? Patches and testing welcome :)

good to hear WP is progressing

bwachter commented 1 year ago

I only have boards with neutered ME.

tlaurion commented 1 year ago

@merge @n4ru

good to hear WP is progressing

This was merged per https://github.com/osresearch/heads/commit/6ec0c814430c5ad0df54f834c89ee72a904466b2 for maximized boards only as of now.

It is to note that further disabling kernel config network options under linux-x230-legacy.config per https://github.com/osresearch/heads/pull/1381/files#diff-2af02345f256b80007d10fb6a49cfaaf8dd4c2d96f044f9976f8f5f1396b3fb6 delays deprecation for legacy boards (which all use linux-x230-legacy.config 5.10.5 from now on) a little bit more.

Maximizing the "bios" region is not yet done by Skulls, but iiuic it could be done without disrupting the user workflow. What would it roughly be? Coreboot config size change, new layout file + ifdtool run on the image? And if the actual size of the Skulls image remains <4M, is external hardware flashing still possible to only the one 4M chip? Patches and testing welcome :)

This is the problem we are talking about. In simpler terms, skulls users need to follow https://osresearch.net/Prerequisites#current-legacy-boards down to this actionable verification https://osresearch.net/Updating#verify-upgradeability-paths-of-the-firmware

The problem here is that fixes for now would still not fix past deployments when it comes to IFD/ME being locked, which requires external flashing. There is no such thing under Heads as a 4 MB image outside of legacy-flash images, which can be flashed to then flash legacy board ROM images; those cannot use the ME freed space unless IFD+ME are unlocked to flash maximized (neutered ME, space given to the IFD BIOS region).

@merge : the question is then: how many past users using legacy versions of Heads ROM images are out there for x220/x230/t430? All other boards do not have legacy versions and expect a first external flash of maximized board images, which are always full images (containing ME, IFD, GBE), either one full 8 MB ROM or a 12 MB ROM image split into bottom and top images to be flashed externally.

This basically would mean dropping x220/t430-legacy-flash/t430-legacy/x230-flash/x230-legacy board configs and stopping building those from CircleCI for direct download, preventing users from bricking their devices.
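The descriptor check behind the "locked IFD and ME" validation step, as an added example that is not part of this thread or of the Heads project's own tooling: it parses an Intel Flash Descriptor (the v1 layout of the x220/x230/t430-class chipsets) from the start of a ROM dump, reports the region layout, and tells whether the BIOS master may write the descriptor and ME regions, which an internal flash of a maximized image needs. The region layouts and master permission values are constructed for the demonstration, modelled on the 12 MB chip / 7 MB BIOS region figures in the thread, and `build_descriptor` exists only to produce that test input.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ("descriptor", "bios", "me", "gbe", "platform")  # IFD v1 order; master bit n = region n

def build_descriptor(regions, flmstr1):
    """Constructed 4 KiB IFD v1 page for testing, not a real vendor descriptor."""
    d = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", d, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", d, 0x14, (4 << 24) | (0x04 << 16) | 0x03)  # NR=4, FRBA=0x40, FCBA=0x30
    struct.pack_into("<I", d, 0x18, (2 << 8) | 0x06)  # NM=2, FMBA=0x60
    for i, name in enumerate(REGION_NAMES):
        base, limit = regions.get(name, (0x7FFF000, 0xFFF))  # base > limit marks an absent region
        struct.pack_into("<I", d, 0x40 + 4 * i, (base >> 12) | ((limit >> 12) << 16))
    struct.pack_into("<I", d, 0x60, flmstr1)  # FLMSTR1 = BIOS (host CPU) master
    return bytes(d)

def parse_ifd(blob):
    """Return region ranges and the BIOS master's read/write region bitmasks."""
    if struct.unpack_from("<I", blob, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", blob, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # region section base
    fmba = (flmap1 & 0xFF) << 4  # master section base
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        val = struct.unpack_from("<I", blob, frba + 4 * i)[0]
        base, limit = (val & 0x1FFF) << 12, (((val >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)
    flmstr1 = struct.unpack_from("<I", blob, fmba)[0]
    return {"regions": regions, "bios_read": (flmstr1 >> 16) & 0xFF,
            "bios_write": (flmstr1 >> 24) & 0xFF}

def region_size(blob, name):
    rng = parse_ifd(blob)["regions"][name]
    return 0 if rng is None else rng[1] - rng[0] + 1

def ifd_is_unlocked(blob):
    """True when the BIOS master may write descriptor and ME, as flashing a maximized image internally needs."""
    need = (1 << 0) | (1 << 2)
    return parse_ifd(blob)["bios_write"] & need == need

# Constructed 12 MiB layouts: stock-like (7 MiB BIOS, large ME) vs maximized (ME shrunk, space given to BIOS).
STOCK_LAYOUT = {"descriptor": (0, 0xFFF), "gbe": (0x1000, 0x2FFF),
                "me": (0x3000, 0x4FFFFF), "bios": (0x500000, 0xBFFFFF)}
MAXIMIZED_LAYOUT = {"descriptor": (0, 0xFFF), "gbe": (0x1000, 0x2FFF),
                    "me": (0x3000, 0x1FFFF), "bios": (0x20000, 0xBFFFFF)}
LOCKED_MASTER, UNLOCKED_MASTER = 0x0A0B0000, 0xFFFF0000  # constructed, not vendor values
```

On a real dump, pass the file contents to `parse_ifd`; a `False` from `ifd_is_unlocked` is the locked-IFD case the validation step above describes, where only external flashing can move the board to a maximized image.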

tlaurion commented 1 year ago

So per #1398 t430-legacy and x230-legacy were tested.

Other currently untested boards will now be renamed UNTESTED_*.

It is considered that the last working commit for those platforms was 91f65be for the following boards:


EDIT:


Edit: t440p-maximized and t440p-hotp-maximized were re-added per 56a312e, thanks to @srgrint for standing up prior to merging.

tlaurion commented 1 year ago

x220-maximized and x220-hotp-maximized salvaged from going untested under #1398 thanks to @srgrint. Note: x220 (legacy) is still untested.

tlaurion commented 1 year ago

t440p-maximized and t440p-hotp-maximized salvaged from going untested under https://github.com/osresearch/heads/pull/1398 thanks to @srgrint

tlaurion commented 1 year ago

t420-maximized and t420-hotp-maximized are back to normal; it was an error and was fixed in https://github.com/osresearch/heads/pull/1432

t420 (legacy) is still untested.

3hhh commented 1 year ago

I just tested d4f56bd546c195c8a46b3839813b514c30f2efbceef963c1ed6cb3499eafbaa3 heads-UNTESTED_t530-hotp-maximized-v0.2.0-1705-gedf200e.rom (https://github.com/osresearch/heads/commit/edf200e7913c62975a424cfb9dbd579747d0665c), seems to work so far. Apparently it even fixed https://github.com/QubesOS/qubes-issues/issues/8232, thanks!

tlaurion commented 1 year ago

I just tested d4f56bd546c195c8a46b3839813b514c30f2efbceef963c1ed6cb3499eafbaa3 heads-UNTESTED_t530-hotp-maximized-v0.2.0-1705-gedf200e.rom (https://github.com/osresearch/heads/commit/edf200e7913c62975a424cfb9dbd579747d0665c), seems to work so far. Apparently it even fixed QubesOS/qubes-issues#8232, thanks!

@3hhh So you get "finalizing chipset" on kexec call? Hopefully https://github.com/osresearch/heads/pull/1373#issuecomment-1587752648 was successful for you: should.

tlaurion commented 1 year ago

@3hhh if https://github.com/osresearch/heads/pull/1373#issuecomment-1587752648 doesn't work for you please open issue (should: coreboot config was unified across boards, but you never know until confirmed working through testing).

pcm720 commented 1 year ago

@tlaurion You can remove x230-maximized-fhd_edp variations from untested, edf200e7913c62975a424cfb9dbd579747d0665c works fine on my eDP-modded X230. Sorry for not being able to test it sooner.

3hhh commented 1 year ago

@3hhh So you get "finalizing chipset" on kexec call? Hopefully #1373 (comment) was successful for you: should.

Yes, that worked as well. :-)

Tickmeister1 commented 1 year ago

KGPE-D16 is working. (workstation variant tested)

tlaurion commented 1 year ago

KGPE-D16 is working. (workstation variant tested)

That is unexpected. Version? I see you replied on another issue with an old version. Is that on master?

Tickmeister1 commented 1 year ago

Yes, it is a fresh build from master, about 2 days old.
v0.2.0-1713-g06b1b09 Linux 5.10.5-heads

tlaurion commented 1 year ago

w530-hotp-max 1727 reported working under https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$XeRUrwx_n3uCjN8UDcYhLS4Ml2wlySGd0N3LmSx9_VU?via=matrix.org&via=nitro.chat&via=fairydust.space

(I suppose without dGPU otherwise would have been specified)

ThePlexus commented 1 year ago

p8z77-m_pro-tpm1-hotp-maximized and p8z77-m_pro-tpm1-maximized

tested working

tlaurion commented 1 year ago

Unfortunately @ThePlexus, w530 has not been tested under https://github.com/osresearch/heads/pull/1403 which will be merged soon. Please report testing on top of master or under that branch and report individual board statuses here so those board flavors can be moved back to tested (normal) so others can flash without worries.

Otherwise this is still considered untested.

tlaurion commented 1 year ago

Modified the OP post to point to the list of boards containing UNTESTED_ from master. I think this is the most efficient way of dealing with this, and keeping issues open for untested boards.

tlaurion commented 1 year ago

Can confirm heads-t430-maximized-v0.2.0-1747-g572573f.rom works

Originally posted by @srgrint in https://github.com/osresearch/heads/issues/1403#issuecomment-1681091500


t430-hotp-maximized and t430-maximized were removed from untested boards prior to the #1403 merge, thanks to last minute testing from @srgrint !