On 12.04.21 at 14:33, Peter Stuge wrote:
> maxime.corne--- via coreboot wrote:
>> After some research on the Internet, I found out coreboot couldn’t be ported to modern hardware because of an Intel technology which encrypts the BIOS (I might be wrong, if so, sorry).
>
> Encryption (signatures actually, not encryption) isn't relevant for porting, but if the system integrator has enabled BootGuard in the "wrong" way then the signature verification is intended to make it impossible to install coreboot onto the system. In that case, and a few others, the only option is to desolder the flash chip and work with external programming options.
This seems a bit misleading. BootGuard is independent of the flash chip and write access to it. BootGuard reads the BIOS (more accurately the bootblock) and acts on what it sees. If it is configured in verification mode, it will refuse to boot if the BIOS' signature isn't valid. Only the OEM who configured BootGuard can provide a valid signature. BootGuard is not tied to the flash chip but the PCH (which is part of the CPU module in ultrabooks). That's a lot more work to replace. Older versions of BootGuard may be susceptible to a TOCTOU discrepancy, i.e. you might get around it with a flash emulator that presents a bootblock with a valid signature to BootGuard and lets the CPU execute another later. But this won't be easy if possible at all.
>> I’d be more than happy to tinker with my hardware, so how would you put coreboot on a recent Thinkpad by replacing the BIOS chip?
Lenovo is known to set up BootGuard in verification mode on Thinkpads. Actually, Intel implemented BootGuard for OEMs like Lenovo who asked for it.

I didn't watch the whole video, but what I remember: 9elements bought a rare Thinkpad with BootGuard disabled. Might have been an early prototype or a development sample. Generally not easy to get.

So TL;DR
coreboot on modern hardware: no problem at all (if you "own" the hardware and accept some blobs).
coreboot on modern Thinkpads: totally up to Lenovo who "owns" all modern Thinkpads even after selling them.

If it doesn't have to be a Thinkpad, please consider buying hardware that ships with coreboot ;) If it does, you have to talk to Lenovo. We resell Thinkpads and talked to them... short version: we're selling too few to get a custom BootGuard configuration :-( Maybe if you take 10,000+ units, they're more interested (actually, I've no idea how much we sell). If you talk to a sales representative, they'll promise you anything; but that doesn't mean you get the deal. So it's not easy to figure out even a rough number. Also, this was some years ago. Always worth another shot to ask.

Nico

--
M. Sc. Nico Huber
Senior Consultant SINA Software Development and Verification
Division Defence & Space
secunet Security Networks AG