Alex James is participating in the Google Summer of Code for the coreboot project, writing Ghidra tools that work with coreboot! Initial status report is now available:
coreboot 4.9 has been released. There are lots of changes, but the project does a great job summarizing the changes in their announcement:
[…]In the little more than 7 months since 4.8.1 we had 175 authors commit 2610 changes to master. The changes were, for the most part, all over the place, touching every part of the repository: chipsets, mainboards, tools, build system, documentation. In that time we also had 70 authors made their first commit to coreboot.[…]
* ACPICA: Update to version 20181031
* olog:olog.json: Update OPAL skiboot errors to check on olog scan
* acpi: button: check fixed hardware & control method power buttons
* kernelscan: add -k option to specify klog json filename
* README: update package dependency notes for RHEL
* acpica: fix linker issues when building with ACPI disabled
* src/lib: add module probing helper functions
* lib: fwts_efi_module: use the new module loading helper functions
* lib/fwts_cpu: use new use the new module loading helper functions
* snapcraft: update confinement and plugs
* lib: fwts_coreboot_cbmem: don’t use void * pointer arithmetic
* lib: fwts_coreboot_cbmem: shift UL values rather than signed int values
* lib: fwts_log: shift UL values rather than signed int values
* acpi: syntaxcheck: rename syntaxcheck_table to syntaxcheck_single_table
* dmicheck: fix Maximum Capacity checking range
* mcfg: fix MMIO config space checking
* madt: fix the Local APIC NMI processor UID checking
* auto-packager: mkpackage.sh: add disco
[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.
Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]
3mdeb has a new video showing how to use BITS and CHIPSEC as coreboot payloads.
A freshly-created Github project:
UEFI Payload (UefiPayloadPkg) aims to be an upgrade to CorebootModulePkg and CorebootPayloadPkg. Features:
– Supporting Slim Bootloader in addition to Coreboot
– Source level configuration using .ini format
– User Extension using simple “C” codes
– Platform support library for adding platform specific codes
Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]
[…]The other fun thing about it is that none of the firmware flashing protection is enabled, including Intel Boot Guard. This means running a custom firmware image is possible, and what would a ridiculous custom Thinkpad be without ridiculous custom firmware? A shadow of its potential, that’s what. So, I read the Coreboot motherboard porting guide and set to.[…]
Lenovo should be giving Matthew a free X210 for this effort:
See blog post for full list of changes.
- Start of refactoring the TPM software stack
- Introduced coreboot security section in kconfig
- VBoot & TPM code moved into src/security
Open Source Bios at Scale
Julien Viard de Galbert
At Scaleway we started to design our servers with the ARM C1. Later we switched to a x86 architecture to provide the C2 and Dedibox SC2016. In both ARM and x86, a BIOS is required to start the server. BIOS software got many legacy and backward compatible software to ensure a reliable behavior accross many boards. I was in charge of the BIOS development for our new generation of x86 servers. This article presents technical choices we used during our development.[…]
Embedded Software Engineer – Bootloaders
Qualcomm processors provide integrated solutions for millions of diverse mobile and new emerging platforms across IoT, Automotive and Compute markets. It all starts with the Boot Firmware the first mission critical code to execute on our SoC(System on chip) and prepare the system for operation. We design and develop the software we put in mask boot ROM, along with system boot-loaders. Features we work on include image authentication, multicore setup, the UEFI pre-boot environment, configuration of next-generation DDR memories, ARM CPU and custom Qualcomm DSP/microprocessors, MMU/Cache memory management and advanced driver development for multiple boot/storage devices including eMMC, UFS, NAND, SPI-NOR, QSPI and flashless boot transport interfaces such as PCIe, SDIO, USB. Embedded Bootloader design & development involves architecting solutions to address different use cases and feature requirements in the early bootloader environment before the handoff to the High Level Operating System kernel. Engineer is expected to work with different Qualcomm build infrastructure tools and ARM compiler tool chains to enable different drivers and services for Bootloaders, optimizing them both for boot time, internal memory size constraints and power metrics.
* Design, development and integration of custom and/or open source Bootloaders for QCT mobile platforms.
* ThreadX, Linux, Android, Windows Boot process knowhow
* UEFI (Unified Extensible Firmware Interface) based bootloader and device driver model experience
* coreboot, uboot based bootloader experiences
The UEFI Forum likes to frame UEFI -vs- BIOS, and has a 3-5 Class heirarchy of those systems, including having to deal with UEFI systems that also provide BIOS via Compatibility Support Module (CSM), referring to BIOS as Legacy Mode. If you look at BIOS outside of the framing of the UEFI Forum, it is usually based security, and UEFI has some security where BIOS has none. But there’s another ‘class’: non-UEFI coreboot, optionally secured with Verified Boot, with a BIOS payload. UEFI Forum doesn’t include this in their Class heirarchy… AFAICT, the mainstream IBVs have given up on BIOS and migrated to UEFI. The only places where BIOS will probably remain are in Purism boxes, where they will use TPM+Heads to secure BIOS, or on Chrome boxes, where they will use coreboot Verified Boot to secure BIOS, or in SeaBIOS-based VMs. When Intel stops offering Intel’s implementation of BIOS, maybe this means that the remaining BIOS users will switch to the open source SeaBIOS project, which is great news. Getting rid of the complex class of dual UEFI/BIOS systems will be a joy. 🙂
Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:
The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.
In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….