Uncategorized

SeaBIOS 1.10.0 released!

Kevin O’Connor announced the 1.10.0 release of SeaBIOS.

New in this release:
* Initial support for Trusted Platform Module (TPM) version 2.0
* Several USB XHCI timing fixes on real hardware
* Support for “LSI MPT Fusion” scsi controllers on QEMU
* Support for virtio devices mapped above 4GB
* Several bug fixes and code cleanups

Multiple contributors: Kevin O’Connor, Stefan Berger, Gerd Hoffmann, Igor Mammedov, Dana Rubin, Marcel Apfelbaum, Alex Williamson, Cao jin, Cole Robinson, Don Slutz, Haozhong Zhang, Matt DeVillier, Paolo Bonzini, Piotr Król, Roger Pau Monne, and Zheng Bao.

More info:
https://www.coreboot.org/pipermail/seabios/2016-October/010996.html
https://www.seabios.org/Releases#SeaBIOS_1.10.0

 

Standard
Uncategorized

SeaBIOS TPM support improved

Stefan Berger of IBM submitted a 6-part patch to the SeaBIOS project, updating it’s TPM support, his patch comment follows:

This series of patches extends the TPM2 code to extend the BIOS related PCRs 0-7 in all available banks. This prevents that these PCRs remain untouched and filled with bogus values by applications. For example, the SHA1 hash is extended into the SHA256 bank. The value that is extended into this bank is essentially a SHA1 with zero bytes used for filling it to the size of a sha256 hash. This is done for all PCR banks of the TPM2 where these PCRs are available. In v2 of this series I also extended the log functions for logging the additional hashes. So there are more patches now.

For more information, see the full patch sent to the SeaBIOS list:
https://www.coreboot.org/mailman/listinfo/seabios

Standard
Uncategorized

Wikipedia’s BIOS security roadmap

You’d think that with a blog called ‘firmware security’, I’d know about the ‘Wikipedia BIOS feature comparison’ page. But I did not, sad. 😦  The other day I was wishing someone would create a comparision of BIOS implementations and their security features. Luckily, Kevin O’Conner of the SeaBIOS project was kind enough to point this out to me, when I was looking for a SeaBIOS security roadmap:

https://en.wikipedia.org/wiki/BIOS_features_comparison

I’ve been learning more about SeaBIOS, and am impressed with it’s features. I wonder why some Linux OEMs still ship closed-source BIOS systems from IBVs? Given their audience demographic, you’d think they’d be using Linux-based coreboot, and on x86/x64 systems using SeaBIOS. They could be using coreboot Verified Boot + SeaBIOS’s TPM support for a much more secure than they are today. If you’re buying a System76 or ThinkPenguin or other Linux-centric site, ask them what firmware solution they’re giving you.

Standard
Uncategorized

SeaBIOS 1.9.0 released

Kevin O’Connor announced the release of SeaBIOS version 1.9.0 today, on the SeaBIOS, QEMU-devel, and coreboot mailing lists. New in this release:

* The default boot menu key is now the ESC key (instead of F12)
* Initial support for Trusted Platform Module (TPM) hardware and BIOS calls
* Initial support for chain loading SeaBIOS from Grub (via multiboot support)
* Initial support for booting from SD cards on real hardware
* virtio 1.0 device support
* The build will no longer include the build hostname or build time on “clean” builds.  This makes the build binaries more “reproducible”.
* Basic support for running SeaBIOS on Baytrail Chromebooks
* SeaVGABIOS: improved support for old versions of x86emu (the “leal” instruction is now emulated)
* Several bug fixes and code cleanups

TPM support sounds interesting! And remember, if F12 no longer works, try ESC…

More information:
http://seabios.org/Releases
http://seabios.org/Download
http://www.seabios.org/mailman/listinfo/seabios

Standard
Uncategorized

PAE-enabled SeaBIOS

On the SeaBIOS mailing list, Kevin O’Connor recently provided a patch to SeaBIOS to enable it to run in PAE mode. SeaBIOS is the main open source implementation of 16-bit x86 BIOS, used in coreboot, tianocore, and elsewhere. Excerpting Kevin’s posting:

I was curious to see if SeaBIOS could run its 32bit code with PAE paging enabled.  So, I put together some test code, and so far it seems to work.

The reason why PAE is interesting (instead of standard i386 paging) is that it allows for 64bit mappings and because one can set it up with just a single level page directory of 2MB pages.  The single level page directory makes maintaining it much easier.

The SeaBIOS’ malloc code could also be updated to remap pages which would make it possible for it to relocate itself above 4GB and to store data above 4GB.  That’s likely not all that useful, but I think it would be a little amusing for a 16bit bios to fully support 64bit memory.

I haven’t done any performance tests.  It’s unclear what the performance impact of enabling paging on every 32bit entry point would be.

It appears that more work will be done before this patch is contributed to trunk. But it is interesting to see PAE-enabled BIOS!

More Information:
http://www.seabios.org/pipermail/seabios/2015-September/009788.html
http://www.seabios.org/

Standard
Uncategorized

Sage Engineering updates Minnow firmware

Sage Engineering maintains a Coreboot-based, SeaBIOS payload-based firmware for the Intel MinnowBoard MAX.

Today, they’ve announced an updated release. This update allows for flashing the boot image without a hardware device.

The binary SageBIOS boot ROM image, which is flashed on the development board’s SPI Flash device, is based on the Intel Firmware Support Package (Intel FSP) and coreboot open source initialization. The SageBIOS OSP replaces UEFI firmware that comes installed on both versions of MinnowBoard MAX and will support booting a greater variety of operating systems, including FreeBSD and a variety of RTOS, as well as legacy operating systems such as older versions of Microsoft Windows and even DOS. The SageBIOS OSP will support all the operating systems supported by the native UEFI firmware, such as Windows and Linux. In addition, the SageBIOS OSP will boot both 32-bit and 64-bit operating systems with a single boot image.

The download of the “demo ROM” is free, but email registration is required.
More information:
http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20150518/001523.html
http://www.se-eng.com/minnow/

Standard