-
-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide IFD, Gbe and ME blobs #307
Comments
This and #375 is really only one issue IMO :) |
I think it might a false problem. For both x220 and x230 and other 2 spi chips boards, the IFD should be provided inside of Heads (./initrd/etc/x230-layout.txt), accompanied with a flash script (/initrd/bin/flashrom-x230.sh) for Heads to be able to flash internally, the IFD containing the ME region to not touch, though that region could be reduced a lot, no? @osresearch : would flashtool be able to deal with reading the IFD in flash dynamically and determine the real used ME region? I mean. On the x230, there is plenty of space when ME modules are trimmed and the free space is concatenated:
|
In this case, following the previous output from me_cleaner:
/etc/x230-layout.txt ME region could be modified from
to: So we could use the output of me_cleaner to adapt the /etc/x230-layout.txt Is there something i'm missing? |
no, I think you're right. The question is mostly whether we need the space and want to become dependent on me_cleaner being applied.
Am 20. April 2018 22:41:23 MESZ schrieb tlaurion <[email protected]>:
…In this case:
```
00000000:00000FFF Descriptor
00001000:00002FFF GBe
00003000:004FFFFF ME
00500000:00BFFFFF BIOS
```
ME could be reduced to:`
00003000:0001AFFF ME`
Is there something i'm missing?
--
Martin Kepplinger
http://martinkepplinger.com
sent from mobile
|
@osresearch yes the 12m isn't flashable which is dangerous when flashing externally (first-time install) and people get it wrong (and the head wiki might even be misleading a little). FWIW, specifically (only) for the X230, there's now a tiny project named Skulls that basically tries to hide as much as possible and simplify external flashing / unlocking the IFD (and applying me_cleaner). There is a script to install Heads (from Linux) too. |
this comment actually belonges in here more: #424 (comment) |
@osresearch @merge @flammit : The x230 flash.sh specifics could then overwrite the whole SPI instead of just the bios region. What do you think? Modifying the scripts. |
Missing some pieces of the puzzle. |
why? what's the benefit when flashing internally on the system? |
@merge more space, the possibility to update ME internally following probable changes in the ROMP and BUP modules and to have a valid IFD instead of only being able to flash the bios region since the layout file is not provided anymore. Flashrom 1.0 upgrade and related flash.sh modifications wiped it. But basically, more usable space in SPI flash. Maybe a false need, again. |
@merge said in #424 which is now merge:
I think the x230-flash should deal with it internally. If i get things right from skulls, it means that x230-flash misses ifd tool to unlock the IFD from within. @merge? |
ifdtool's "unlock" has to be applied to the 8M chip's region. x230-flash or x230 shouldn't include ifdtool in initrd. For future write-protection solutions we won't use IFD. We just need it to be unlocked once. |
Interesting points posted in #564
gpg is not there anymore, since GPG2 is too big and x230-flash is used only to bootsrap.
Unfortunately, following #517 and 4mb limit, having a flash-gui displayed in FBWhiptail or Whiptail only, won't fit in 4Mb. I will look again on the Skull's external_install_bottom.sh script, since I can't still wrap my head about how we could deal with this one shot from the external, flashing system. Never actually played with Skull. Will try to find some time. @shamen123
The process hasn't change a lot since that time. Chip that script in? |
not yet at least :) but alright. There's no need to have a GUI for that one job.
It's nothing special. Just a different 4M coreboot build, and thus it has all the bootstrapping-benefits that we need equally need to take advantage of for "x230-flash" here. Basically, you can even directly replace a pre-built "skulls" image with an "x230-flash" image and directly use skulls' "external" scripts - one per flash chip.
|
@merge : There is not enough space anymore in the BIOS region (coreboot cbfs defined space) as it is to do anything else. Playing around and applying this, including ifd and me in rom (while modifying flash.sh for it to reflash whole 12mb, not just BIOS region), there is now around 5mb flash that just appeared magically. Looking at how Purism distributes its binaries through whole rom download for their board, there doesn't seem to be any problem redistributing ifd and me, which are basically included in their downloadable image, and extracted by their scripts. @kylerankin ? @zaolin : Would there be a legal problem redistributing me.bin (98kb shrinked bin) and resulting ifd.bin directly from a x230 blobs directory on the repo? What I propose:
This way, reading roms would only be useful to have backups of them, but there would be no real reason to even run me_cleaner anymore. Just download GitlabCI artifact, and flash both chips. x230 me_cleaner command generating blobs would ressemble this: What do you think? Playing around to include thin-provisioning-tools right now to measure OEM distributed image directly from distributed /boot with dm-verity at reownership. More space is needed and my quest to reduce firmware size has not gone very far. @marmarek: That would be useful too if fwupd subproject goes farther in providing firmware upgrades from QubesOS over sys-whonix from dom0 (so not a Heads task, but QubesOS task.) Heads could look into directory for signed firmware file, validate against distributing key inside of rom, and compute new measurements based on firmware parts to implement forward sealing of firmware upgrades.. Any thoughts on that are also welcome. Playing with this here |
The Intel has a very reasonable redistribution clause for their microcode updates that came about from the Debian pushback as well as for the FSP. However, the ME team has not had any similar sort of large scale push them to change their license. Lots of us have asked, but I've never received a response. Fetching it from a separate blobs repo would at least avoid tainting the main Heads tree, which seems to be the coreboot approach. This also avoids bloating up the tree with how ever many devices end up being supported. |
I guess we should just do that. Might be the easiest way to keep the x230 supported. I might think that through sometime... (we need more space for vboot later anyways). (not now but for the future, I'd be interested: would we then need a new vboot fmd file in coreboot too? how would that look like?) |
I tested this too and it works nicely: merge@4cbab95 5M of free space. we need to be careful how to make the transition: We change the IFD, so flashing from inside of Heads won't (conveniently) work! I guess before we do a Heads-release, we can and should do this and force flashing from outside of Heads (ifd, me and bios regions (we can write a script) from userspace or 4M/8M from external hardware). do you see any way we could avoid that "break" for users? IMO the state of the project would allow us to do it and say "please flash from outside of Heads, once now", when doing a release? |
#590 can be closed when this is resolved. |
Following #700 conclusions, without gbe blob, no ethernet. |
the GBE blob is necessarily system unique though, right? since it contains the MAC address? |
(EDIT) Tracking of attempts: |
@MrChromebox @tlaurion I came here via the me_cleaner ticket opened. There is a lot going on between a number of repos and tickets but did want to mention something relevant to the gbe blob. Yes, the gbe blob from the x230 contains the mac address. Using hexyl on the gbe blob outputted from iftool , the address is at offset EDIT: Oops, looks like I a little slow. @tlaurion seemed to have figured this out in #700 |
@Thrilleratplay : no its not fixed (not randomized). Its the actual mac address provided in gbe.bin blob that is exposed and present directly in the blob in that issue update, showing its addresses. I haven't tried to randomize it yet. Any success on your side? |
@tlaurion I'm sorry I don't understand what you mean by
The MAC addresses seems to be in a fixed position at those hex offsets. My offsets match the ones you posted in #700 and they are also the same on my x220. I haven't tried modifying the addresses, I assumed there was a crc32 checksum or something that verified the mac's validity apart from the vendor prefix. |
I meant I didnt try to modify it.
On May 12, 2020 10:20:06 PM UTC, Tom Hiller ***@***.***> wrote:
@tlaurion I'm sorry I don't understand what you mean by
> no its not fixed (not randomized)
The MAC addresses seems to be in a fixed position at those hex offsets. My offsets match the ones you posted in #700 and they are also the same on my x220. I haven't tried modifying the addresses, I assumed there was a crc32 checksum or something that verified the mac's validity apart from the vendor prefix.
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#307 (comment)
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
GBe attempts can be followed here |
on IGB: missed that and looking at it https://libreboot.org/docs/gnulinux/grub_cbfs.html#changeMAC |
Well, Leah seems to have resolved that 2 years ago: https://notabug.org/libreboot/libreboot/src/master/resources/utilities/ich9deblob/src/gbe/gbe.c |
So, to be able to generate gbe blobs (ich9gen wast obsoleted in favor of bincfg), one would need to adapt the x200 bincfg spec file to ICH6 series @9elements @3mdeb anyone? |
From #307 (comment)
@Thrilleratplay BTW it seems there is no verification made on GBE checksums. Dunno if you are going to be quicker then me, but it seems that if we find a quick way to extract GBE from flash, modify at offset MAC defined in /etc/config (or under board config at compilation) we could hack the MAC, and reinject it prior of flashing, we could have either user defined MAC and persistent randomized MAC in Heads from a new menu entry. |
@tlaurion You are saying that the checksum within the GBE blob is not checked? And it does not effect OS level drivers? Huh. I want to create a python script that is more flexible than bincfg that allows a command line parameter or template to set the MAC. If a patch file is generated for the gbe-82579LM config the MAC could be set on compilation with correct checksum. Although, if the checksum is not utilized, a small C program probably could do a binary replacement of the MAC in HEADS as it already has Flashrom. However, I am not a C developer and cannot write it quick/efficient/safe. |
@Thrilleratplay my idea was to bash script around busybox' hexedit from output flashrom -p --ifd -I gbe -r /tmp/GBE.ROM following this insight. I tried to manually hexedit only de:ad:c0:ff:ee at both offsets, and then flash /tmp/GBE.ROM back But then, bringing up Ethernet by loading e1000e results in: I haven't checked further then this. But checksum is confirmed to necessary at least on x230 from that little test. Commented PR and crosslinked here. |
@tlaurion |
@Thrilleratplay well i just modified de:ad:c0:ff:ee at both places with a valid one without changing the checksum here, so the error seems pretty valid to me. Of course, if the whole region is computed in the checksum (on both regions which are exactly the same match the real checksum of what is expected, the error is legit here. I just had hopes that as reported in the PR referred above, it wasn't checked. But it clearly is, following reporte error. I still think its possible to script something to extract the region, modify it and append checksum. Then duplicate as expected and reinject in GBE in backuo and flash back. But of course, a C program could do it as well. Just thought a quick hack could be made and confirmed it can't as easily as expected. Checksum is needed. |
The 12 MB x230 ROM image isn't flashable since it doesn't include the IFD and ME sections. This isn't normally a large problem for updates since
flashrom-x230
won't touch the ME region, but it does lead to problems for initial install.tlaurion hijacking top post here to give actual status in a glimpse.
Some efforts are still needed so the blob is downloaded directly from Lenovo, on which innoextract needs to be applied to remove the blob itself from local blob directory and do the required magic in a script having downloaded the blob from Lenovo website directly.Meanwhile the cleaned blob is present in tree with manual reproducibility instructions in xx30's blobs's directory README. Read the xx30 blobs README here for more details. Please show interest for being paid fixing this.Mitigations from dropping those binaries would be to:
So the result of the ongoing #703 PR is a PoC of that, which requires Heads to fake MAC address on boot to not have a MAC collision on the same LAN network segment if many Heads xx30 empowered machines are present.
Todo:
The text was updated successfully, but these errors were encountered: