Heads port to Lenovo G505s #453
Affirmative, and contact info for a few other owners. What's up?

@awokd : some of the owners are developers and would be willing to port Heads to them? Would you tag those owners or invite them here? I've ported Heads to KGPE-D16, would gladly port Heads to the G505s if I had access to one. Couple of questions. Have nice and cheap providers to buy from to suggest?

If TPM isn't required and there's no serious C level coding involved, I can give it a try. Might need some hand-holding, though. Do you have a step-by-step of how you ported Heads to that KGPE-D16? G505s ought to be pretty similar. If no TPM doesn't quash the idea, I'll drop a line to others and point them here to see if there's any developer availability.

TPM is not a show stopper, while better.
Librem/Nitrokey Pro v2 keys can validate the integrity of the firmware in a
similar way externally.
Check the porting guide on heads-wiki project from osresearch's github.
Can give you a hand but won't be able to debug. Working Linux and coreboot
configurations are required. You can copy the kgpe-d16 board config as a
start.
…On Thu, Sep 27, 2018, 15:01 awokd, ***@***.***> wrote:
- No TPM, is that OK for Heads?
- A10-5750M 4 core CPU with built in GPU, some models have an
additional external GPU
- Not aware of any formal providers, can only find in used market
If TPM isn't required and there's no serious C level coding involved, I
can give it a try. Might need some hand-holding, though. Do you have a
step-by-step of how you ported Heads to that KGPE-D16? G505s ought to be
pretty similar. If no TPM doesn't quash the idea, I'll drop a line to
others and point them here to see if there's any developer availability.
I am getting an error about strict aliasing. The same
@awokd : Coreboot 4.8.1 hasn't been merged into Heads yet...
@awokd: coreboot 4.8.1 is merged.
Thank you, I will try it again when I get a few!
I used to have this laptop and co-authored the coreboot port for it. Unfortunately I no longer have the hardware and it's quite rare around here even on the second hand market :(
Damien Zammit wrote on 12/27/18 4:02 AM:
I used to have this laptop and co-authored the coreboot port for it. Unfortunately I no longer have the hardware and it's quite rare around here even on the second hand market :(
Nice, thanks for stopping by! My "lab" is in storage at the moment, but
I should be able to get back to work on this in a month or so.
Attempted the compile again, but although it worked in Coreboot, in Heads it failed with the same error as above:
I think it might be due to Coreboot respecting
while Heads might not. How can I persuade Heads to include that
I was able to get past the warning above by running
Should I wait and try again once coreboot 4.9 is merged?

@awokd : what is the building distro?

and merged this?

Thank you, #445 (comment) fixed it. I should have seen that! It's getting through the compile now and only failing because

4MB flash is really limited. Heads, without a TPM/LibremKey can't perform firmware measurements. GPG is required to sign /boot files. But that would require more space to have LibremKey support and GPG2 config. Are all G505S found with 4MB flash? I doubt anything is really possible in such limited space. You could get rid of dropbear: Since you do not have a TPM, you could get rid of:
and add: Then try to merge this PR to use the LibremKey as a TPM replacement, but that again would probably use more than available space. You would otherwise get Heads without firmware measurements and integrity attestation. :/

Well, getting rid of those and not adding LibremKey still only got it down to 4603489 bytes. :( Yes, I think they are all 4MB only. I could maybe put Heads'

Thinking some more, there are only three models of this laptop varying only by GPU options. I'm going to try to strip down the Linux config to the bare minimum needed to support just this laptop. "[F]irmware measurements and integrity attestation" are more important to me than networking support on boot, for example.

Trimming the Linux config shaved off ~400KB, but I'm still close to 1MB short. I'm afraid we'll need to shelve this idea. :(

@awokd : would be nice if you posted your used board config and any other files you changed for the record :)

@awokd Hi there 😉 What is your current Linux config? I think it could be trimmed even more, and there might be some Linux kernel fork for space-constrained environments. Also, what compression are you using - LZMA? By the way, it might be possible to update G505S BIOS chip from 4MB to 8MB or even 16MB, but that's pretty hard to do without special equipment (our friend damaged a copper track on his G505S while trying to do that) and even if you'll succeed, the other people with 4MB chips wouldn't be able to get involved in your project until these space issues are resolved. So you should try your best to solve this.

Here are my preliminary config files. I used the kgpe-d16 ones as a template and removed These are: Hi @mikebdp2 ! If there's something I'm overlooking in the Linux config, please let me know. Not much fat in there as far as I can tell. I am using whatever compression Heads defaults to. I remember your email on Coreboot's mailing list saying the newer version of LZMA had better results, but it would have to be a lot better to go from 4MB to 3MB. I see in the reference above there might be graphics files somewhere that could be trimmed?

Your recent email reminds me, would it be compatible with Heads' threat model to chainload from Corebooted flash to a burnt DVD with the kernel? I think most of these had DVD drives. There is also an SD card reader on USB 2.0; I think those can be write-protected.

Interesting idea for SDcard chainloading. That would require some additional kernel modules integration (look for SDHCI). I still think the first step should be #590

@awokd sorry for a really late reply! I wonder - why is this TPM stuff taking so much space? Maybe cut out some not-essential functions? Also, upgrading LZMA to a newer version is unlikely to give 1MB, so you'll need to look at the alternative compression like paq8px and implement it to coreboot. A decompressor would also need to be small enough. Overall: this is possible, but could significantly prolong a boot time - i.e. an extra one minute. These alternative (de)compressors could be quite strong and aren't widely used only because of a turtle decompression speed - but with sizes like 4MB it hopefully won't be as noticeable.

Heads relies on TPM (measured boot) and GPG2 for signed /boot digest (from USB Security dongle), verified against public key inserted in ROM, which is also measured by TPM. As replied in other tickets you opened, without a TPM or any other root of trust for firmware measurements in romstage (in cache, prior to ramstage) there would be no root of trust, as other binaries could be tampered with and there would not be any way of knowing. The heavy parts under heads are the GPG toolset (take a look at modules/* and dependencies of gpg2). Take a look at #590 :)

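The measurement chain the comment above describes, as an added example that is not part of the thread and not Heads' own code: a simplified Python model of TPM 1.2 PCR extension, showing why a changed stage or a swapped public key in ROM alters the final PCR value and blocks release of a sealed secret. The stage names and byte strings are constructed placeholders, and the single-PCR layout is an assumption made for illustration.

```python
import hashlib

PCR_RESET = b"\x00" * 20  # TPM 1.2 PCRs start as 20 zero bytes


def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM 1.2 extend: new = SHA1(old || digest), digest = SHA1(blob)
    computed by the measuring software before it calls the TPM."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()


def measure_chain(stages):
    """Fold every (name, blob) stage into one PCR value, in boot order."""
    pcr = PCR_RESET
    for _name, blob in stages:
        pcr = extend(pcr, blob)
    return pcr


# Constructed stand-ins for the firmware pieces; not real Heads images.
GOOD_ROM = [
    ("bootblock", b"bootblock-v1"),
    ("romstage", b"romstage-v1"),
    ("ramstage", b"ramstage-v1"),
    ("payload+pubkey", b"linux+initrd|owner-pubkey"),
]


def tampered(stages, name, new_blob):
    """Return a copy of the chain with one stage's contents replaced."""
    return [(n, new_blob if n == name else b) for n, b in stages]


def unseal_ok(expected_pcr, stages):
    """Model of a TPM-sealed secret: released only if the PCR matches."""
    return measure_chain(stages) == expected_pcr


if __name__ == "__main__":
    golden = measure_chain(GOOD_ROM)
    swapped = tampered(GOOD_ROM, "payload+pubkey", b"linux+initrd|other-pubkey")
    print("clean ROM unseals:  ", unseal_ok(golden, GOOD_ROM))
    print("swapped key unseals:", unseal_ok(golden, swapped))
    # Order matters too: the same blobs measured in another order differ.
    print("reordered unseals:  ", unseal_ok(golden, GOOD_ROM[::-1]))
```

The model only holds if the first measurement is taken by code that cannot itself be replaced, which is the root-of-trust requirement the comment raises for boards without a TPM.
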
Someone has this laptop? @awokd?