Librem Coreboot · Experimental
Active · Public

Recent Activity

Fri, Sep 6

audidiablo renamed T820: Please make it a priority to add support for UEFI booting for install from "For the love of GOD please make it a priority to add support for UEFI booting for install" to "Please make it a priority to add support for UEFI booting for install".
Fri, Sep 6, 7:29 PM · Restricted Project, Librem Coreboot, Librem BIOS, Restricted Project
audidiablo added a comment to T820: Please make it a priority to add support for UEFI booting for install.

https://nabeards.com/posts/pureos-install/

Fri, Sep 6, 4:47 PM · Restricted Project, Librem Coreboot, Librem BIOS, Restricted Project
audidiablo added a comment to T820: Please make it a priority to add support for UEFI booting for install.

Understandable and I don't intend to be rude or disrespectful. I have read other posts where this particular request appears to be parked repeatedly. I'm at a desperation point and only intend to imply the desperation and not to offend anyone or hurt anyone's feelings.

Fri, Sep 6, 4:16 PM · Restricted Project, Librem Coreboot, Librem BIOS, Restricted Project
EchedeyLR added a comment to T820: Please make it a priority to add support for UEFI booting for install.

I don't think this is the way to request support. Please be kind and read other issues related to your problem first.

Fri, Sep 6, 2:12 AM · Restricted Project, Librem Coreboot, Librem BIOS, Restricted Project

Thu, Sep 5

audidiablo created T820: Please make it a priority to add support for UEFI booting for install.
Thu, Sep 5, 12:26 AM · Restricted Project, Librem Coreboot, Librem BIOS, Restricted Project

Apr 17 2019

dylanger added a watcher for Librem Coreboot: dylanger.
Apr 17 2019, 12:31 PM
dylanger added a comment to T315: Enable vboot.

I'm not sure what vboot is, but if we're talking about Intel Boot Guard, it's my understanding that requires physically blowing fuses within the CPU, that then only allows signed UEFI to actually boot/run.

Apr 17 2019, 12:29 PM · Librem Coreboot

Mar 11 2019

bubblethink added a comment to T315: Enable vboot.

Earlier systems implemented it as a screw or switch on the mainboard. The current solution is an onboard controller (CR50, IIRC) dedicated to debugging and owner control.

Mar 11 2019, 12:30 PM · Librem Coreboot

Sep 30 2018

icon added a comment to T315: Enable vboot.

Oh, and btw, how do you intend to detect tampering anyway? Please don't tell me you need a Librem Key. Purism tries to sell the laptops as secure and not secure-with-additional-hardware, right? Or is the Key now part of the laptop shipment? If not, what is your security goal for a humble user without a Librem Key?

Sep 30 2018, 12:31 PM · Librem Coreboot
icon added a comment to T315: Enable vboot.

You seem to be trapped in the thinking that signature verification is bad and measuring is good. Please don't see it like that. They both complement each other very well.

Sep 30 2018, 12:26 PM · Librem Coreboot

Sep 27 2018

kyle.rankin added a comment to T315: Enable vboot.

We do not need or want it. Specifically the problem with systems like vboot (and why we went with Heads instead) is that we do not want to require that the BIOS pass a signature check against a key that we control. We want the user to be able to flash with a custom BIOS if they so choose, even if we haven't blessed it with our signature.

Sep 27 2018, 10:11 PM · Librem Coreboot
kakaroto assigned T315: Enable vboot to kyle.rankin.

Kyle, can you evaluate vboot in terms of security, do we need it, do we want it and all that.. so we can decide if we want to add it or not

Sep 27 2018, 9:32 PM · Librem Coreboot

Jul 16 2018

kakaroto closed T510: Coreboot build script fails on Librem 13v1 device as "Resolved".

I fixed it by using the old commit hash for the previous microcode. I didn't want to update the microcode since that would mean changing the version (so, changing the config, adding a new tag, rebuilding all, changing coreboot final hashes, changelog, etc..) and I'd like to do it later when I update the FSP for the skylake ones as well, but that one needs testing first and I wanted this fix to be out asap.

Jul 16 2018, 7:08 PM · Librem Coreboot
kakaroto added a comment to T510: Coreboot build script fails on Librem 13v1 device.

Humm.. I thought that repo was meant to contain an archive of all microcodes, I didn't realize he deleted old ones when new ones are out.
I'll update the link and use the commit hash, I prefer that to having the script break constantly.

Jul 16 2018, 7:00 PM · Librem Coreboot

Jul 15 2018

mladen edited the description of T510: Coreboot build script fails on Librem 13v1 device.
Jul 15 2018, 8:49 PM · Librem Coreboot
MrChromebox added a comment to T510: Coreboot build script fails on Librem 13v1 device.

actually, you'd want to change the link to use the latest commit hash, not master, otherwise the script will break again next time the microcode is updated. So instead use:
https://github.com/platomav/CPUMicrocodes/tree/956244154c87316e4e6162f02b17cf3547597b1a/Intel/cpu306D4_platC0_ver0000002B_2018-03-22_PRD_0B0DD00D.bin

Jul 15 2018, 8:15 PM · Librem Coreboot
mladen edited the description of T510: Coreboot build script fails on Librem 13v1 device.
Jul 15 2018, 8:08 PM · Librem Coreboot
mladen created T510: Coreboot build script fails on Librem 13v1 device.
Jul 15 2018, 8:04 PM · Librem Coreboot

Jun 1 2018

francois added a comment to T164: Verify NVMe issues with L13v1 port.

I confirm I haven't been able to reproduce the bug after weeks of usage.

Jun 1 2018, 6:57 PM · Librem Coreboot
kakaroto triaged T177: Test/Implement fwupd support as "Normal" priority.
Jun 1 2018, 6:52 PM · Librem Coreboot
kakaroto triaged T463: Build coreboot as part of purism-librem-coreboot-updater debian package as "High" priority.
Jun 1 2018, 6:51 PM · Librem Coreboot
kakaroto assigned T177: Test/Implement fwupd support to vivia.nikolaidou.
Jun 1 2018, 6:51 PM · Librem Coreboot
kakaroto created T463: Build coreboot as part of purism-librem-coreboot-updater debian package.
Jun 1 2018, 6:50 PM · Librem Coreboot
kakaroto closed T166: Port Coreboot to L15v2 as "Resolved".
Jun 1 2018, 6:46 PM · Librem Coreboot
kakaroto closed T164: Verify NVMe issues with L13v1 port as "Resolved".

I think the issue was found and resolved and tests by Francois haven't been able to reproduce the problem, so I'll consider this done.

Jun 1 2018, 6:46 PM · Librem Coreboot
kakaroto closed T313: Update/test/release 4.7 as "Resolved".
Jun 1 2018, 6:45 PM · Librem Coreboot

Feb 25 2018

kakaroto added a comment to T312: Enable Intel SGX or not.

From customer email:

Intel SGX is a technology that provides protection of predefined secrets even in a case of system compromise by creating SGX enclaves. I currently need to run several projects that make use of SGX on the librem and that's why I need it enabled.
Feb 25 2018, 2:11 AM · Librem Coreboot

Feb 23 2018

kakaroto closed T314: Enable vboot as "Invalid".
Feb 23 2018, 4:53 PM · Librem Coreboot
kakaroto added a comment to T313: Update/test/release 4.7.

It's done for l13v2 and l15v3, need to add the iommu patches for broadwell in the branch and test it for l13 v1 as well.

Feb 23 2018, 4:52 PM · Librem Coreboot
kakaroto moved T313: Update/test/release 4.7 from L13v2 to L13v1 on the Librem Coreboot board.
Feb 23 2018, 4:52 PM · Librem Coreboot
kakaroto closed T179: Test/Enable VT-d support as "Resolved".
Feb 23 2018, 4:51 PM · Librem Coreboot
kakaroto added a comment to T179: Test/Enable VT-d support.

Yep, and we will very gladly do so! Thanks for the reminder!

Feb 23 2018, 4:51 PM · Librem Coreboot
mladen added a comment to T179: Test/Enable VT-d support.

Can we close this one?

Feb 23 2018, 11:55 AM · Librem Coreboot

Feb 7 2018

kakaroto added a comment to T315: Enable vboot.

<avph> KaKaRoTo: does purism have any plans on using vboot btw?
<KaKaRoTo> avph, I'm not familiar with it, so I never looked into it. I was asked that same question last week and I opened this task for it : https://tracker.pureos.net/T315
<KaKaRoTo> it's mostly about "what is it? what is it for? do we need it? can we enable it ? etc..."
<KaKaRoTo> avph, so if you're familiar with vboot and want to give us some pointers on that, I'd appreciate it
<nico_h> mostly for a secure update mechanism
<nico_h> so not every malware can write to the flash chip
<avph> well it won't run the malware mostly :)
<nico_h> um, scratch the latter
<KaKaRoTo> nico_h, how does it achieve it? needs a portion of the flash to be read-only, no ? does it use an IFD region for that ?
<KaKaRoTo> does it require a TPM or is it a way to get verified boot without TPM ?
<nico_h> Google uses the write-protection feature and /WP pin of the flash chips
<nico_h> I'm not sure if it requires a TPM (I think only for downgrade protections or something)
<avph> KaKaRoTo: no read only is (or can be) achieved with southbridge registers. TPM is to prevent updates rollback but the secure boot and safe updates are still there
<KaKaRoTo> /WP pin of the flash chip will protect the entire chip, not just a portion of it
<nico_h> no, /WP pin to protected part of the flash chip
<nico_h> usually, /WP only protects the block protection setup of the chip not the whole chip
<nico_h> but... that depends on the chip
<nico_h> KaKaRoTo: the general idea is: 1. have one part RO during runtime (can be achieved with early programming of PCH registers, as avph pointed out). 2. the RO part only runs other (updated) parts if a signature verification worked out
<KaKaRoTo> ok
<KaKaRoTo> I assume the early programming of PCH registers is done by vboot itself already
<avph> not sure but certainly saw stuff like that
<KaKaRoTo> I have this in my TO-READ list, so I'll explore that more later : https://www.coreboot.org/git-docs/Intel/vboot.html
<nico_h> unlikely, as it's mostly only used on chromebooks with the /WP thing

Feb 7 2018, 4:37 PM · Librem Coreboot

Feb 5 2018

kakaroto added a comment to T177: Test/Implement fwupd support.

You won't taint it because this task/project is about writing a bash script, there's no proprietary bits in the bash script itself. Unless it's about the FSF requirement and the fact that the script itself will manipulate a binary file? Somehow I'm not sure that's a valid reason, considering that the librem-coreboot-updater script is already in PureOS and this task is about porting that script to the fwupd system.
Either way, whether it's tagged PureOS or not, a PureOS developer is still probably the best person for the task here.

Feb 5 2018, 8:18 PM · Librem Coreboot
kyle.rankin removed a project from T177: Test/Implement fwupd support: Restricted Project.

After discussion, removing the PureOS tags as we don't want to risk tainting PureOS with the remaining proprietary software in our coreboot firmware. This project will remain on the coreboot side.

Feb 5 2018, 8:14 PM · Librem Coreboot
kyle.rankin added a project to T177: Test/Implement fwupd support: Restricted Project.

Given most of the work for this is not coreboot work, but PureOS work integrating an existing firmware image (which we'd treat as a binary blob) with fwupd, I don't know that this is really a coreboot project as much as a PureOS project.

Feb 5 2018, 6:41 PM · Librem Coreboot

Jan 29 2018

kakaroto created T315: Enable vboot.
Jan 29 2018, 8:25 PM · Librem Coreboot
kakaroto created T314: Enable vboot.
Jan 29 2018, 8:25 PM · Librem Coreboot
kakaroto added a comment to T312: Enable Intel SGX or not.

Oh yeah, here's the changes needed to enable SGX (over commit id 65d2754e1aaa4e90059b65fac3c00d847e2e465f) :

Jan 29 2018, 8:21 PM · Librem Coreboot
kakaroto created T313: Update/test/release 4.7.
Jan 29 2018, 8:18 PM · Librem Coreboot
kakaroto created T312: Enable Intel SGX or not.
Jan 29 2018, 8:17 PM · Librem Coreboot
kakaroto closed T176: cleanup coreboot patches and upstream them as "Resolved".
Jan 29 2018, 7:18 PM · Librem Coreboot
kakaroto triaged T179: Test/Enable VT-d support as "High" priority.
Jan 29 2018, 7:17 PM · Librem Coreboot

Dec 1 2017

kakaroto added a comment to T189: Figure out gpio stuff from Hannah.

Considered fixed.

Dec 1 2017, 9:08 PM · Librem Coreboot
kakaroto closed T189: Figure out gpio stuff from Hannah as "Resolved".
Dec 1 2017, 9:08 PM · Librem Coreboot

Oct 30 2017

kakaroto edited the description of T179: Test/Enable VT-d support.
Oct 30 2017, 8:43 PM · Librem Coreboot

Oct 22 2017

blendergeek added a watcher for Librem Coreboot: blendergeek.
Oct 22 2017, 7:49 PM

Oct 16 2017

kakaroto added a comment to T176: cleanup coreboot patches and upstream them.

Patches have been cleaned up and pushed to gerrit.

Oct 16 2017, 6:10 PM · Librem Coreboot
kakaroto closed T182: Create variant for librem 15v3 as "Resolved".
Oct 16 2017, 5:09 PM · Librem Coreboot