Research support for libreboot/coreboot-based systems #1594
Comments
marmarek
added
T: enhancement
|
@isislovecruft any luck with your coreboot+Qubes set-up since Congress? |
|
I'm also not able to boot off a dvd to the installer, X200 with libreboot. |
|
Which model? (See dmidecode output from a livecd) What cpu microcode do you have? Do you have dmar error from livecd boot? It seems that dmar initialisation is incomplete from coreboot/libreboot. I From my experiments, there is some issues with xen and lenovo gm45/Penryn Putting iommu=0 on the xen boot line resolved the issues but that also Iommu=no-igfx permits xen to boot and system installation but will hang at I need help to troubleshoot the issues accordingly. See this thread: I have hope those devices can be supported.
|
|
I could recommend to flash libreboot after having installed qubes as a working workaround, if that is feasible to you. Keep in mind that vt-d is not supported at the moment from libreboot, and that vt-x depends of the microcode update version, as per my previous post. |
|
@mfc: There were several coreboot issues with raminit on a Thinkpad x220, which (so far) are seemingly unrelated to QubesOS. There are probably still quite a few issues with coreboot RAM initialisation on x220, given that the example issues which I hit included:
Despite the issues with raminit, VT-x and VT-d were supported, and (when the laptop did successfully initialise the RAM and successfully boot) the Xen hypervisor was exec'd successfully as well. So, theoretically, it does work (if you enjoy fully powercycling your machine ~30 times to get it to boot). |
|
X200 limitations:
As a result, one can presently install Qubes inside a fully encrypted disk. Boot from libreboot into a password protected GRUB that only permits to boot from that luks container through a passphrase that unlocks and boots the system where, unfortunately, real full device isolation is not possible. *vt-d1 (vt-d2 has interrupt remapping) on x200/t400 has issues with i915 driver and memory region corruption without libreboot being installed. Actual libreboot is the functional equivalent of putting iommu=0 on the xen boot line, putting device isolation off. Still, this is better then having normal OS operating. The question of choosing what threat vector could hit you is a hard one and seems to be based on one's personal beliefs: Intel ME/computrace administration injected malwares or vt-d1 device isolation vulnerabilites (not supporting interrupt remapping) A laptop permitting interrupt remapping (vt-d2) but not having ME is impossible to find. Purism 13 makes no exception (!NOT TRUE FOR SANDY/IVY BRIDGES EG LIBREM 13V1 OR X230 X220 ETC where ME is neutered+deactivated!). Until people create real alternatives enforcing IOMMU and virtualisation, it seems we will have to choose between old hardware without ME/Neutered ones (ivy/sandy bridges) with different levels of device isolation or recent hardware enforcing both (FSP blobs, ME blobs, MRC memory init blob, and other blobs included in coreboot configs for hardware to initialize) EDIT: The X200 and other models not having vt-d2 don't meet QubesOS 4 requirements |
|
Other than video glitches during bootup, my x230 (4 GB, i5-3320) is running Qubes 3.1 successfully and CoreBoot boots reliably. I had previously installed Qubes on the system, so I'm not sure if the install process works. |
|
hi @osresearch that's great! and thanks for your qubes-devel list emails giving further details. it's not clear to me if current coreboot git head is sufficient or if your patches are necessary as well? Could you draw up some basic documentation on how to get from vanilla x230 to there so that less skilled folks can test it out? |
|
My totally not-ready-for-prime-time tree is here: https://github.com/osresearch/heads If you run My TPM patches for coreboot are not yet stable. I'm poking at it in the romstage and need to figure out how it interacts with S3 resume. |
|
@osresearch: awesome work. |
|
This high level design for vIOMMU is an interesting thing to watch for Libreboot support (old machines not supporting vt-d interrupt remapping) https://www.mail-archive.com/[email protected]/msg78654.html I have not read it throughfully yet, but that made me wonder: "3.3 Interrupt remapping |
|
I am running x220 with me_cleaner and when I flashed seabios instead of grub2 payload into my coreboot, I am able to boot the 3.2 installer. Will try to install soon |
|
By the way, I submitted a patch ages ago to fix DMAR table in X200, so VT-d1 works on X200 with coreboot and no ME, see https://review.coreboot.org/#/c/16330/ ... also, there might be some way to fix the graphics corruption on IGD if someone considers pursuing my old patch that got abandoned: https://review.coreboot.org/#/c/17645/ |
|
For people interested: http://dodoid.net/qubreboot/ - An easy way to install Qubes OS on T400 Libreboot - |
|
On Tue, Mar 20, 2018 at 10:07:24AM -0700, Bastien ADAM wrote:
For people interested: http://dodoid.net/qubreboot/ - An easy way to install Qubes OS on T400 Libreboot -
I'm rather interested why you cannot use a seabios payload in libreboot
and then boot a usbstick with a qubes iso?
and then I find it utterly ironic that the site requires me to run
random javascript code for no reason., though i'm not sure the following
wget fails because of javascript or because of using tor or simple because
a server misconfiguration:
user@host:~$ wget http://dodoid.net/qubreboot/release/qubreboot-0.1.zip
--2018-03-20 18:15:42-- http://dodoid.net/qubreboot/release/qubreboot-0.1.zip
Resolving dodoid.net (dodoid.net)... 185.27.134.225
Connecting to dodoid.net (dodoid.net)|185.27.134.225|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-03-20 18:17:17 ERROR 403: Forbidden.
…--
cheers,
Holger
|
Firstly because latest version doesn't have seabios integrated probably because https://libreboot.org/faq.html#external-gpus The script runned on qubreboot's download seem to be SlowAES to get a cryptographic alternative to SSL (http://code.google.com/p/slowaes/) curl -A googlebot http://dodoid.net/qubreboot/release/qubreboot-0.1.zip > qubreboot-0.1.zip(with useragent to googlebot to avoid scripts and got direct download) Even if many part of qubreboot's project need to be improved, the script is quite short and quite easily understandable. It's a good (and easy) starting point I think Sorry for my brief answer, hope I'm understandable and hope I have understood |
Attention people. The same limitations applies. Qubes 3.2.x will let you install itself because it is less restrictive on IOMMU requirements. But you won't get real IOMMU memory/device isolation, which requires vt-d2 and interrupt remapping, not present on t400/x200 models only supporting vt-d1. If you want a laptop that supports the same kind of freedom while not being Intel and do not have Intel ME (even if the x230 only has BUP and ROMP) I would suggest to go for the Lenovo G505s AMD based laptop. If you are a developer and own a Lenovo G505s, please help Heads support it! |
|
Edited: #1594 (comment) Let's not forget that in that false "open source" idiom we live in denial in (coreboot is not free anymore with FSP, MRC memory init blob and other blobs in), we silently accept other blobs (even in Linux kernel now) without even questioning them anymore. CPU microcode updates blobs, EC blobs, disk firmware blobs, iKVM blobs, TPM firmware blobs, etc. This GitHub physical server probably has all of them excluding EC. Your secured mail server provider. Your VPN server... We are accepting that silently. We are consequently complicit. The kgpe-d16, the kcma-d8, the g505s are the last candidates without binary blobs, outside of the EC and microcode updates. And their support from coreboot is fading, with the risk of disappearing soon (amdfam15 will if nothing is done) since support for newer x86 is the main goal of coreboot. I understand, while disagreeing this false dichotomy. People didn't realise they needed it because they never understood they existed nor why they were important from their freer standpoint. Even open firmware researchers accept blobs, now. We have to choose to invest energies in x86 alternatives, which implement both IOMMU and virtualization, while not letting die what we currently have which are the most libre that will probably exist on the x86. Amdfam15 and Intel sandy/ivy bridge. That's it. More recent then that and you get a full blown Intel Me or equivalent that can only be gently asked to be deactivated, no more native ram training nor hardware init without binary blobs. That is the reality until we stop denying it and build/support something else. We should, as open source researchers, even more in the open firmware world, stop supporting newer Intel and AMD platforms until their blobs sources are publicly available without NDA. We should boycott them until they really open their things up. Decide to stop believing in them and their never respected promises. Now an open source onboard certification plan? A logo for open source platforms certification? Please. Open just means less and less. Else we are complicit in accepting things will just get more closed source. The Open Source firmware community is silently accepting this fact. There is something really wrong happening. There is an elephant in the room! Can we at least agree on the actual reality? So we restate the need of building from there a real trustable root of trust, this time on real, open source hardware? Or we really are waiting for everything to collapse, being complicit of it... |
According to user reports it doesn't work.
Related: #1131
The text was updated successfully, but these errors were encountered: