GRUB2 payload #1

Open
savchenko opened this issue Jan 12, 2020 · 2 comments
Comments

@savchenko

Thank you for publishing this. Do you think it would be possible to build Coreboot for 8770w with the GRUB2 payload (alternatively, SeaBios → GRUB2) and use the latter as the replacement for UEFI Secure Boot?

General idea:

  1. Coreboot is written to the flash with a locked descriptor to prevent future software flashing. Alternatively, the Winbond spec sheet is studied for a way to de-solder one of the legs to achieve the same result.
  2. Seabios behaves as the "root of trust", as it can't be easily manipulated by software.
  3. Seabios loads GRUB2, which prompts the user for a password to unlock the LUKS-encrypted /dev/whatever.
  4. Once /boot is decrypted, the Linux distribution continues to load normally. Only caveat: the user will need to enter the FDE password a second time.

I have a similar setup on the "librebooted" x200, the only difference being that Seabios is not required.

@SpookySkeletons
Owner

I could very well ship a locked descriptor, but the issue here is that you can't perform any subsequent flashes of the read-only segments internally, so updates become an issue. The Linux kernel already prevents internal write access unless iomem=relaxed is on your kernel cmdline.

Could very well do seabios versions. A little annoyed that Tianocore can't load secondaries. I believe I saw somewhere that you can build Tianocore with a seabios CSM, which would be ideal for my purposes.

I'd need a grub config file to boot from, if you have one handy, or I could borrow libreboot's config file. I am not sure if the grub payload will work with this laptop, but I have an external flashing hole drilled so I can test.

@savchenko
Author

I could very well ship a locked descriptor but the issue here is that you can't perform any subsequent flashes of the read only segments internally so updates become an issue.

Well, "no software flashes possible" is kind of the point of this exercise... However, on second thought, the user is likely to configure grub.conf / etc. and then re-flash once satisfied with the result.

Could very well do seabios versions.

Would be grand. Happy to assist with testing if needs be.

I'd need a grub config file to boot from if you have one handy or I could borrow libreboot's config file.

Here is what I use as the default entry:

set prefix=(memdisk)/boot/grub

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci

# Serial and keyboard configuration, very important.
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial
terminal_input --append at_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

# Default to first option, automatically boot after 3 seconds
set default="0"
set timeout=3

set pager=1
keymap usqwerty

color_normal=light-gray/black
menu_color_normal=light-gray/dark-gray
menu_color_highlight=white/dark-gray

set superusers="MY_USER"
password_pbkdf2 MY_USER grub.pbkdf2.sha512.90000.LONG_HASH

menuentry 'Normal' {
	cryptomount -u MY_DRIVE_UUID
	set root='lvm/ssd-rootvol'
	linux /vmlinuz root=/dev/mapper/ssd-rootvol cryptdevice=/dev/mapper/ssd-rootvol:root
	initrd /initrd.img
}

# If things went terribly wrong...
menuentry 'Backup' {
	set root='(cbfsdisk)'
	configfile /grubtest.cfg
}

grubtest.cfg from the above is the default config from the Libreboot repository: https://github.com/hankbao/libreboot/blob/107cdec81a45e087cea555dbd50f304fad1b27cc/projects/grub/install/corebootfb/grub.cfg
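As an added example (not from this issue, the payload repository or Libreboot): a Python helper that generates and verifies the grub.pbkdf2.sha512 strings placed after the user name on the password_pbkdf2 line above, plus a small lint over a grub.cfg that checks the superusers lock-down this thread relies on. The hash format and defaults follow grub-mkpasswd-pbkdf2; the audit function, its finding texts and the sample inputs in the test are my own construction.

```python
from __future__ import annotations
import hashlib
import re
import secrets

# GRUB stores menu passwords as grub.pbkdf2.sha512.<iterations>.<SALT>.<HASH>
# with both hex fields upper-case; grub-mkpasswd-pbkdf2 uses a 64-byte salt
# and a 64-byte derived key, which the defaults below reproduce.

def make_grub_pbkdf2(password: str, iterations: int = 90000, salt: bytes | None = None) -> str:
    """Produce the string that goes after the user name in a password_pbkdf2 line."""
    salt = secrets.token_bytes(64) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"

def verify_grub_pbkdf2(password: str, entry: str) -> bool:
    """Recompute the key from the entry's own salt and iteration count; constant-time compare."""
    parts = entry.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"] or not parts[3].isdigit():
        return False
    try:
        salt, want = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    if not want:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(parts[3]), dklen=len(want))
    return secrets.compare_digest(dk, want)

HASH_RE = re.compile(r"grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+")

def audit_grub_cfg(cfg: str) -> list[str]:
    """Lint the superuser lock-down (constructed checks): every superuser needs a
    well-formed hash, and any --unrestricted menuentry boots without asking for it."""
    findings = []
    m = re.search(r"""^\s*set\s+superusers=(?:"([^"]*)"|'([^']*)'|(\S+))""", cfg, re.M)
    if not m:
        return ["no 'set superusers' line: menu entries and the GRUB shell are unprotected"]
    users = set(re.split(r"[ ,]+", (m.group(1) or m.group(2) or m.group(3)).strip()))
    hashed = dict(re.findall(r"^\s*password_pbkdf2\s+(\S+)\s+(\S+)", cfg, re.M))
    for user in sorted(users - hashed.keys()):
        findings.append(f"superuser {user} has no password_pbkdf2 line")
    for user, entry in hashed.items():
        if not HASH_RE.fullmatch(entry):
            findings.append(f"hash for {user} is not a valid grub.pbkdf2.sha512 string")
    for sq, dq, opts in re.findall(r"""^\s*menuentry\s+(?:'([^']*)'|"([^"]*)")([^{]*)\{""", cfg, re.M):
        if "--unrestricted" in opts.split():
            findings.append(f"menuentry '{sq or dq}' is --unrestricted: bootable without a password")
    return findings
```

Run against the config above as posted, the lint flags the MY_USER placeholder hash as malformed, which is the expected result until a real grub-mkpasswd-pbkdf2 output is substituted.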
