### Roadmap - use `` to manage `Kconfig`-based `.config` files: - [x] [done 2023-Apr-16](https://git.sr.ht/~amjoseph/ownerboot/commit/88d20a5f63b03a2a548d6798b25de7a41420ad65) for coreboot - [ ] for kernel - [ ] add support for a single image (no fallback) on 8mbyte flash, so people can try ownerboot without buying a new flash chip - [x] [done 2023-Apr-09](https://git.sr.ht/~amjoseph/ownerboot/commit/b48635fa1d26da9532fbfe5e746b69aa82f632ef) include scripts in the coreboot outpath to flash the images (normal/fallback) individually and manipulate the next-boot selector. - [ ] update the documentation to reference these scripts, which will make it considerably simpler - [ ] rk3399-gru-kevin: turn on [software sync](https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md#preventing-the-rw-ec-firmware-from-being-overwritten-by-software-sync-at-boot) so the EC firmware can be kept inside the coreboot flash image - [ ] kgpe-d16: start the hardware watchdog in the bootblock to improve robustness of unattended reboots # `ownerboot` Ownerboot is a set of [nix](https://nixos.org/manual/nix/unstable/) expressions which use [nixpkgs](https://github.com/NixOS/nixpkgs/tree/master/pkgs) to build bootloader images for [owner-controlled](doc/owner-controlled.md) computers. All the necessary components ([coreboot](https://www.coreboot.org/), kernel, [busybox](https://busybox.net/)-based initramfs with cryptsetup/lvm2) are stored entirely in the bootloader flash chip. This leaves no *writable unencrypted media* in the boot process when the flash chip's write protect pin is shorted. Ownerboot extends coreboot with a new [`normal`/`fallback` mechanism](doc/fallback.md). The flash chip holds two complete copies of the bootloader; only a single page (the bootblock) is shared between them. Each image can be flashed and write-protected indepedently of the other. The `fallback` image can be selected by `/dev/watchdog`, `nvramtool`, or physical input (front-panel button on servers, stylus eject on laptops). Because ownerboot is written in [nix](https://nixos.org/manual/nix/unstable/), it can ensure that these builds are deterministic. Ownerboot contains no binaries, and instantiates nixpkgs with `config.allowNonSource=false`; if you disable nix's [binary substituter](https://nixos.org/manual/nix/unstable/command-ref/conf-file.html#conf-trusted-public-keys) you are assured that all the software in your bootloader will be built *from source* on your local machine, all the way back to the [compiler which compiles your compiler](https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/linux/make-bootstrap-tools.nix). ## Building Copypasta: ``` nix-build --option trusted-public-keys "" src -A kgpe.coreboot # kgpe-d16 AMD opteron nix-build --option trusted-public-keys "" src -A am1i.coreboot # am1-i AMD kabini nix-build --option trusted-public-keys "" src -A kevin.coreboot # Samsung chromebook rk3399 arm64 ``` Details: [doc/build.md](doc/build.md). ## All that compiling and it just dumps me at a bash prompt? Right now, yes. On my own machines, I have a pile of big ugly bash scripts for `/linuxrc` (i.e. initramfs PID 1, which `exec()`s the long-lived PID 1). These are a complete mess and totally unsuitable for public release. I'm rewriting them in Rust and will publish the result of that work when it's ready. ## Supported hardware Current (all require a 16mbyte flash chip): * [KGPE-D16 motherboards](https://www.coreboot.org/Board:asus/kgpe-d16) (amd64): target `kgpe` ([notes](doc/platform/kgpe/notes.md)) * [AM1-I motherboards](https://www.msi.com/Motherboard/AM1I/Specification) (amd64): target `am1i` ([notes](doc/platform/am1i/notes.md)) * [Samsung XE513c24](https://www.samsung.com/us/computing/chromebooks/12-14/xe513c24-k01us-xe513c24-k01us/) "[gru-kevin](https://github.com/torvalds/linux/blob/master/arch/arm64/boot/dts/rockchip/rk3399-gru-kevin.dts)" Chromebook Plus (arm64): target `kevin` ([notes](doc/platform/kevin/notes.md)) Planned: * [Cavium Octeon](https://en.wikichip.org/wiki/cavium/octeon) routers ([ER-4](https://openwrt.org/toh/ubiquiti/edgerouter_4), ER-6, and ER-12), likely using u-boot "falcon mode" * [Raptor Computing Talos2](https://www.raptorcs.com/) -- [Arctic Tern](https://www.raptorcs.com/content/AT1PC2/intro.html) *required* ## Additional Tools Ownerboot includes three nixpkgs-style packages: * `em100`: a nix expression for the [coreboot project's open-source driver](https://www.coreboot.org/EM100pro) for the em100 flash chip emulator. * `nvramtool`: a nix expression for the coreboot utility which manipulates the battery-backed (RTC) memory on x86 motherboards. * `flashrom-wp`: adds an out-of-tree patch to flashrom to configure which range of bytes are protected by the write-protect pin. Upstream [does not have this feature](https://github.com/flashrom/flashrom/issues/142#issuecomment-793548441). There [appears to be adding some work towards adding it](https://review.coreboot.org/q/topic:more_wp). Work on this [began in 2016](https://mail.coreboot.org/pipermail/flashrom/2016-July/014737.html). There is a [separate fork](https://chromium.googlesource.com/chromiumos/third_party/flashrom) maintained by Google for their chromebooks which implements this functionality on them; it is enabled by the `forChromebook` parameter. I'm not sure either of these really belongs in nixpkgs, but they are useful to the same kinds of people who might be interested in ownerboot. So this is a good place for them. ## Code Overview See [doc/architecture.md](doc/architecture.md). ## Acknowledgements * This project was originally inspired by the [petitboot](http://jk.ozlabs.org/projects/petitboot/) kexec-based bootloader, a [derivative of which](https://wiki.raptorcs.com/wiki/Petitboot) is shipped with Raptor Computing's POWER9 hardware. * The independent write protection of normal/fallback images was inspired by a [similar scheme](https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/write_protection.md) used by the Embedded Controller firmware in arm64 Chromebooks. [More details](https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/write_protection.md#ro-and-rw). * The nix language is, *by far*, the most advanced solution available for auditable and reproducible builds of complex software. An incredible amount of software goes into an ownerboot image (almost none of which was written by me!); it's effectively a tiny Linux distribution, and as a bootloader it is at the pinnacle of security sensitivity. Nothing else besides nix gave me any confidence that I knew what was going into my bootloader. * `nixpkgs` was chosen because it is *policy-free software*: it doesn't force any policy decisions on its dependees. `nixpkgs` also has amazing support for [cross-compilation](https://github.com/NixOS/nixpkgs/blob/master/doc/stdenv/cross-compilation.chapter.md); once you've used it you'll never want to deal with cross compilers any other way, ever again. * [PrawnOS](https://github.com/SolidHal/PrawnOS) is a great resource for arm64 chromebook owners. If you have one, make sure to check out [@SolidHal's guide](https://github.com/SolidHal/Samsung_Chromebook_plus_v1_wifi_from_webcam) on transplanting a blobless wifi chip into your laptop. It's easier than it looks. ## Related Links - [Google Working To Remove MINIX-Based ME From Intel Platforms](https://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html) - Hugo Landau's [interesting idea for implementing write-protect-until-next-power-off](https://www.devever.net/~hl/secureboot) using discrete components. ## License Everything in this repository is licensed under the GNU General Public License, version 2 or version 3 (at your option).