Adam Joseph 0f15fd86a8 kgpe/linux.config: remove sb700 watchdog-related settings
The KGPE-D16 southbridge contains a watchdog; the kernel module for
this watchdog is sp5100_tco.

Unfortunately this watchdog keeps its counter in the main system CPU
RAM.  This means that the IOMMU will block the watchdog's attempts
to read and write its own counter (through the SMBus, which is PCI
device 0000:00:14.0), resulting in massive amounts of dmesg spam
like this:

```
pci 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0004 address=0xfdf9103300 flags=0x0030]
piix4_smbus 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0004 address=0xfdf9103300 flags=0x0030]
```

Setting the IOMMU to allow these accesses is a headache, and
pointless anyways: the KGPE-D16 board disallows the use of the
watchdog by the CPU; it is reserved for the exclusive use of the
BMC.  Attempting to enable the watchdog does nothing; the enable bit
will not turn on.  Recent kernels check for this situation and
report when it is detected:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7781b067522aa269213e8025c80cbed1868d349

Fortunately there is *another* watchdog on the motherboard, inside
the `W83667HG-A` SuperIO chip, and it is supported by
`w83627hf_wdt.ko`.  Subsequent commits to ownerboot will use *that*
watchdog instead.

Dump of my collection of possibly-related links:

- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266325
- https://forums.freebsd.org/threads/ivhd-errors-after-upgrade-host-to-13-1.85234/
- https://lists.linuxfoundation.org/pipermail/iommu/2015-October/014523.html
- https://lkml.org/lkml/2014/4/22/562
- https://bugzilla.kernel.org/show_bug.cgi?id=170741
- https://marc.info/?l=linuxbios&m=152035277020470&w=2
2 years ago
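
To confirm which device is behind log spam like the lines quoted in the commit message above, the events can be grouped by PCI address rather than by log prefix. This is an added example, not part of the ownerboot repository; the sample log mixes the two lines from the commit message with constructed lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line format taken from the two AMD-Vi lines quoted in the commit message.
EVENT_RE = re.compile(
    r"(?P<prefix>\S+) (?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]): "
    r"AMD-Vi: Event logged \[(?P<event>\w+) domain=(?P<domain>0x[0-9a-f]+) "
    r"address=(?P<address>0x[0-9a-f]+) flags=(?P<flags>0x[0-9a-f]+)\]"
)

# First two lines are from the commit message; the rest are constructed.
SAMPLE_DMESG = """\
        pci 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0004 address=0xfdf9103300 flags=0x0030]
piix4_smbus 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0004 address=0xfdf9103300 flags=0x0030]
[   42.000001] piix4_smbus 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0004 address=0xfdf9103300 flags=0x0030]
[   42.000002] sd 0:0:0:0: [sda] Attached SCSI disk
[   43.000000] ahci 0000:00:11.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0007 address=0xdeadb000 flags=0x0010]
""".splitlines()


def parse_events(lines):
    """Yield one dict per AMD-Vi event line; unrelated lines are skipped."""
    for line in lines:
        match = EVENT_RE.search(line)
        if match:
            yield match.groupdict()


def faults_by_device(lines):
    """Group IO_PAGE_FAULT events by PCI address (BDF), not by log prefix.

    In the quoted lines the same device appears as "pci" and as
    "piix4_smbus", so grouping on the prefix would split one source in two.
    """
    report = defaultdict(lambda: {"count": 0, "prefixes": set(), "addresses": set()})
    for event in parse_events(lines):
        if event["event"] != "IO_PAGE_FAULT":
            continue
        entry = report[event["bdf"]]
        entry["count"] += 1
        entry["prefixes"].add(event["prefix"])
        entry["addresses"].add(int(event["address"], 16))
    return dict(report)


if __name__ == "__main__":
    for bdf, entry in sorted(faults_by_device(SAMPLE_DMESG).items()):
        addresses = ", ".join(hex(a) for a in sorted(entry["addresses"]))
        print(f"{bdf}: {entry['count']} faults, logged as "
              f"{sorted(entry['prefixes'])}, addresses {addresses}")
```
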
doc doc/owner-controlled.md: mention debian and gnuk 2 years ago
nixpkgs@db791e8291 update nixpkgs to 21.11 2 years ago
src kgpe/linux.config: remove sb700 watchdog-related settings 2 years ago
.gitignore init 2 years ago
.gitmodules init 2 years ago
COPYING init 2 years ago
README.md README.md: update roadmap 2 years ago

README.md

Roadmap

ownerboot

Ownerboot is a set of nix expressions which use nixpkgs to build bootloader images for owner-controlled computers.

All the necessary components (coreboot, kernel, busybox-based initramfs with cryptsetup/lvm2) are stored entirely in the bootloader flash chip. This leaves no writable unencrypted media in the boot process when the flash chip's write protect pin is shorted.

Ownerboot extends coreboot with a new normal/fallback mechanism. The flash chip holds two complete copies of the bootloader; only a single page (the bootblock) is shared between them. Each image can be flashed and write-protected independently of the other. The fallback image can be selected by /dev/watchdog, nvramtool, or physical input (front-panel button on servers, stylus eject on laptops).

Because ownerboot is written in nix, it can ensure that these builds are deterministic. Ownerboot contains no binaries, and instantiates nixpkgs with config.allowNonSource=false; if you disable nix's binary substituter you are assured that all the software in your bootloader will be built from source on your local machine, all the way back to the compiler which compiles your compiler.

Building

Copypasta:

```
git submodule init
git submodule update --depth 1 nixpkgs
export NIX_PATH=$(pwd)
nix build --option trusted-public-keys "" -L -f src kgpe.coreboot    # kgpe-d16 AMD opteron
nix build --option trusted-public-keys "" -L -f src am1i.coreboot    # am1-i AMD kabini
nix build --option trusted-public-keys "" -L -f src kevin.coreboot   # Samsung chromebook rk3399 arm64
```

Details: doc/build.md.

All that compiling and it just dumps me at a bash prompt?

Right now, yes.

On my own machines, I have a pile of big ugly bash scripts for /linuxrc (i.e. initramfs PID 1, which exec()s the long-lived PID 1). These are a complete mess and totally unsuitable for public release. I'm rewriting them in Rust and will publish the result of that work when it's ready.

Supported hardware

Current (all require a 16mbyte flash chip):

Planned:

Additional Tools

Ownerboot includes three nixpkgs-style packages:

I'm not sure either of these really belongs in nixpkgs, but they are useful to the same kinds of people who might be interested in ownerboot. So this is a good place for them.

Code Overview

See doc/architecture.md.

Acknowledgements

  • This project was originally inspired by the petitboot kexec-based bootloader, a derivative of which is shipped with Raptor Computing's POWER9 hardware.

  • The independent write protection of normal/fallback images was inspired by a similar scheme used by the Embedded Controller firmware in arm64 Chromebooks. More details.

  • The nix language is, by far, the most advanced solution available for auditable and reproducible builds of complex software. An incredible amount of software goes into an ownerboot image (almost none of which was written by me!); it's effectively a tiny Linux distribution, and as a bootloader it is at the pinnacle of security sensitivity. Nothing else besides nix gave me any confidence that I knew what was going into my bootloader.

  • nixpkgs was chosen because it is policy-free software: it doesn't force any policy decisions on its dependees. nixpkgs also has amazing support for cross-compilation; once you've used it you'll never want to deal with cross compilers any other way, ever again.

  • PrawnOS is a great resource for arm64 chromebook owners. If you have one, make sure to check out @SolidHal's guide on transplanting a blobless wifi chip into your laptop. It's easier than it looks.

License

Everything in this repository is licensed under the GNU General Public License, version 2 or later (at your option).