You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Adam Joseph c0c6141971 coreboot: kgpe-d16: do not enable hw monitor until kernel boots
This commit adds a coreboot patch which causes kgpe-d16 to skip the
PNP enumeration/assignment process for the "hardware monitor"
(basically a temperature sensor and fan-speed controller) block on
the southbridge chip.

I have found this patch solves the last remaining boot reliability
problem I was having with my unattended kgpe-d16 machines.

The commit message for this patch is below:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The hardware monitor is one of the blocks within the w83667hg-a chip
(there are many others).  It is basically a bunch of ADCs (analog to
digital converters) hooked up to voltage, current, and temperature
sensors in various locations on the motherboard.

This block has the ability to generate several different interrupts
(SMI#, OVT#, etc) in response to thermal conditions.  It appears to
sometimes (about 10% of boot-ups, depending on temperature) spew
erroneous alarm interrupts the instant you enable it, when doing so
from within coreboot.  This causes the w83667hg-a chip and the
entire system to hang, and the watchdog cannot recover from this
state because it is part of the w83667hg-a chip too.

An even bigger problem is that the hardware monitor is initialized
*before* the fans are brought up to full speed.  So if the CPU is
above the critical temperature it will remain there because the fans
are in their default low-speed boot state.  The chip just keeps
getting hotter and hotter -- not enough to damage itself, but hot
enough that it won't come down to an acceptable temperature with
simple reboots and power-cycles; you have to leave the system off
for a while.  Since the fans aren't running while the system is off
this takes quite a while (several minutes).  It's a very fussy and
fidgety process, and not something you want to walk a remote-hands
guy at the datacenter through over the phone.

To avoid this whole mess, let's simply not assign PNP resources to
the hardware monitor from coreboot.  Linux doesn't need these
anyways; it communicates with the hardware using I2C.
2 years ago
COPYING Relicense: GPL-v2-or-v3 instead of GPL-v2-or-later 2 years ago
doc doc/platform/kgpe/notes.md: mention watchdogs 2 years ago
src coreboot: kgpe-d16: do not enable hw monitor until kernel boots 2 years ago
.gitignore init 2 years ago
.gitmodules init 2 years ago
README.md pin nixpkgs using a tarball rather than submodule 2 years ago

README.md

Roadmap

  • use <nixpkgs/lib/module.nix> to manage Kconfig-based .config files:
  • add support for a single image (no fallback) on 8mbyte flash, so people can try ownerboot without buying a new flash chip
  • done 2023-Apr-09 include scripts in the coreboot outpath to flash the images (normal/fallback) individually and manipulate the next-boot selector.
    • update the documentation to reference these scripts, which will make it considerably simpler
  • rk3399-gru-kevin: turn on software sync so the EC firmware can be kept inside the coreboot flash image
  • kgpe-d16: start the hardware watchdog in the bootblock to improve robustness of unattended reboots

ownerboot

Ownerboot is a set of nix expressions which use nixpkgs to build bootloader images for owner-controlled computers.

All the necessary components (coreboot, kernel, busybox-based initramfs with cryptsetup/lvm2) are stored entirely in the bootloader flash chip. This leaves no writable unencrypted media in the boot process when the flash chip's write protect pin is shorted.

Ownerboot extends coreboot with a new normal/fallback mechanism. The flash chip holds two complete copies of the bootloader; only a single page (the bootblock) is shared between them. Each image can be flashed and write-protected indepedently of the other. The fallback image can be selected by /dev/watchdog, nvramtool, or physical input (front-panel button on servers, stylus eject on laptops).

Because ownerboot is written in nix, it can ensure that these builds are deterministic. Ownerboot contains no binaries, and instantiates nixpkgs with config.allowNonSource=false; if you disable nix's binary substituter you are assured that all the software in your bootloader will be built from source on your local machine, all the way back to the compiler which compiles your compiler.

Building

Copypasta:

nix-build --option trusted-public-keys "" src -A kgpe.coreboot    # kgpe-d16 AMD opteron
nix-build --option trusted-public-keys "" src -A am1i.coreboot    # am1-i AMD kabini
nix-build --option trusted-public-keys "" src -A kevin.coreboot   # Samsung chromebook rk3399 arm64

Details: doc/build.md.

All that compiling and it just dumps me at a bash prompt?

Right now, yes.

On my own machines, I have a pile of big ugly bash scripts for /linuxrc (i.e. initramfs PID 1, which exec()s the long-lived PID 1). These are a complete mess and totally unsuitable for public release. I'm rewriting them in Rust and will publish the result of that work when it's ready.

Supported hardware

Current (all require a 16mbyte flash chip):

Planned:

Additional Tools

Ownerboot includes three nixpkgs-style packages:

I'm not sure either of these really belongs in nixpkgs, but they are useful to the same kinds of people who might be interested in ownerboot. So this is a good place for them.

Code Overview

See doc/architecture.md.

Acknowledgements

  • This project was originally inspired by the petitboot kexec-based bootloader, a derivative of which is shipped with Raptor Computing's POWER9 hardware.

  • The independent write protection of normal/fallback images was inspired by a similar scheme used by the Embedded Controller firmware in arm64 Chromebooks. More details.

  • The nix language is, by far, the most advanced solution available for auditable and reproducible builds of complex software. An incredible amount of software goes into an ownerboot image (almost none of which was written by me!); it's effectively a tiny Linux distribution, and as a bootloader it is at the pinnacle of security sensitivity. Nothing else besides nix gave me any confidence that I knew what was going into my bootloader.

  • nixpkgs was chosen because it is policy-free software: it doesn't force any policy decisions on its dependees. nixpkgs also has amazing support for cross-compilation; once you've used it you'll never want to deal with cross compilers any other way, ever again.

  • PrawnOS is a great resource for arm64 chromebook owners. If you have one, make sure to check out @SolidHal's guide on transplanting a blobless wifi chip into your laptop. It's easier than it looks.

License

Everything in this repository is licensed under the GNU General Public License, version 2 or version 3 (at your option).