Skip to content

How to coreboot

Zaolin edited this page Aug 9, 2018 · 5 revisions

Prerequisites

Any Linux OS should work but starting with an Ubuntu 16.04/18.04 should be fine.

Install missing dependencies

sudo apt-get install -y bison build-essential curl flex git gnat-5 libncurses5-dev m4 zlib1g-dev libgmp-dev libcrypto-dev u-boot-tools golang

Required Tools

Linux Kernel Drivers

coreboot already integrates really well with the Linux Kernel. There are option for VPD/LOG and coreboot table.

You can activate them by menuconfig (Firmware Drivers -> Google Firmware Drivers):

coreboot

coreboot is an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems. As an Open Source project it provides auditability and maximum control over technology.

For more coreboot related information, please visit the coreboot documentation.

Build an image

Setup the coreboot toolchain
CPUS=8 make crossgcc
Clean previous artifacts
make clean
make distclean
Copy existing config
cp rotundu-release-8M.defconfig .config
Generate full .config or configure custom options
make menuconfig
Compile coreboot
make

The final image can be found for flashing a device under build/coreboot.rom .

VBoot

Google's verified boot technology offers failure safety, update functionality and secure/trusted boot features under coreboot.

Development keys

These keys are automatically generated by coreboot if vboot is enabled via kconfig.

Production keys

The vboot tools can be found under 3rdparty/vboot. Switch to the directory.

Compile the vboot tools
make
Install the vboot tools
DESTDIR=/usr sudo make install 

Switch back to the coreboot root directory.

Generate production keys if they not exist
3rdparty/vboot/scripts/keygeneration/create_new_keys.sh --4k --4k-root --output keys

Sign the final image regardless if DEV or RELEASE build

Fist of all build the coreboot image. The build version "1" is incrementally increased and should unique for firmware builds in order to be protected against rollback attacks.

3rdparty/vboot/scripts/image_signing/sign_firmware.sh build/coreboot.rom keys/ coreboot-rotundu-release-v1.signed.rom 1

Updates

Updates can simply applied by using the coreboot flashrom tool and applying this patch.

Update FW partition A
flashrom --fmap -i RW_SECTION_A -w coreboot.rom
Update FW partition B
flashrom --fmap -i RW_SECTION_B -w coreboot.rom

VPD

For coreboot firmware boot options are implemented through VPD. Now if we want to write some boot options from the OS in order to describe the boot setup. VPD does not support error correction or checksums! For more documentation about VPD, refer to their official guide.

Add RO VPD entries to file
vpd -f build/coreboot.rom -i RO_VPD -O -s "foo"='blah'

Set RW options inside the OS

Inside the running OS the RW VPD values can be easily written:

vpd -i "RW_VPD" -O -s "foo"='blah'
You can’t perform that action at this time.