Libreboot – Frequently Asked Questions

What version of libreboot do I have?
See here.

Flashrom complains about DEVMEM access
If you are running flashrom -p internal for software-based flashing and you get an error related to /dev/mem access, reboot with the iomem=relaxed kernel parameter before running flashrom, or use a kernel that does not have CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM enabled.

Example flashrom output with both CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM enabled:
flashrom v. Linux 4. 1. 1. 9- 1- ARCH (x.
Calibrating delay loop.. OK.
Error accessing high tables, 0x. Operation not permitted.
Failed getting access to coreboot high tables.
Error accessing DMI Table, 0x. Operation not permitted.

We don’t know how to detect the correct PWM value to use in coreboot-libre, so we just use the default one in coreboot, which has this issue on some CCFL panels, but not LED panels. You can work around this in your distribution by following the notes at docs: backlight control.

The ethernet doesn’t work on my X2. T400/X60/T60 when I plug it in
This was observed on some systems using network-manager. This happens both on the original BIOS and in libreboot. It’s a quirk in the hardware.
On Debian systems, a workaround is to restart the networking service when you connect the ethernet cable:
$ sudo service network-manager restart
On Parabola, you can try:
$ sudo systemctl restart network-manager
(the service name might be different for you, depending on your configuration)

My KCMA-D8 or KGPE-D1. PIKE2008 module installed
Libreboot 2. SeaBIOS, PCI options ROMs are loaded when available, by default. This is not technically a problem, because an option ROM can be free or non-free. In practice, though, they are usually non-free. Loading the option ROM from the PIKE2. ASUS KCMA-D8 or KGPE-D1. It’s possible to use this in the payload (if you use a linux kernel payload, or petitboot), or to boot (with SeaGRUB and/or SeaBIOS) from regular SATA and then use it in GNU+Linux. The Linux kernel is capable of using the PIKE2. ROM. Libreboot-unstable (or git) now disables loading PCI option ROMs, but previous releases with SeaGRUB (2. 01. 60. 81. You can work around this by running the following command:
$ ./cbfstool yourrom.
You can find cbfstool in the _util archive with the libreboot release that you are using.

What systems are compatible with libreboot?
See here.

Will the Purism laptops be supported?
Short answer: no. There are severe privacy, security and freedom issues with these laptops, due to the Intel chipsets that they use. See: Most notably, these laptops also use the Intel FSP binary blob, for the entire hardware initialization. Coreboot does support a particular revision of one of their laptops, but most are either unsupported or rely on binary blobs for most of the hardware initialization. In particular, the Intel Management Engine is a severe threat to privacy and security, not to mention freedom, since it is a remote backdoor that provides Intel remote access to a computer where it is present. Intel themselves even admitted it, publicly. The Libreboot project recommends avoiding all hardware sold by Purism.
Why is the latest Intel hardware unsupported in libreboot?
It is unlikely that any post-2. Intel hardware will ever be supported in libreboot, due to severe security and freedom issues; so severe, that the libreboot project recommends avoiding all modern Intel hardware. If you have an Intel based system affected by the problems described below, then you should get rid of it as soon as possible. The main issues are as follows:

Intel Management Engine (ME)
Introduced in June 2. Intel’s 965 Express Chipset Family of (Graphics and) Memory Controller Hubs, or (G)MCHs, and the ICH8 I/O Controller Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip. In Q3 2009, the first generation of Intel Core i. Nehalem) CPUs and the 5 Series Chipset family of Platform Controller Hubs, or PCHs, brought a more tightly integrated ME (now at version 6. PCH chip, which itself replaced the ICH. Thus, the ME is present on all Intel desktop, mobile (laptop), and server systems since mid 2.

The ME consists of an ARC processor core (replaced with other processor cores in later generations of the ME), code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has network access with its own MAC address through an Intel Gigabit Ethernet Controller. Its boot program, stored on the internal ROM, loads a firmware “manifest” from the PC’s SPI flash chip. This manifest is signed with a strong cryptographic key, which differs between versions of the ME firmware. If the manifest isn’t signed by a specific Intel key, the boot ROM won’t load and execute the firmware and the ME processor core will be halted.
The ME firmware is compressed and consists of modules that are listed in the manifest along with secure cryptographic hashes of their contents. One module is the operating system kernel, which is based on a proprietary real-time operating system (RTOS) kernel called “ThreadX”. The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code. Another module is the Dynamic Application Loader (DAL), which consists of a Java virtual machine and set of preinstalled Java classes for cryptography, secure storage, etc. The DAL module can load and execute additional ME modules from the PC’s HDD or SSD. The ME firmware also includes a number of native application modules within its flash memory space, including Intel Active Management Technology (AMT), an implementation of a Trusted Platform Module (TPM), Intel Boot Guard, and audio and video DRM systems.

The Active Management Technology (AMT) application, part of the Intel “vPro” brand, is a Web server and application code that enables remote users to power on, power off, view information about, and otherwise manage the PC. It can be used remotely even while the PC is powered off (via Wake-on-Lan). Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT application itself has known vulnerabilities, which have been exploited to develop rootkits and keyloggers and covertly gain encrypted access to the management features of a PC. Remember that the ME has full access to the PC’s RAM. This means that an attacker exploiting any of these vulnerabilities may gain access to everything on the PC as it runs: all open files, all running applications, all keys pressed, and more.

Intel Boot Guard is an ME application introduced in Q2 2. ME firmware version 9. Generation Intel Core i. Haswell) CPUs.
It allows a PC OEM to generate an asymmetric cryptographic keypair, install the public key in the CPU, and prevent the CPU from executing boot firmware that isn’t signed with their private key. This means that coreboot and libreboot are impossible to port to such PCs, without the OEM’s private signing key. Note that systems assembled from separately purchased mainboard and CPU parts are unaffected, since the vendor of the mainboard (on which the boot firmware is stored) can’t possibly affect the public key stored on the CPU.

ME firmware versions 4. Intel 4 Series and later chipsets) include an ME application for audio and video DRM called “Protected Audio Video Path” (PAVP). The ME receives from the host operating system an encrypted media stream and encrypted key, decrypts the key, and sends the encrypted media and the decrypted key to the GPU, which then decrypts the media. PAVP is also used by another ME application to draw an authentication PIN pad directly onto the screen. In this usage, the PAVP application directly controls the graphics that appear on the PC’s screen in a way that the host OS cannot detect. ME firmware version 7. PCHs with 2nd Generation Intel Core i. Sandy Bridge) CPUs replaces PAVP with a similar DRM application called “Intel Insider”.