Coreboot end users guide?


#1

Can you make a “coreboot for dummies”? Got the info screen (escape), but how do you do things like password protect boot? Disable hyperthreading? Or even update coreboot?


#2

I’m also interested in such a guide especially for updating coreboot.

I try to follow the building coreboot from source thread but I would say I’m far away from understanding it or all the details, pre-requirements or issues with specific librem machines, processors or e.g. I also saw some problems with an NVMe disk (and I have one in my librem15v3 as well).

Summed up, I’m way too uncertain to give it a try. I’m too afraid that something will go wrong and I end up with a machine which does not work anymore.

Is there any news related to this?

I think it might make sense to update the initial post or prepare some kind of wiki post which describes the current situation (this is possible in some other wikis based on the same framework; simply updating the initial post might work as well, or use the GitLab wiki or whatever). Nobody who is just starting to plan a coreboot update will read >300 posts to be sure of understanding all the details and risks.

And my last point: @kakaroto Is there any way to send you a donation for your work?


#3

@pixel: “coreboot just works as it works”, there is no password protection, there is no BIOS menu and there are no options to enable/disable stuff. Coreboot finishes booting within 350ms, it doesn’t even initialize the graphics, and it certainly leaves no time for you to press a key and it doesn’t have any user menu.
What coreboot does, however, is run SeaBIOS (the “info screen (escape)” you were talking about), and SeaBIOS’ task is simple: show boot media and boot into the one you select. To do that, it will run the vgabios, initializing your graphics, in order to show you the boot menu, wait 2 seconds for you to press ESC, then boot the media by default or whatever choice you made. That’s it, there is nothing more to it than that.
If you want to disable hyperthreading, you can do it directly from within Linux (like most other ‘options’ that you would have expected in the BIOS), see this link for example.
If you look at any modern computer’s proprietary BIOS, you’ll also notice that the only options you have are: set date/time, set boot device. You wouldn’t have any of the other options like disable hyperthreading in the BIOS anymore because it can all be done from Linux directly (as well as overclocking and all that).

@Smojo: I can’t edit the first post unfortunately, I need to poke someone to do it for me I guess… The build script is very n00b-friendly and pretty much fool-proof. It’s been used for well over a year now by all sorts of people, some who had never even heard of what a “script” or a “terminal” is, and so far I’m glad to report that there hasn’t been a single brick or problem with it. The script itself will not even suggest to you to flash the BIOS with the updated coreboot unless everything is verified 100% to have been done correctly and the hash must match the hash that I have built here which is a known working image.
fwupd work has started, but it’s still a long way off I assume.
The issues that you described are actually bugs in coreboot that updates have been fixing. The NVMe issue was a problem that prevented someone from booting into his NVMe drive (it didn’t appear in the SeaBIOS boot menu) and that was a problem with that very specific model of NVMe (one that was bought separately by the user, one which hadn’t been tested by us as being supported), and we bought the same drive and found and fixed the bug rather quickly and allowed the user to start using his Librem (if he had bought an NVMe with his order, he wouldn’t have had the issue, but he wanted to save money and buy a cheaper NVMe separately).

Finally, about the donation, you’re not the first to ask, and I appreciate it, thank you, but I’m already getting paid by Purism for this work, so I don’t think it would be appropriate for me to accept donations.
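
The gate described in the post above (no flashing is suggested unless the built image's hash matches a known-good one), sketched as an added example that is not part of the original post and is not Purism's build script. The function names are hypothetical, and the printed `flashrom` command is only an illustrative assumption about the flashing step.

```shell
#!/bin/sh
# Added example: gate a firmware flash on a known-good SHA-256.
# Not the Purism build script; function names are hypothetical.

# verify_image IMAGE EXPECTED_SHA256
# Returns 0 only when IMAGE is readable and its SHA-256 equals the reference.
# Returns 1 on mismatch, 2 on a malformed reference hash, 3 on an unreadable image.
verify_image() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 64 hex digits, so an empty or
    # truncated reference value can never "match".
    case $expected in
        ''|*[!0-9a-f]*) echo "bad reference hash" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad reference hash" >&2; return 2; }

    if [ ! -f "$image" ] || [ ! -r "$image" ]; then
        echo "cannot read $image" >&2
        return 3
    fi

    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch: got $actual" >&2
    return 1
}

# offer_flash IMAGE EXPECTED_SHA256
# Prints a flash command for the user to run, and only after verification.
# It never flashes anything itself. The flashrom line is an assumption.
offer_flash() {
    if verify_image "$1" "$2"; then
        echo "verified: flashrom -p internal -w $1"
    else
        echo "refusing to suggest flashing $1"
        return 1
    fi
}
```

The reference hash has to come from a source you trust independently of the image itself, otherwise the comparison proves nothing.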


#4

So to update coreboot, rebuild and reflash? Can this be done from Qubes, or do you have to make a USB boot for it?

No password check for booting from other devices? I know that won’t stop a determined attacker, but it could stop a casual evil maid or time-sensitive opportunistic attack. Do we need to use Heads or AEM for this?