Age | Commit message (Collapse) | Author |
|
Hyperthreading is a risk factor for spectre/meltdown
and other attacks.
Disabling it is a best practise. Those who need it
can always turn this option back on. Otherwise, disabling
it by default is a simply courtesy to the average user,
in the interest of security.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
The Libreboot 20241206 release provided FSP pre-assembled
and inserted into the ROM images; the only file inserted
by vendor.sh was the Intel ME.
Direct distribution of an unmodified FSP image is permitted
by Intel, provided that the license notice is given among
other requirements. Due to how coreboot works, it must split
up the FSP into subcomponents, and adjust certain pointers
within the -M component (for raminit).
Such build-time modifications are perfectly fine in a coreboot
context, where it is expected that you are building from source.
The end result is simply what you use.
In a distribution such as Libreboot, where we provide pre-built
images, this becomes problematic. It's a technicality of the
license, and it seems that Intel themselves probably intended
for Libreboot to use the FSP this way anyway, since it is they
who seem to be the author of SplitFspBin.py, which is the
utility that coreboot uses for splitting up the FSP image.
Due to the technicality of the licensing, the FSP shall now
be scrubbed from releases, and re-inserted.
Coreboot was inserting the -S component with LZ4 compression,
which is bad news for ./mk inject beacuse the act of compression
is currently not reproducible. Therefore, coreboot has been
modified not to compress this section, and the inject command
doesn't compress it either. This means that the S file is using
about 180KB in flash, instead of about 140KB. This is totally OK.
The _fsp targets are retained, but set to release=n, because these
targets *still* don't scrub fsp.bin; if released, they would
include fsp files, so they've been set to release=n. These can
be used on older Libreboot release archives, for compatibility.
The new ROM images released for the affected machines are:
t480_vfsp_16mb
t480s_vfsp_16mb
dell3050micro_vfsp_16mb
Note the use of _vfsp instead of _fsp. These images are released,
unlike _fsp, and they lack fspm/fsps in the image. FSP S/M must
be inserted using ./mk inject.
This has been tested and confirmed to boot just fine.
The 20241206 images will be re-compiled and re-uploaded with this
and other recent changes, to make Libreboot 20241206 rev8.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This uses the excellent deguard utility, written by
the excellent Mate Kukri.
A few bugs but it mostly works. Documentation to come
shortly, in lbwww.git.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
The previous stability issues were resolved, thanks to
the previous revision which added a fix courtesy Simon Glass.
This reverts commit eba73c778a85d1c6ad2f0de57c82a8775cdd1c17.
|
|
It's really buggy on hardware. Disable for now.
I've contacted Simon Glass on IRC, asking about hardware.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
coreboot/dell7 is now part of coreboot/next, which in turn
has been updated, to accomodate 3050 micro patchset 18:
https://review.coreboot.org/c/coreboot/+/82053/18
It incorporates my Verb/VBT patches, which are therefore
no longer included separately.
Mate has fixed the USB config; see diff for details.
The configuration of USB ports was wrong, before.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
pin mod needed (soldering) but according to mate, you
can use some coffeelake CPUs on these machines, despite
them being intel 7th gen. this includes 8-core chips.
this patch enables the software configuration in coreboot.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Remove what is now unnecessary bloat, for ensuring that
GRUB is the primary payload; SeaGRUB is the only preference,
as per lbmk design.
The SeaBIOS hanging issue was fixed, so SeaGRUB is OK now.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Again, I'm adapting the config to be as close to the
coreboot one as possible. I compiled directly from coreboot
earlier, and got SeaBIOS to work on my 3050.
I'm matching the setup as closely as possible. Once it works,
I can use that in a Libreboot release but then debug why the
old config wasn't working.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I'm eliminating as many differences as possible between lbmk's
setup, and the setup that is default when simply building from
the gerrit patch, directly in coreboot, by just picking the
mainboard; in this way, coreboot picks SeaBIOS as payload. I
already changed the SeaBIOS configs, in the previous patch.
Upon testing, this seems to have fixed the SeaBIOS hanging. I
need to have both of these options selected, or SeaBIOS hangs
just after it says "Press ESC" for the boot menu.
With this config change, SeaBIOS does not hang; instead, it shows
the list of devices as normal, and boots your machine.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Specifically, use the same revision that Mate used in patchset 15.
This will ensure that any issues are *not* caused by the coreboot
revision; this is being done, because the old coreboot revision was
from July, but patchset 15 from Mate is based on a September revision
of coreboot.
I've been eliminating as many variables as possible, trying to fix
SeaBIOS payload on this machine, because it hangs in Libreboot, but
not when building from gerrit directly, which means the coreboot
revision may be a factor (since I'm using his patches on an older
revision so upstream might have made some changes since then that
the port relies on).
For this, a new coreboot tree is used, called "dell7", referring to
the fact that Kabylake is Intel's 7th generation.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Use patchset 15 instead of 14:
config/coreboot/default/patches/0061-WIP-OptiPlex-3050-Micro-port.patch
Rebase the verb patch; patchset 15 modified the Makefile:
config/coreboot/default/patches/0064-dell-optiplex_3050-add-hda_verb.c.patch
We were using patchset 14 for the 3050 micro:
https://review.coreboot.org/c/coreboot/+/82053/14
Now we use patchset 15:
https://review.coreboot.org/c/coreboot/+/82053/15
Without this patch, the fans are always on a low setting, on
the Dell OptiPlex 3050 Micro, even under stress conditions. With
this patch, the fans change speed according to CPU temperature.
I had to rebase my verb patch, because Mate modified the Makefile
to add his sch5555 handler, on the same line where I add hda_verb.
Mate tells me he will merge my verb and vbt patches into a further
patchset later on. For now, I've simply rebased these patches on
top of Mate's newer work; I've told him he can use them in his port.
I'm probably going to now issue a new revision ROM image for
Libreboot 20241008, so that users can get this fix sooner.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
on 3050micro, we disable seabios as a primary payload,
making grub a pribary payload instead.
the way it worked, the roms were still named seagrub
and the seabios rom would be compiled, but with the wrong
path, so seabios wouldn't be executed; seabios would hang
anyway, on this board.
instead, engineer it in such a way as to disable seabios_
images on this board. also, rename seagrub_ to grub_.
i normally only permit seagrub, and not grub, but i make an
exception for 3050micro because we know grub works, but seabios
currently hangs on this board (which means no bsd).
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
SeaBIOS is known to hang on this board. It is being investigated.
Add two variable options for target.cfg files:
* seabiosname
* grubname
This string defines where it would be located in CBFS.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
otherwise it takes ages to boot
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
SeaBIOS hangs without this. Thanks go to Mate Kukri who
suggested this workaround.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This is using Mate Kukri's port, which was added in
previous lbmk revisions. I've added an IFD that sets
the HAP bit, and unlocks regions as standard.
vcfg is set to 3050micro, which defines downloading
of the MEv11 image and it will run deguard automatically.
I made a small adjustment to vendor.sh, because the hotpatch
logic for deguard uses -C in git, and when doing that, the
specified directory path is relative to that Git repository;
the .patch path has been adjusted accordingly.
Also add 3rdparty/fsp to coreboot/default modules.
This board requires the ifdtool option: -p sklkbl
The -p option tells flashrom what quirks are present in a
given IFD. We don't normally need this on other Libreboot
targets that we currently support. The -p option was needed
for creating this modified IFD, and it is therefore needed in
the inject script. Therefore, an "IFD_platform" option is
specified in a given board's target.cfg file. If this is set,
another variable is set that makes -p be used.
In this case, 3050's target.cfg says:
IFD_platform="sklkbl"
This option enables quirks for skylake/kabylake descriptors,
as required when using ifdtool.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|