Re: [Libreboot-dev] C201 Chromebook (veyron_speedy) port and Chromium OS
From: Paul Kocialkowski
Subject: Re: [Libreboot-dev] C201 Chromebook (veyron_speedy) port and Chromium OS security model
Date: Sat, 31 Oct 2015 12:37:29 +0100
On Monday 12 October 2015 at 01:55 +0100, Gammel Holte wrote:
> Excellent! I'm really glad there's a port for the C201.
Glad to see such enthusiasm about it!
> Libreboot aside, how far is it from being completely blob-less? It's
> only about finalising the (stalled) Lima driver for Mali?
Well, the current state of free software on the device is described at:
http://libreboot.org/docs/hcl/c201.html
>
> On Sat, Oct 10, 2015 at 10:55 PM, Paul Kocialkowski <address@hidden>
> wrote:
> Since I've been asked countless times for a status update on the
> Chromebook C201 port to Libreboot, here is a summary of what is going
> on and what is planned for the future.
>
> First off, the code to rebuild coreboot, depthcharge and vboot
> in libreboot is ready. This includes the scripts to download,
> patch, build and prepare each of those, in the right order.
> The process produces a RO image of coreboot that can be
> flashed to the first MiB of the SPI flash (the image won't try
> to jump to any of the coreboot stages that are stored on the
> RW part of the SPI flash, thus, it is completely standalone).
> This comes with an image containing a string of the libreboot
> version (to be stored on a dedicated fmap partition on the SPI
> flash). Most importantly, a script to ease the replacement of
> those images in a full SPI flash image is provided, along with
> a description of the partitions.
>
> While the code is ready, installation instructions are still
> at a draft stage. Even though they have already been tested
> successfully on a brand new device, some parts still need some
> more attention. Suggestions about it are welcome (replying to
> this thread is just fine for this purpose).
>
> The libreboot repo[0] with those changes is available at my
> personal git repository. Expect it to be rebased from time to
> time!
>
> When installation instructions are done, it will be time to
> merge those changes with the main libreboot repository, start
> building release images for the C201 (codename veyron_speedy)
> and update the documentation on the libreboot website!
>
> However, there is still a lot more left to accomplish after
> that milestone. The current state of the code only replaces
> part of the SPI flash. In the long run, it would be nice to
> rebuild and replace each and every part of software that lives
> on the SPI flash. As described in an earlier email to the
> list, there are many things in there, thus a lot of work
> ahead.
>
> The first challenge will be to replace the RW stages of
> coreboot. Those are signed with a private key and their
> signatures are checked before being executed. If we want to
> release full images that can be installed as-is (or nearly),
> those will have to be signed with some keys. Those can either
> be test keys that are publicly available, which voids the
> whole security model, or keys that are kept secret by the
> libreboot project, which implies that users trust the project
> and have a way to verify that images signed that way do in
> fact originate from libreboot. Of course, we want to encourage
> users to generate and use their own keys instead, which offers
> the best security guarantees (provided they keep the private
> keys, well, private)! Writing up documentation for this will
> also be greatly needed.
>
> Another important step will be to rebuild and release the
> embedded controller firmware. It is not strictly related to
> libreboot, since it lives outside of the main processor.
> Still, it's good to have it integrated with the libreboot
> build process since it is all free software as well. This will
> also make it easier to modify and rebuild it, as early
> investigation shows that it is not trivial to rebuild at all.
> The embedded controller firmware and its hash are also stored
> on the SPI flash, so we need to release them too in order to
> release a full flash image. This is part of a process called
> EC software sync, that updates the RW firmware part of the EC
> internal memory with the firmware stored on the SPI flash when
> the hashes of the two firmwares mismatch. The EC also has a RO
> firmware that should be considered fail-safe. Of course,
> libreboot will also release a rebuilt free firmware for the RO
> EC firmware.
>
> With all that achieved, it'll only be a few bits and pieces to
> include to produce a full image that can replace the whole SPI
> flash chip!
>
> Stay tuned for more information on the port!
>
>
> --
> Paul Kocialkowski, Replicant developer
> Replicant is a fully free Android distribution running on several
> devices, a free software mobile operating system putting the emphasis
> on freedom and privacy/security.
> Website: https://www.replicant.us/
> Blog: https://blog.replicant.us/
> Wiki/tracker/forums: https://redmine.replicant.us/
>
>
signature.asc
Description: This is a digitally signed message part
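
The EC software sync step described in the quoted message, modelled as an added sketch; it is not part of the original post and is not vboot, depthcharge or libreboot code. SHA-256, the class and function names, the result strings, the sample images and the extra self-consistency check before writing are assumptions made for illustration.

```python
"""Toy model of EC software sync (added example, names are hypothetical)."""
import hashlib
from dataclasses import dataclass


def digest(image: bytes) -> bytes:
    # SHA-256 is an assumption; the message only says "hash".
    return hashlib.sha256(image).digest()


@dataclass
class SpiFlash:
    ec_rw_image: bytes  # copy of the EC RW firmware stored on the SPI flash
    ec_rw_hash: bytes   # hash of that firmware, stored next to it


@dataclass
class EmbeddedController:
    ro_image: bytes     # fail-safe RO firmware, never written by the sync
    rw_image: bytes     # RW firmware held in the EC's internal memory

    def rw_hash(self) -> bytes:
        return digest(self.rw_image)


def ec_software_sync(spi: SpiFlash, ec: EmbeddedController) -> str:
    """Return 'in-sync', 'updated' or 'stay-in-ro' (hypothetical labels)."""
    if ec.rw_hash() == spi.ec_rw_hash:
        return "in-sync"  # hashes match: nothing is written
    # Hashes mismatch, so the EC RW part is to be updated from the SPI flash.
    # Added check (assumption): never write a copy that fails its own hash,
    # so a corrupted SPI region cannot overwrite a working EC RW firmware.
    if digest(spi.ec_rw_image) != spi.ec_rw_hash:
        return "stay-in-ro"
    ec.rw_image = spi.ec_rw_image
    # Read back and compare again, falling back to RO if the write failed.
    return "updated" if ec.rw_hash() == spi.ec_rw_hash else "stay-in-ro"


def demo() -> list:
    # Constructed sample images, not real firmware.
    good = SpiFlash(b"EC-RW v2", digest(b"EC-RW v2"))
    corrupt = SpiFlash(b"EC-RW vX", digest(b"EC-RW v2"))
    ec = EmbeddedController(ro_image=b"EC-RO", rw_image=b"EC-RW v1")
    return [ec_software_sync(corrupt, ec),  # refused, EC keeps v1
            ec_software_sync(good, ec),     # mismatch, EC RW updated
            ec_software_sync(good, ec)]     # second boot, already in sync


if __name__ == "__main__":
    print(demo())
```
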