aka a l l o f t h e m
On Intel Sandybridge, IvyBridge and Haswell platforms,
the flash is divided into these partitions:
* Intel Flash Descriptor (IFD)
* Intel Management Engine (ME)
* Intel Gigabit Ethernet NVM (GbE)
* Platform Data
* BIOS
IFD contains many configuration details of the entire
machine, but for our purpose, you might compare this
to the MBR or GPT section (partition table) on an HDD
or SSD. It does, among other things, define these regions.
Intel Management Engine is a coprocessor that handles,
among other things, certain power management and OOB
execution for things like Intel AMT, providing remote
management features; it also implements a soft TPM on
some platforms, and (on later platforms) Intel Boot Guard.
GbE contains configuration data for the onboard ethernet
chipset, if it's an Intel chipset. It also stores the
MAC address.
Platform Data is essentially just text, where you can
store any number of things. Vendors will sometimes put
information here e.g. version information for firmware.
The BIOS region contains actual boot firmware, for
example Canoeboot.
The Intel ME is a binary blob, so it cannot be included
in Canoeboot. On *Libreboot*, we handle this where needed,
by automatically downloading it from a vendor, and
processing it with the me_cleaner utility which disables
the ME after early bringup; only the ROMP and BUP modules
remain. These are essentially an analog of coreboot, as
they initialise the Intel ME. The Intel ME's own bootrom
executes the ME firmware stored in system flash, from
the ME region.
The *Canoeboot* setup differs greatly from Libreboot, in
that the Intel ME is not handled at all, on these platforms.
It is possible to still disable early ME bringup, by setting
the HAP (ME AltDisable) bit in the IFD; coreboot also has
an option called ME Soft Temporary Disable, and we use this
by default.
With use of either HAP and/or Temporary Disable, a full ME
region, with nothing removed (no me_cleaner) is functionally
identical, as this means only the ROMP and BUP modules will
run, and other modules are disabled.
Libreboot handles Intel ME by generating a *full* image,
including Intel ME, downloading the ME firmware at build
time; Libreboot's way of doing it violates GNU FSDG, and
thus could not be used in Canoeboot.
Canoeboot *does not* handle the Intel ME, but it doesn't
need to. We simply provide images where the Intel ME region
in the ROM is all zeroes. If you then flash the ME region
with that, it will result in a brick; however, you can avoid
flashing the ME region.
The flashprog software (also flashrom which we no longer
use) can be made to flash only specific parts of the flash,
by using either the --ifd option, or by using a layout file.
To generate a layout file, do this on a Canoeboot ROM:
./ifdtool -f layout.txt canoeboot.rom
You can then do e.g.:
./flashprog -l layout.txt -i fd canoeboot.rom
./flashprog -l layout.txt -i gbe canoeboot.rom
./flashprog -l layout.txt -i bios canoeboot.rom
In these examples, fd means IFD, gbe means GbE and
bios means BIOS, so you flash these regions. If you
wanted to flash Intel ME, you could use -i me, but
Canoeboot users migrating from factory firmware or
Libreboot can simply leave the ME region alone.
For all of these machines being added, the BIOS region
is entirely free software; even microcode updates are
excluded. The machines run just fine without microcode
updates, after extensive testing.
The IFD and GBE are not software; they are just config,
and their data format is fully documented by public
Intel datasheets. Canoeboot provides the nvmutil software
for changing GBE MAC addresses, and also ifdtool from
coreboot which can be used to modify IFD if you wish.
The general rule of thumb is this:
* If flashing Canoeboot from factory firmware, please
flash both the IFD and BIOS regions; you may also
modify the GBE region if you wish
* If flashing Canoeboot from Libreboot firmware, please
note that Libreboot *shrinks* the ME, and uses a different
IFD layout; some Dell mainboards also use 16KB GbE in
the Canoeboot setup, mirroring what the vendor did, where
Libreboot corrected this to 8KB:
* Therefore, if flashing Canoeboot from Libreboot, please
flash ONLY the GbE and BIOS regions; do not flash the IFD
region.
Libreboot's way of doing it is superior, because you don't
need to care what's in the original flash, since Intel ME
and other vendor files are automatically downloaded at
build time and inserted into images, or inserted after
the fact by use of a special script on release images.
Canoeboot's method has risks, because for example you might
ignore this entire commit message or the documentation that
I'm going to write covering these facts, and you would then
possibly overwrite the ME region with zeroes, or something
else stupid. If you did do that, you could always just build
Libreboot or something, and use that, but obviously We in
the Canoeboot project do not recommend this, as it would
be extremely unGNU.
Signed-off-by: Leah Rowe <leah@libreboot.org>
while cherry picking other recent lbmk changes, i
skipped the coreboot updates, because the lbmk ones
were done in mayn commits. it's more efficient just
to do it all in bulk, when adapting for canoeboot.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Thanks go to Nicholas Chin and Lorenzo Aloe for working on
and testing this code. Based on the 780 MT port.
Signed-off-by: Leah Rowe <leah@libreboot.org>
cbmk 9429287 is the present canoeboot revision, on this day,
two commits after canoeboot 20231107
the cbmk revision was based on lbmk c4d90087, but lbmk
has developed a lot since, right up to f5b04fa5. lbmk
c4d90087 was four commits after libreboot 20231106
this patch brings cbmk up to date, versus lbmk f5b04fa5,
which is 135 commits after libreboot 20231106 (not 4)
therefore, the next canoeboot release shall import lbmk
changes made *after* lbmk revision f5b04fa5. good day!
In English (the above is for my reference, next time
I make a new canoeboot release):
This imports all of the numerous improvements from
Libreboot, sans the non-FSDG-compliant changes. You
can find a full list of such changes in the audit4 page:
https://libreboot.org/news/audit4.html
A full canoeboot-ised changelog will be available in
the next canoeboot release, with these and subsequent
changes. Most notable here is the update to the new
GRUB 2.12 release (instead of 2.12-rc1), and the
improvements Riku made to pico-serprog. And the build
system improvements from lbmk, such as improved, more
generic cmake and autoconf handling.
Canoeboot-specific changes: I also tweaked the deblob
logic, to make it less error-prone. The new design
changes imported into cbmk (based on latest lbmk) somewhat
broke the deblob logic; it was constantly reminding the
user that blobs.list was missing for coreboot,
at config/coreboot/blobs.list - coreboot is a multi-tree
project in both cbmk and lbmk, and the deblob logic was
tuned for single/multi, but was treating coreboot as both.
for simplicity, i removed the check for whether blobs.list
is present. this means that the operator must ensure that
these files are present, in any given revision, where they
are required on a given set of projects (and the files are
all present, in this update to cbmk)
Also of note: the grub.cfg improvements are included in this
cbmk update. The improved grub.cfg can find grub/syslinux
configs by default, not just grub anymore, also finds extlinux,
and will also find them on EFI System Partition - in addition,
UEFI-based install media is also more robust; although cbmk
doesn't provide UEFI configurations on x86, our GRUB palyoad
does still need to work with distro install media, and many
of them now use UEFI-based GRUB configurations in their
installation media, which just happen to work with our GRUB
Signed-off-by: Leah Rowe <leah@libreboot.org>
Leah Rowe