libreboot
/
lbwww
1
0
Fork 0
Code Packages Projects Releases Activity

put even more stuff on the todo page 

i'm about 30% finished

Signed-off-by: Leah Rowe <leah@libreboot.org>
master
Leah Rowe 2023-12-26 11:34:14 +00:00
parent 11ca7793ee
commit 1682d2731d
1 changed files with 206 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

206
site/tasks/index.md
View File

@ -11,6 +11,27 @@ Many of these entries will pertain to *lbmk*, which is Libreboot's build
system, but some entries may relate to documentation, or organisational
changes.
S3 on ivy/sandy/haswell
=======================
Ivybridge, sandybridge and haswell thinkpads have broken S3 suspend/resume,
at least in coreboot 4.22 - we are affected in lbmk, where we use a revision
that is quite close to 4.22, but we mitigate it by turning off the TSEG stage
cache.
It's possible that upstream may have properly fixed it already. In our case,
disabling TSEG stage cache makes S3 work again, on these machines - but GM45
and i945 are still broken (see below).
Of interest, this patch was merged *after* the current revision used
in Libreboot, at least on 26 December 2023:
<https://review.coreboot.org/c/coreboot/+/78850>
Updating coreboot revisions is par for the course in Libreboot. This should
be tested again, but with TSEG Stage Cache re-enabled, to verify whether S3
is still broken on these machines (ditto GM45 and i945).
S3 on GM45 and i945
===================
@ -147,6 +168,31 @@ Boards
not much different code-wise to the D16 mainboard, so differences
in coreboot `4.11_branch` could be adapted to provide a Dasharo port.
ThinkPad T430s and T431s
-------------------------
These are interesting; the T431s in particular has soldered RAM, so we'd need
to take care of SPDs (not done automatically yet, in coreboot). The schematics
will show GPIO straps that could be used to glean which SPD data is correct,
if we wanted to scan it automatically at boot time (we'd have to include SPD
data for all known modules, it might be possible to extract it from vendor
updates, otherwise we'd have to dump it from multiple variants of the same
machine).
Both are supported by coreboot.
840 G2 (possible 820 G2)
-------------------------
These notes are based on a chat on Libreboot IRC.
The TPM is Infineon SLB9660 and does TPM 1.2. We could maybe upgrade
firmware to that of SLB9665. It would no longer work with the HP BIOS but
maybe coreboot could be used, and then we could have
newer TPM version - SLB9665 firmware can meet TPM 2.0 specification.
(we do not yet use the TPM in any meaningful way on Libreboot machines)
Blobless boards
-----------
@ -647,6 +693,51 @@ GRUB 2.06 package. See:
These could be re-based for GRUB 2.12, which is what Libreboot uses.
Already merged
--------------
GRUB 2.12 has these patches already, so we don't need to do anything. The
above pertains to GRUB 2.06, but they were upstreamed for 2.12. That being
said, we do have some users who like 2.06 for some reason!
Document how to use
-------------------
John lane's site even has instructions for how to use detached LUKS headers
in GRUB.
Maybe we could do something for it in automation too. When scanning for
grub.cfg files, at the stage where cryptomount -a is executed, we could
also check for LUKS header files and handle them if found. Yes, we could make
the default Libreboot setup work out of the box, with detached LUKS headers.
We already have this functionality, as described above, but we need to
configure it. Read John Lane's site for more information, and the upstream
GRUB documentation will also cover it.
lbmk-c: clustered builds
========================
I had an idea on IRC when we were talking about how to optimise the build
speed in Libreboot. Most of the time is spent simply compiling the ROM images,
and this will become especially true when we support hundreds of boards; almost
none of the time, by percentage, will be spent on payloads and cross compilers
anymore.
So my idea was: what if we had a cluster setup where multiple machines have
their own clone of lbmk, but they all stay in sync, re-using the same builds,
for example the same crossgcc builds, but each dividing up tasks between each
other.
For example, if you have 100 boards and 10 machines, those 10 machines in
the cluster would build 10 rom sets each. They would tell each other when
they're all done, and then at the end, there would be a process where they're
all copied.
This could probably be done using an NFS share, for things like the bin/
directory on the release/ directory. We really will need something like this
in the future, because Libreboot's goal is to support literally every coreboot
board, providing automated configurations for all of them.
Use crossgcc for SeaBIOS and GRUB
=================================
@ -1108,6 +1199,24 @@ Cross compilation is the first step to reproducibility, because then we only
have to worry about the toolchain, which is easier to control. We can start
focusing specifically on reproducibility once all of that has been done.
Tarballs
--------
We already have partial reproducibility, though we currently use the `-T0`
option in xz, whereas `-T1` is more appropriate; forcing it to run on 1 core
will ensure that the file is always compressed in the same way.
See: <https://reproducible-builds.org/docs/archives/>
We already pretty much are right on the money. The main task that we still need
to work on is cross compilation; specifically, we need to actually cross compile,
because most code is compiled by hostcc when we use lbmk. This is covered in
another section, on this TODO page.
Also: <https://lists.debian.org/debian-dpkg/2016/10/msg00012.html>
This post writes about the rationale for `-T1` when using xz.
VGA: Run-time, not build-time
=============================
@ -1331,3 +1440,100 @@ mainboard, for different setups. We could skip a lot of the re-building.
This pretty much goes hand in hand with the other entry on this TODO page,
about spliting up the various stages in coreboot, and handling CBFS generation
within lbmk.
Notes about Git
---------------
See: <https://github.blog/2020-12-21-get-up-to-speed-with-partial-clone-and-shallow-clone/>
This guide has some useful information about using Git, and some of it may be
useful for this goal. There are many cases where we download all of the Git
history for a given project, where we really only need a small part of it. We
could speed up the downloads a lot, and also speed up the builds a bit (by
reducing the amount of deltas that need to be resolved when cloning).
In particular, Git Work Trees are a useful feature that we might use in lbmk.
Scan submodules for backups
---------------------------
Where a project does use submodules, it's possible that we may already define
how to download it, with redundant links. We could scan for this, by parsing
the `.gitmodules` file within a project and comparing to what we have
under `config/git/`.
Chinese users can't run lbmk
==========================
Libreboot has quite a few Chinese users, but the Chinese internet blocks access
to several sites like github - and apparently the coreboot gerrit site is also
blocked, where we clone coreboot from.
We'd need to get Chinese internet users to test this, but lbmk should be
modified to work on the Chinese internet, when downloading packages. China is
a huge country with over 1 billion people, all of whom deserve to use coreboot.
We could provide special branches of lbmk with patches in it, that make certain
upstreams be altered. For example, download coreboot from several mirrors that
are not blocked in China.
I did toy with the idea of making a Gitee account (China's not-invented-here
copy of GitHub), but registration required a Chinese phone number, so I couldn't
make an account. I was going to set it up for Libreboot.
me cleaner is old
=================
From what I can tell, `me_cleaner` is not well-tested or supported on many
newer Intel platforms. it shouldn't affect us in Libreboot for now, because we're
not even past Haswell yet, but see for instance:
Also: disablement
-----------------
See: <https://github.com/corna/me_cleaner/issues/278>
This looks interesting. It seems on some arrandale machines it's actually
possible to completely disable the ME (remove it from the nor flash),
with "almost no ill effects" according to the OP on that issue page.
me6updateparser
===============
We have me7updateparser, imported from the Heads project. It is used to
re-construct full intel ME firmware from the partial firmware update provided
in Lenovo X220 update files.
We do not have ME auto-download on ThinkPad X201 (ME6). If we run it on those
updates, it has the same problem: it is a partial ME update. We need to
reconstruct the ME6 firmware, in the same way. The current me7updateparser is
not suitable for ME6.
FAQ: cover USB fuzzing attacks
==============================
We write on the FAQ that SATA devices could potentially have DMA capability,
but this has still not been proven, and it's probably not true in practise.
USB may not have DMA, but it's possible to perform what's called a fuzzing
attack, whereby a USB device pretends to be something such as a keyboard,
a mouse, a networking device, or any number of things in quick succession.
A wily attacker could program a small USB dongle, and plug it into your running
machine. If your operating system is insufficiently secured or otherwise
poorly configured, and attacker could then remotely control your machine,
and steal data.
You can just look up "USB fuzzing attack" online. There are several actually
practical examples of it in the wild, and it's really easy to do. Easy meaning:
cheap. It's a low-effort attack.
So we should cover it, and talk about ways to mitigate the risk (e.g. disable
USB input devices and networking devices, in the user's operating system).
Coreboot users page
===================
Update it and also add canoeboot there. The current entry isn't really a problem
but it could be better, and also be more descriptive about all the features
lbmk offers.