diff --git a/site/docs/hardware/hp820g2.md b/site/docs/hardware/hp820g2.md new file mode 100644 index 0000000..775a1af --- /dev/null +++ b/site/docs/hardware/hp820g2.md @@ -0,0 +1,294 @@ +--- +title: HP EliteBook 820 G2 +x-toc-enable: true +... + +**[PLEASE READ THESE INSTRUCTIONS BEFORE INSTALLING](../../news/safety.md), +OR YOU MIGHT BRICK YOUR MACHINE: [SAFETY PRECAUTIONS](../../news/safety.md)** + +
+
+HP EliteBook 820 G2 +HP EliteBook 820 G2 +HP EliteBook 820 G2 +HP EliteBook 820 G2 +HP EliteBook 820 G2 +
+ +| ***Specifications*** | | +|----------------------------|------------------------------------------------| +| **Manufacturer** | HP | +| **Name** | EliteBook 820 G2 | +| **Variants** | EliteBook 820 G2 | +| **Released** | 2011 | +| **Chipset** | 5th gen (Broadwell, SoC) | +| **CPU** | Intel Broadwell | +| **Graphics** | Intel HD 5500 graphics (libre initialisation) | +| **Display** | 14" 1366x768 or 1920x1080 TFT | +| **Memory** | Two slots, max 16GB/slot (32GB), DDR3/SODIMM | +| **Architecture** | x86_64 | +| **EC** | SMSC MEC1324 in main boot flash | +| **Original boot firmware** | HP UEFI firmware | +| **Intel ME/AMD PSP** | Present. Can be disabled with me_cleaner. | +| **Flash chip** | SOIC-8 16MiB 128Mbit, 12MiB usable by coreboot | + + +``` +W+: Works without blobs; +N: Doesn't work; +W*: Works with blobs; +U: Untested; +P+: Partially works; +P*: Partially works with blobs +``` + +| ***Features*** | | +|---------------------------------------------------|----| +| **Internal flashing with original boot firmware** | N | +| **Display (if Intel GPU)** | W+ | +| **Audio** | W+ | +| **RAM Init** | W+ | +| **External output** | W+ | +| **Display brightness** | W+ | + +| ***Payloads supported*** | | +|---------------------------|-----------| +| **GRUB** | Works | +| **SeaBIOS** | Works | +| **SeaBIOS with GRUB** | Works | +
+Introduction +============ + +**Unavailable in Libreboot 20231106 or earlier. You must [compile from +source](../build/), or use a release newer than 20231106.** + +This is a beastly 12.5" Broadwell machine from HP, the main benefit of which is +high power efficiency (compared to Ivybridge and Haswell platforms), while +offering similar CPU performance but much higher graphics performance. + +All variants of this mainboard will come with Intel HD 5500 graphics, which has +completely free software initialisation in coreboot, provided by *libgfxinit*. + +Build ROM image from source +--------------------------- + +First, install the build dependencies and initialise git, using the +instructions in [building from source](../build/). Unless you're using a +release after Libreboot 20231106, you *must* use the latest `lbmk.git`. + +The build target, when building from source, is thus: + + ./build roms hp820g2_12mb + +NOTE: The actual flash is 16MB, but you must flash only the first 12MB of it. +The ROM images provided by Libreboot are 12MB. + +There is a separate 2MB *system* flash that you must *erase*, prior to +installing Libreboot. This, along with Libreboot's modified IFD, bypasses +the security (HP Sure Start) that the vendor put there, allowing you to +use coreboot-based firmware such as Libreboot. + +Installation +============ + +Insert binary files +------------------- + +If you're using a release ROM, please ensure that you've inserted extra firmware +required refer to the [guide](../install/ivy_has_common.md) for that. (**failure +to adhere to this advice will result in a bricked machine**) + +If you're *building* from source (using lbmk), the steps takes above are done +for you automatically, inserting all of the required files. The above link is +only relevant for *release* images, which lack some of these files. + +Set MAC address +--------------- + +This platform uses an Intel Flash Descriptor, and defines an Intel GbE NVM +region. 
As such, release/build ROMs will contain the same MAC address. To +change the MAC address, please read [nvmutil documentation](../install/nvmutil.md). + +Update an existing Libreboot installation +----------------- + +NOTE: This section only applies if you haven't enabled write protection. You +can otherwise use the external flashing instructions (see below) for both the +initial installation and updates, but for updates you don't need to re-erase +the private flash, if it was already erased. + +If you're already running Libreboot, and you don't have flash protection +turned on, [internal flashing](../install/) is possible, but please note: + +You must *only* flash the first 12MB, and nothing in the final 4MB of the flash. +This is because the EC firmware is in flash, and we don't touch that during +initial installation or during updates. + +Update it like so: + +Create a dummy 16MB ROM like so: + +``` +dd if=/dev/zero of=new.bin bs=16M count=1 +``` + +Then insert your 16MB ROM image into the dummy file: + +``` +dd if=libreboot.rom of=new.bin bs=12M count=1 conv=notrunc +``` + +The `libreboot.rom` file is the 12MB image from Libreboot. The `new.bin` +file is the Libreboot ROM, padded to 16MB. You will not flash the entire 16MB +file, but flashrom detects a 16MB flash IC. This just makes flashrom not +complain about mismatching ROM/chip size. + +You should flash each region individually: + +``` +flashrom -p internal --ifd -i gbe -w new.bin --noverify-all +flashrom -p internal --ifd -i bios -w new.bin --noverify-all +flashrom -p internal --ifd -i me -w new.bin --noverify-all +flashrom -p internal --ifd -i ifd -w new.bin --noverify-all +``` + +NOTE: The `--ifd` option uses the regions defined in the *flashed* IFD, so +they must match the ROM. You can otherwise dump a layout file and use that, +using the instructions below (using `-l layout.txt` instead of `--ifd`). 
+ +NOTE: If you already did an installation before, and you don't want to +[change the MAC address](../install/nvmutil.html) stored in the gbe region, +you can skip the gbe/ifd/me regions as above, and flash just the BIOS region. + +NOTE: Use of `--ifd` requires flashrom 1.2 or higher. If you have an older +version, or you don't have `--ifd`, you could instead do: + +``` +ifdtool -f layout.txt libreboot.rom +``` + +Then, instead of `--ifd` you would use `-l layout.txt`. + +ALSO: The `--ifd` option makes flashrom flash regions based on what's in +the *current* flashed IFD. + +Flashing Libreboot first time (hardware) +======================================== + +**PLEASE ENSURE that you dump a copy of both flash ICs (system flash and +private flash). Take two dumps of each, and make sure each has two good hashes. +This is because there are certain files that, while you may not need for a +regular Libreboot installation, may be useful for recovery purposes. You have +been warned!** + +This section is relevant to you if you're still running the original HP +firmware. You must [flash externally](../install/spi.md). + +Take stock of these further notes, because there are extra steps that you +must take. + +HP Sure Start +------------- + +There is a 16MB flash and a 2MB flash. Read this page for info: + + +The page makes it seem more complicated than necessary, from a user's point +of view. What you really need to do is just erase the flash. Consult +the [SPI flashing guide](../install/spi.md) and act as if you were flashing, +but leave out `-w libreboot.rom` (don't write an image), and instead +use the `--erase` option, with your clip connected to the private flash (2MB +flash IC). + +You might want to dump the private flash first, just in case (use `-r priv.rom` +or whatever filename you want to dump to, and take two dumps, ensuring that +the hashes match). The private (2MB) flash is inaccessible from your OS. 
The +system stores hashes of the IFD, GbE and a copy of IFD/GbE in private flash, +restoring them if they were modified, but erasing the private flash disables +this security mechanism. + +Here is a photo of the board, with the flashes: + +![HP 820 G2 flash](https://av.libreboot.org/hp820g2/hp820g2_flash.jpg) + +HP bootblock +------------ + +See: + +In this page it talks about HP's own bootblock and EC firmware. These are in +the final 4MB of the flash. You must *not* modify these, because you will brick +your machine unless the IFD is modified; + +This is why Libreboot provides 12MB images. The IFD in Libreboot is modified, as +per this coreboot documentation, to make the BIOS region *end* at the last byte +of the first 12MB in flash, bypassing HP's security entirely. In other words, +you can run whatever you want (such as Libreboot) in the first 12MB of flash, +so long as the upper 4MB is untouched and the private 2MB flash has been erased. + +With Libreboot's modified IFD, HP's own bootblock is never executed, but the +EC firmware *is*, and must be left alone. You do not to insert it in your +Libreboot ROM because it's already in flash, within that last 4MB. + +Flash a ROM image (hardware) +----------------- + +**REMOVE all power sources like battery, charger and so on, before doing this. +This is to prevent short circuiting and power surges while flashing.** + +For general information, please refer to [25xx NOR flash +instructions](../install/spi.md). + +At this present time, disassembly instructions are unavailable from the +Libreboot project, but you can search for HP's own hardware maintenance manual +or look at videos online showing disassembly. + +The flash chip is visible by removing the "bottom door" panel. But the +frame makes it hard to put a clip on it, so it's recommended to follow the +HP [service manual](https://h10032.www1.hp.com/ctg/Manual/c03015458.pdf) +to remove the **bottom cover**, as it's called. 
+ +First, dump both flashes for backup, using the `-r` option (instead of `-w`) +in flashrom. Two dumps of each flash, make sure both dumps match for each chip. + +We will assume that your system flash (16MB) dump is named `dump.bin`. + +This gives you everything, including the final 4MB. Now insert your new ROM +into a copy of `dump.bin`: + +``` +cp -R dump.bin new.bin +dd if=libreboot.rom of=new.bin bs=12M count=1 conv=notrunc +``` + +Flash `new.bin` to system flash (16MB IC) using the `-w` option in flashrom, +and erase the private (2MB) flash IC, +using the `--erase` option (instead of `-w filename.rom`) in flashrom. + +It's very important that you *erase* the 2MB flash. Be careful *not* to +erase the system (16MB flash). This is yet another reason why you should keep +a backup of both flash ICs, just in case (dumped using `-r` in flashrom). + +![](https://av.libreboot.org/hp820g2/hp820g2.jpg) + +![](https://av.libreboot.org/hp820g2/hp820g2_inside.jpg) + +And that's all. Refer to other documents on Libreboot's website for how +to handle Linux/BSD systems and generally use your machine. + +References +========== + +See: + +Libreboot's build system automatically pulls down the MRC/refcode files, and +modifies the refcode to enable the onboard Intel Gigabit Ethernet (GbE). You +don't need to mess with this at all, when you build Libreboot yourself. + +You can see how this works, by looking at the patch which added 820 G2 support: + + +If you're using release builds, the MRC, refcode and (neutered) ME images are +missing from flash, and must be re-inserted, using the instructions +on [this page](../install/ivy_has_common.md). diff --git a/site/docs/hardware/index.md b/site/docs/hardware/index.md index 99173da..c80ffba 100644 --- a/site/docs/hardware/index.md +++ b/site/docs/hardware/index.md 
@@ -43,6 +43,7 @@ libreboot currently supports the following systems in this release: - [HP EliteBook 2170p](hp2170p.md) (**socketed flash IC**) - [HP EliteBook 2560p](hp2560p.md) - [HP EliteBook 2570p](hp2570p.md) +- [HP EliteBook 820 G2](hp820g2.md) - [HP EliteBook 8460p](hp8460p.md) - [HP EliteBook 8470p](hp8470p.md) - [HP EliteBook Folio 9470m](hp9470m.md) diff --git a/site/docs/hardware/index.zh-cn.md b/site/docs/hardware/index.zh-cn.md index 85c1ba0..8a154df 100644 --- a/site/docs/hardware/index.zh-cn.md +++ b/site/docs/hardware/index.zh-cn.md @@ -52,6 +52,7 @@ x-toc-enable: true - [HP EliteBook 2170p](hp2170p.md) - [HP EliteBook 2560p](hp2560p.md) - [HP EliteBook 2570p](hp2570p.md) +- [HP EliteBook 820 G2](hp820g2.md) - [HP EliteBook 8460p](hp8460p.md) - [HP EliteBook 8470p](hp8470p.md) - [HP EliteBook Folio 9470m](hp9470m.md) diff --git a/site/docs/install/index.md b/site/docs/install/index.md index 44163e5..395e155 100644 --- a/site/docs/install/index.md +++ b/site/docs/install/index.md @@ -658,6 +658,7 @@ Links to specific HP laptop pages: * [HP EliteBook 2170p](../hardware/hp2170p.md) * [HP EliteBook 2560p](../hardware/hp2560p.md) * [HP EliteBook 2570p](../hardware/hp2570p.md) +* [HP EliteBook 820 G2](../hardware/hp820g2.md) * [HP EliteBook 8460p](../hardware/hp8460p.md) * [HP EliteBook 8470p](../hardware/hp8470p.md) * [HP EliteBook Folio 9470m](../hardware/hp9470m.md) diff --git a/site/freedom-status.md b/site/freedom-status.md index a4ce5a4..70da7ee 100644 --- a/site/freedom-status.md +++ b/site/freedom-status.md 
@@ -242,8 +242,8 @@ Neutered ME required on these targets: `t420_8mb`, `t420s_8mb`, `t430_12mb`, `t440p_12mb`, `t440pmrc_12mb`, `t520_8mb`, `t530_12mb`, `w530_12mb`, `w541_12mb`, `w541mrc_12mb`, `x220_8mb`, `x230_12mb`, `x230_16mb`, `x230edp_12mb`, `x230t_12mb`, `x230t_16mb`, `hp8200sff`, `hp2560p_8mb`, -`hp2570p_16mb`, `hp8300usdt_16mb`, `hp2170p_16mb`, `hp9470m_16mb` -and `t1650_12mb`. +`hp2570p_16mb`, `hp8300usdt_16mb`, `hp2170p_16mb`, `hp9470m_16mb`, +`hp820g2_12mb` and `t1650_12mb`. As stated, Libreboot provides this in a state where the ME is no longer a threat to security. It initialises itself, but then does nothing, so it's diff --git a/site/freedom-status.uk.md b/site/freedom-status.uk.md index 2f1950e..9534360 100644 --- a/site/freedom-status.uk.md +++ b/site/freedom-status.uk.md @@ -333,7 +333,7 @@ Intel/x86 `t440p_12mb`, `t440pmrc_12mb`, `t520_8mb`, `t530_12mb`, `w530_12mb`, `w541_12mb`, `w541mrc_12mb`, `x220_8mb`, `x230_12mb`, `x230_16mb`, `x230edp_12mb`, `x230t_12mb`, `x230t_16mb`, `hp8200sff_8mb`, `hp2560p_8mb`, -`hp2570p_16mb`, `hp2170p_16mb`, `hp9470m_16mb` та `t1650_12mb`. +`hp2570p_16mb`, `hp2170p_16mb`, `hp9470m_16mb`, `hp820g2_12mb` та `t1650_12mb`. Як заявлено, Libreboot надає це в стані, де ME більше не є загрозою для безпеки. Він ініціалізує себе, але потім нічого не робить, тому його diff --git a/site/tasks/index.md b/site/tasks/index.md index 326e70a..f4b0526 100644 --- a/site/tasks/index.md +++ b/site/tasks/index.md @@ -2121,3 +2121,21 @@ Also see: We already are very strict in how we handle errors, but lbmk does indeed used piped logic in a few areas. An audit is in order, to fix any potential lack of error handling in such cases. + +HP 820 G2 TPM +============= + +TODO: check that it can be upgraded to TPM 2.0 (default is 1.2). +It's a SLB 9660 TPM + + + + + +Apparently, this can be upgraded to TPM 2.0. Riku linked this on IRC: + + + +And also this, straight from the horse's mouth: + +
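Review bot: In hp820g2.md, "Update an existing Libreboot installation", `new.bin` is created from `/dev/zero`, so its final 4MB is all zeros, while the same section says that range holds the EC firmware and must not be touched. The only thing keeping those zeros out of flash is the `-i` region selection on each flashrom line, and the text never says so. Suggest adding an explicit sentence that this `new.bin` must never be written without `--ifd -i <region>` (or `-l layout.txt -i <region>`). The two notes about `--ifd` using the currently flashed IFD ("NOTE:" and "ALSO:") repeat each other and could be merged into that one warning. Smaller points in the same file: "Then insert your 16MB ROM image into the dummy file" contradicts the next paragraph, which calls `libreboot.rom` the 12MB image. The specifications table gives a 14" display while the Introduction says 12.5", and "Released 2011" should be checked against the Broadwell chipset row. The MAC address link is `nvmutil.md` in one place and `nvmutil.html` in another. "the steps takes above" and "You do not to insert it" need fixing. `cp -R dump.bin new.bin` copies a single file, so `-R` can go.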
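Review bot: The neutered-ME target lists in freedom-status.md and freedom-status.uk.md still disagree after `hp820g2_12mb` is added to both. In the visible lines the English list has `hp8200sff` and `hp8300usdt_16mb`, while the Ukrainian list has `hp8200sff_8mb` and no `hp8300usdt_16mb` between `hp2570p_16mb` and `hp2170p_16mb`. Since both lines are already being edited here, suggest syncing the two lists in this commit so that readers of either translation see the same set of targets requiring a neutered ME.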