8.4 KiB
From Libreboot 20241206 revision 8 onwards, pre-compiled ROM images are now available. Previous releases excluded images for this board, because vendor file insertion was not reproducible, so you would get checksum errors. This has been fixed with the following patch:
https://browse.libreboot.org/lbmk.git/commit/?id=e8799310db26df89720e8476a701f1904932234b
The refcode is inserted uncompressed, whereas upstream uses LZMA compression.
We can't predict how the implementation will change in the future, and any
behavioural changes would probably affect the checksum on insertion. Older
releases also didn't handle rmodtool
on refcode insertion, which is used
to make the file relocatable in CBFS. See:
https://doc.coreboot.org/lib/rmodules.html
As of Libreboot 20241206 rev8, you can now use pre-compiled release images and insert vendor files.
The lack of refcode compression costs about 110KB, because the refcode file is about 180KB uncompressed, but would be about 70KB compressed in flash. We insert it uncompressed, so it's 180KB in flash. This is a small sacrifice, considering that you still have about 10MB of unused flash space left, at least as of the 20241206 rev8 release.
HP Sure Start
There is a 16MB flash and a 2MB flash. Read this page for info: https://doc.coreboot.org/mainboard/hp/hp_sure_start.html
The page makes it seem more complicated than necessary, from a user's point
of view. What you really need to do is just erase the 2MB flash IC, and flash
only the first 12MB of the 16MB flash IC. A photo is shown below. Consult
the SPI flashing guide and act as if you were flashing,
but leave out -w libreboot.rom
(don't write an image), and instead
use the --erase
option, with your clip connected to the private flash (2MB
flash IC).
You might want to dump the private flash first, just in case (use -r priv.rom
or whatever filename you want to dump to, and take two dumps, ensuring that
the hashes match); one dump for the first erase, and another for the next
erase. If they match, then the erase was likely a success. The private (2MB)
flash is inaccessible from your OS. The
system stores hashes of the IFD, GbE and a copy of IFD/GbE in private flash,
restoring them if they were modified, but erasing the private flash disables
this security mechanism.
Coreboot has its own page about this machine:
https://doc.coreboot.org/mainboard/hp/elitebook_820_g2.html
Make sure to read and understand all of this first, before attempting the Libreboot installation, because it's also important when updating Libreboot later on.
Installation of Libreboot
Make sure to set the MAC address in the flash: Modify MAC addresses with nvmutil.
Refer to the Libreboot flashing guides
Here are the flash ICs:
When you flash the 12MB image, please do the following with it:
dd if=/dev/zero of=4mb.bin bs=4M count=1
cat libreboot.rom 4mb.bin > libreboot16.rom
Be careful: do not fully flash libreboot16.rom
Flash it like this, instead:
flashprog -p PROGRAMMER --ifd -i gbe -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i bios -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i me -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i fd -w libreboot16.rom --noverify-all
Replace PROGRAMMER
according to whichever flasher you're using. You could
also replace it with internal
, if later flashing internally to update an
existing Libreboot installation.
If you're flashing internally, add --noverify-all
to the flashprog
command.
To erase the 2MB flash, do this:
flashprog -p PROGRAMMER --erase
Refer generally to the main flashing guide and to the external flashing guide so that you can learn how to actually flash it.
TPM 2.0 potentially supported
The onboard TPM is an SLB 9660, which supports TPM 1.2 but it is known to be compatible with TPM 2.0 via firmware upgrade. Although not yet tested, we have some notes about that here:
Not yet used meaningfully by Libreboot itself, but the TPM can be used to implement things like measured boot.
References
See: https://doc.coreboot.org/soc/intel/broadwell/blobs.html
Libreboot's build system automatically pulls down the MRC/refcode files, and modifies the refcode to enable the onboard Intel Gigabit Ethernet (GbE). You don't need to mess with this at all, when you build Libreboot yourself.
You can see how this works, by looking at the patch which added 820 G2 support: https://browse.libreboot.org/lbmk.git/commit/?id=401c0882aaec059eab62b5ce467d3efbc1472d1f
Yay. If you see this boot screen, you should be proud. This is a really hard machine to flash.