lbwww/site/docs/install/hp820g2.md

8.4 KiB

From Libreboot 20241206 revision 8 onwards, pre-compiled ROM images are now available. Previous releases excluded images for this board, because vendor file insertion was not reproducible, so you would get checksum errors. This has been fixed with the following patch:

https://browse.libreboot.org/lbmk.git/commit/?id=e8799310db26df89720e8476a701f1904932234b

The refcode is inserted uncompressed, whereas upstream uses LZMA compression. We can't predict how the implementation will change in the future, and any behavioural changes would probably affect the checksum on insertion. Older releases also didn't handle rmodtool on refcode insertion, which is used to make the file relocatable in CBFS. See:

https://doc.coreboot.org/lib/rmodules.html

As of Libreboot 20241206 rev8, you can now use pre-compiled release images and insert vendor files.

The lack of refcode compression costs about 110KB, because the refcode file is about 180KB uncompressed, but would be about 70KB compressed in flash. We insert it uncompressed, so it's 180KB in flash. This is a small sacrifice, considering that you still have about 10MB of unused flash space left, at least as of the 20241206 rev8 release.

HP Sure Start

There is a 16MB flash and a 2MB flash. Read this page for info: https://doc.coreboot.org/mainboard/hp/hp_sure_start.html

The page makes it seem more complicated than necessary, from a user's point of view. What you really need to do is just erase the 2MB flash IC, and flash only the first 12MB of the 16MB flash IC. A photo is shown below. Consult the SPI flashing guide and act as if you were flashing, but leave out -w libreboot.rom (don't write an image), and instead use the --erase option, with your clip connected to the private flash (2MB flash IC).

You might want to dump the private flash first, just in case (use -r priv.rom or whatever filename you want to dump to, and take two dumps, ensuring that the hashes match); one dump for the first erase, and another for the next erase. If they match, then the erase was likely a success. The private (2MB) flash is inaccessible from your OS. The system stores hashes of the IFD, GbE and a copy of IFD/GbE in private flash, restoring them if they were modified, but erasing the private flash disables this security mechanism.

Coreboot has its own page about this machine:

https://doc.coreboot.org/mainboard/hp/elitebook_820_g2.html

Make sure to read and understand all of this first, before attempting the Libreboot installation, because it's also important when updating Libreboot later on.

Installation of Libreboot

Make sure to set the MAC address in the flash: Modify MAC addresses with nvmutil.

Refer to the Libreboot flashing guides

Here are the flash ICs:

When you flash the 12MB image, please do the following with it:

dd if=/dev/zero of=4mb.bin bs=4M count=1
cat libreboot.rom 4mb.bin > libreboot16.rom

Be careful: do not fully flash libreboot16.rom

Flash it like this, instead:

flashprog -p PROGRAMMER --ifd -i gbe -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i bios -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i me -w libreboot16.rom --noverify-all
flashprog -p PROGRAMMER --ifd -i fd -w libreboot16.rom --noverify-all

Replace PROGRAMMER according to whichever flasher you're using. You could also replace it with internal, if later flashing internally to update an existing Libreboot installation.

If you're flashing internally, add --noverify-all to the flashprog command.

To erase the 2MB flash, do this:

flashprog -p PROGRAMMER --erase

Refer generally to the main flashing guide and to the external flashing guide so that you can learn how to actually flash it.

TPM 2.0 potentially supported

The onboard TPM is an SLB 9660, which supports TPM 1.2 but it is known to be compatible with TPM 2.0 via firmware upgrade. Although not yet tested, we have some notes about that here:

../../tasks/#hp-820-g2-tpm

Not yet used meaningfully by Libreboot itself, but the TPM can be used to implement things like measured boot.

References

See: https://doc.coreboot.org/soc/intel/broadwell/blobs.html

Libreboot's build system automatically pulls down the MRC/refcode files, and modifies the refcode to enable the onboard Intel Gigabit Ethernet (GbE). You don't need to mess with this at all, when you build Libreboot yourself.

You can see how this works, by looking at the patch which added 820 G2 support: https://browse.libreboot.org/lbmk.git/commit/?id=401c0882aaec059eab62b5ce467d3efbc1472d1f

Yay. If you see this boot screen, you should be proud. This is a really hard machine to flash.