libreboot-dev

Re: [Libreboot-dev] C201 Chromebook (veyron_speedy) port and Chromium OS


From: Paul Kocialkowski
Subject: Re: [Libreboot-dev] C201 Chromebook (veyron_speedy) port and Chromium OS security model
Date: Sat, 31 Oct 2015 12:37:29 +0100

On Monday 12 October 2015 at 01:55 +0100, Gammel Holte wrote:
> Excellent! I'm really glad there's a port for the C201.

Glad to see such enthusiasm about it!

> Libreboot aside, how far is it from being completely blob-less? It's
> only about finalising the (stalled) Lima driver for Mali?

Well, the current state of free software on the device is described at:
http://libreboot.org/docs/hcl/c201.html
> 
> On Sat, Oct 10, 2015 at 10:55 PM, Paul Kocialkowski <address@hidden>
> wrote:
>         Since I've been asked countless times for a status update on
>         the Chromebook C201 port to Libreboot, here is a summary of
>         what is going on and what is planned for the future.
>         
>         First off, the code to rebuild coreboot, depthcharge and vboot
>         in libreboot is ready. This includes the scripts to download,
>         patch, build and prepare each of those, in the right order.
>         The process produces a RO image of coreboot that can be
>         flashed to the first MiB of the SPI flash (the image won't try
>         to jump to any of the coreboot stages that are stored on the
>         RW part of the SPI flash, thus, it is completely standalone).
>         This comes with an image containing a string of the libreboot
>         version (to be stored on a dedicated fmap partition on the SPI
>         flash). Most importantly, a script to ease the replacement of
>         those images in a full SPI flash image is provided, along with
>         a description of the partitions.
>         
>         While the code is ready, installation instructions are still
>         at a draft stage. Even though they have already been tested
>         successfully on a brand new device, some parts still need some
>         more attention. Suggestions about it are welcome (replying to
>         this thread is just fine for this purpose).
>         
>         The libreboot repo[0] with those changes is available at my
>         personal git repository. Expect it to be rebased from time to
>         time!
>         
>         When installation instructions are done, it will be time to
>         merge those changes with the main libreboot repository, start
>         building release images for the C201 (codename veyron_speedy)
>         and update the documentation on the libreboot website!
>         
>         However, there is still a lot more left to accomplish after
>         that milestone. The current state of the code only replaces
>         part of the SPI flash. In the long run, it would be nice to
>         rebuild and replace each and every part of software that lives
>         on the SPI flash. As described in an earlier email to the
>         list, there are many things in there, thus a lot of work
>         ahead.
>         
>         The first challenge will be to replace the RW stages of
>         coreboot. Those are signed with a private key and their
>         signatures are checked before being executed. If we want to
>         release full images that can be installed as-is (or nearly),
>         those will have to be signed with some keys. Those can either
>         be test keys that are publicly available, which voids the
>         whole security model, or keys that are kept secret by the
>         libreboot project, which implies that users trust the project
>         and have a way to verify that images signed that way do in
>         fact originate from libreboot. Of course, we want to encourage
>         users to generate and use their own keys instead, which offers
>         the best security guarantees (provided they keep the private
>         keys, well, private)! Writing up documentation for this will
>         also be greatly needed.
>         
>         Another important step will be to rebuild and release the
>         embedded controller firmware. It is not strictly related to
>         libreboot, since it lives outside of the main processor.
>         Still, it's good to have it integrated with the libreboot
>         build process since it is all free software as well. This will
>         also make it easier to modify and rebuild it, as early
>         investigation shows that it is not trivial to rebuild at all.
>         The embedded controller firmware and its hash are also stored
>         on the SPI flash, so we need to release them too in order to
>         release a full flash image. This is part of a process called
>         EC software sync, that updates the RW firmware part of the EC
>         internal memory with the firmware stored on the SPI flash when
>         the hashes of the two firmwares mismatch. The EC also has a RO
>         firmware that should be considered fail-safe. Of course,
>         libreboot will also release a rebuilt free firmware for the RO
>         EC firmware.
>         
>         With all that achieved, it'll only be a few bits and pieces to
>         include to produce a full image that can replace the whole SPI
>         flash chip!
>         
>         Stay tuned for more information on the port!
>         
>         
>         --Paul Kocialkowski, Replicant developer
>         Replicant is a fully free Android distribution running on
>         several devices, a free software mobile operating system
>         putting the emphasis on freedom and privacy/security.
>         Website: https://www.replicant.us/
>         Blog: https://blog.replicant.us/
>         Wiki/tracker/forums: https://redmine.replicant.us/
> 
> 

Attachment: signature.asc
Description: This is a digitally signed message part
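
An added illustration, not part of the original message and not vboot or libreboot code: a Python model of the EC software sync decision described in the quoted summary (compare hashes, update the EC's RW firmware on mismatch, keep RO as the fail-safe). `SimulatedEC`, `ec_software_sync` and the result strings are hypothetical names; the consistency check on the flash copy and the read-back after the update are assumptions added here.

```python
import hashlib


def digest(data: bytes) -> bytes:
    """SHA-256 of a firmware image (the hash algorithm is an assumption)."""
    return hashlib.sha256(data).digest()


class SimulatedEC:
    """Toy embedded controller: fail-safe RO firmware plus an updatable RW slot."""

    def __init__(self, rw_image: bytes, accept_writes: bool = True):
        self.rw_image = rw_image            # contents of the EC's internal RW region
        self.accept_writes = accept_writes  # False models a failed or blocked update
        self.active = "RO"                  # the EC starts in its RO firmware

    def rw_hash(self) -> bytes:
        return digest(self.rw_image)

    def write_rw(self, image: bytes) -> None:
        if self.accept_writes:
            self.rw_image = image

    def jump_to_rw(self) -> None:
        self.active = "RW"


def ec_software_sync(ec: SimulatedEC, flash_image: bytes, flash_hash: bytes) -> str:
    """Sync the EC's RW firmware with the copy and hash stored on the SPI flash."""
    # The hash stored on the SPI flash must describe the image stored beside it;
    # otherwise nothing is pushed to the EC and it stays in RO.
    if digest(flash_image) != flash_hash:
        return "flash-inconsistent"
    # Hashes match: the EC already holds the expected RW firmware.
    if ec.rw_hash() == flash_hash:
        ec.jump_to_rw()
        return "in-sync"
    # Hashes mismatch: update the EC from the SPI flash, then read back.
    ec.write_rw(flash_image)
    if ec.rw_hash() != flash_hash:
        return "update-failed"              # EC remains in fail-safe RO
    ec.jump_to_rw()
    return "updated"


if __name__ == "__main__":
    new_fw = b"EC-RW build B (constructed sample)"
    ec = SimulatedEC(b"EC-RW build A (constructed sample)")
    print(ec_software_sync(ec, new_fw, digest(new_fw)), ec.active)
```

In this model every failure path leaves the EC on its RO firmware, which is why the message treats the RO part as the piece that must be considered fail-safe.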

