From fcfca1da5ea4eee266c830948ec117f06a3553cd Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Thu, 27 Feb 2020 14:55:50 +0100 Subject: Documentation: Add vboot on Lenovo devices Describe vboot implementation details for retrofitted Lenovo ThinkPad devices. Change-Id: Ibabcc939d9d01f00a93fd42adc48057966ad877e Signed-off-by: Patrick Rudolph Signed-off-by: Marcello Sylvester Bauer Reviewed-on: https://review.coreboot.org/c/coreboot/+/39151 Reviewed-by: Paul Menzel Reviewed-by: Patrick Rudolph Tested-by: build bot (Jenkins) --- Documentation/mainboard/lenovo/vboot.md | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 Documentation/mainboard/lenovo/vboot.md (limited to 'Documentation/mainboard/lenovo') diff --git a/Documentation/mainboard/lenovo/vboot.md b/Documentation/mainboard/lenovo/vboot.md new file mode 100644 index 0000000000..3e4d43bd14 --- /dev/null +++ b/Documentation/mainboard/lenovo/vboot.md 
@@ -0,0 +1,39 @@ +# Using coreboot's verified boot on Lenovo devices + +By default a single instance of coreboot is present in the firmware flash, +no verification is done and the flash is not write-protected, so as to allow +firmware updates from the OS. +The verified boot mechanism also called [VBOOT] allows secure firmware +updates using an A/B partitioning scheme once enabled. + +## Enabling VBOOT +You can enable [VBOOT] in Kconfig's *Security* section. Besides a verified +boot you can also enable a measured boot by setting +`CONFIG_VBOOT_MEASURED_BOOT`. Both options need a working TPM, which is +present on all recent Lenovo devices. + +## Updating and recovery +As the A/B partition is writeable you can still update them from the OS. +By using the [VBOOT] mechanism you store a copy of coreboot in the `RO` +partition that acts as failsafe in case the regular firmware update, that +goes to the `A` or `B` partition fails. + +**Note:** The `RO` partition isn't write-protected by default. There's a patch +pending on gerrit [CB:32705] that write-protects the `RO` partition. + +On *Lenovo* devices you can enable the *Fn* key as recovery mode switch, by +enabling `CONFIG_H8_FN_KEY_AS_VBOOT_RECOVERY_SW`. +Holding the *Fn* at boot will then switch to the recovery image, allowing +to boot and flash a working image to the A/B partition. + +## 8 MiB ROM limitation +*Lenovo* devices with 8 MiB ROM only have a `RO`+`A` partition enabled in the +default FMAP. They are missing the `B` partition, due to size constaints. +You can still provide your own FMAP if you need `RO`+`A`+`B` partitions. + +## CMOS +[VBOOT] on *Lenovo* devices uses the CMOS to store configuration data, like +boot failures and the last successfully booted partition. + +[VBOOT]: ../../security/vboot/index.md +[CB:32705]: https://review.coreboot.org/32705 -- cgit v1.2.3
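Review bot: In "Updating and recovery", the note that the `RO` partition isn't write-protected by default sits uneasily with the introduction's claim that VBOOT "allows secure firmware updates". As long as `RO` is writable from the OS, the failsafe copy that recovery depends on can itself be overwritten, so in this configuration the document describes a fallback against a failed update rather than protection against tampering. Suggest saying so explicitly next to the note, or in the introduction, and stating what the reader can rely on until [CB:32705] is merged. The "CMOS" section could also say what happens when the stored boot-failure and last-booted-partition data is lost or reset, since the text only says that it is stored there. Minor: "constaints" should be "constraints" in the 8 MiB section, "the A/B partition is writeable you can still update them" mixes singular and plural, and "Holding the *Fn* at boot" is missing "key".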