summaryrefslogtreecommitdiff
path: root/Documentation/getting_started/faq.md
blob: 494fa6b9ec9605b22f26e33dfc6f6fd82ce450c5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
# coreboot FAQ

## General coreboot questions


### What is coreboot?

coreboot is a free and open software project designed to initialize
computers and embedded systems in a fast, secure, and auditable fashion.
The focus is on minimal hardware initialization: to do only what is
absolutely needed, then pass control to other software (a payload, in
coreboot parlance) in order to boot the operating system securely.


### What is a coreboot payload?

coreboot itself does not deal with boot media such as hard-drives,
SSDs, or USB flash-drives, beyond initializing the underlying hardware.
So in order to actually boot an operating system, another piece of
software which does do those things must be used. coreboot supports
a large number of diverse payloads; see below for more details.


### Is coreboot the same as UEFI?

No. coreboot and UEFI are both system firmware that handle the
initialization of the hardware, but are otherwise not similar.
coreboot’s goal is to **just** initialize the hardware and exit.
This makes coreboot smaller and simpler, leading to faster boot times,
and making it easier to find and fix bugs. The result is a higher
overall security.


### What's the difference between coreboot and UEFI?

UEFI is actually a firmware specification, not a specific software
implementation. Intel, along with the rest of the Tianocore project,
has released an open-source implementation of the overall framework,
EDK2, but it does not come with hardware support. Most hardware running
UEFI uses a proprietary implementation built on top of EDK2.

coreboot does not implement the UEFI specification, but it can be used to
initialize the system, then launch a UEFI payload such as EDK2 in order
to provide UEFI boot services.

The UEFI specification also defines and allows for many things that are
outside of coreboot’s scope, including (but not limited to):

* Boot device selection
* Updating the firmware
* A CLI shell
* Network communication
* An integrated setup menu


### Can coreboot boot operating systems that require UEFI?

Yes, but... again, coreboot **just** initializes the hardware. coreboot
itself doesn’t load operating systems from storage media other than the
flash chip. Unlike UEFI, coreboot does not, and will not contain a Wi-Fi
driver or communicate directly with any sort of network. That sort of
functionality is not related to hardware initialization.

To boot operating systems that require UEFI, coreboot can be compiled with
EDK2 as the payload. This allows coreboot to perform the hardware init,
with EDK2 supplying the UEFI boot interface and runtime services to
the operating system.


### What non-UEFI payloads does coreboot support?

* SeaBIOS, behaves like a classic BIOS, allowing you to boot operating
  systems that rely on the legacy interrupts.

* GRUB can be used as a coreboot payload, and is currently the most
  common approach to full disk encryption (FDE).

* A Linux kernel and initramfs stored alongside coreboot in the boot
  ROM can also be used as a payload. In this scenario coreboot
  initializes hardware, loads Linux from boot ROM into RAM, and
  executes it. The embedded Linux environment can look for a target OS
  kernel to load from local storage or over a network and execute it
  using kexec. This is sometimes called LinuxBoot.

* U-boot, depthcharge, FILO, etc.

There’s [https://doc.coreboot.org/payloads.html](https://doc.coreboot.org/payloads.html)
with a list, although it’s not complete.


### What does coreboot leave in memory after it's done initializing the hardware?

While coreboot tries to remove itself completely from memory after
finishing, some tables and data need to remain for the OS. coreboot
reserves an area in memory known as CBMEM, to save this data after it
has finished booting. This contains things such as the boot log, tables
that get passed to the payload, SMBIOS, and ACPI tables for the OS.

In addition to CBMEM, on X86 systems, coreboot will typically set up
SMM, which will remain resident after coreboot exits.


## Platforms

### What’s the best coreboot platform for a user?

The choice of the best coreboot platform for a user can vary depending
on their specific needs, preferences, and use cases.

Typically, people who want a system with a minimum of proprietary
firmware are restricted to older systems like the Lenovo X220, or more
expensive, non-x86 solutions like TALOS, from Raptor Engineering.

There are a number of companies selling modern systems, but those all
require more proprietary binaries in addition to coreboot (e.g., Intel
FSP). However, unlike the older ThinkPads, many of these newer devices
use open-source embedded controller (EC) firmware, so there are
tradeoffs with either option.

The coreboot project mantains a list of companies selling machines
which use coreboot on the [website](https://coreboot.org/users.html).


### What’s the best platform for coreboot development?

Similar to the best platform for users, the best platform for
developers very much depends on what a developer is trying to do.

* QEMU is generally the easiest platform for coreboot development, just
  because it’s easy to run anywhere. However, it’s possible for things
  to work properly in QEMU but fail miserably on actual hardware.

While laptops tend to be harder to develop than desktop platforms, a
majority of newer platforms on coreboot tend to be laptops. The
development difficulty is due to a few different factors:

1. The EC (Embedded Controller) is a specialized microcontroller that
   typically handles keyboard and sometimes mouse input for a laptop.
   It also controls many power management functions such as fans, USB-C
   power delivery, etc. ECs run mainboard-specific firmware, which is
   typically undocumented.
2. ThinkPads (X230, 30-series, 20-series, T430, T540, T520). Sandy
   Bridge and Ivy Bridge are well-supported. Some may have
   difficult-to-reach SPI flash chips. Boards with two flash chips (e.g.
   30-series ThinkPads) are harder to externally reflash as one needs to
   make sure the non-targeted flash chip remains disabled at all times.
   The X230 is notoriously sensitive to external reflashing issues.
3. Laptops often lack a convenient method to obtain firmware boot logs.
   One can use EHCI debug on older systems and Chromebook-specific
   solutions for Chromebooks, but one often has to resort to flashconsole
   (writing coreboot logs to the flash chip where coreboot resides). On
   the other hand, several desktop mainboards still have a RS-232 serial
   port.

Some of the easiest physical systems to use for coreboot development
are Chromebooks. Newer Chromebooks allow for debug without opening the
case. Look for SuzyQ Cables or SuzyQables or instructions on how to
build one. These cables only work on a specific port in a specific
orientation. Google [supplies
specifications](https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/master/docs/ccd.md#SuzyQ-SuzyQable)
for these cables.


### What platforms does coreboot support?

The most accurate way to determine what systems coreboot supports is by
browsing the src/mainboard tree or running “make menuconfig” and going
through the “Mainboard” submenu. You can also search Gerrit to see if
there are any unmerged ports for your board.

There is also the board status page
([https://coreboot.org/status/board-status.html](https://coreboot.org/status/board-status.html)),
however this does not currently show supported board variants.


## coreboot Development

### Can coreboot be ported to [this board]?

The best way to determine if coreboot can be ported to a system is to
see if the processor and chipset is supported. The next step is to see
whether the system is locked to the proprietary firmware which comes
with the board.

Intel Platforms:

* coreboot only supports a few northbridges (back when northbridges
  were on a separate package), and there's next to no support for
  "server" platforms (multi-socket and similar things). Here's a list
  of more recent supported Intel processors:
    * Alder Lake (2021 - Core Gen 12)
    * Apollo Lake (2016 - Atom)
    * Baytrail (2014 - Atom)
    * Braswell (2016 - Atom)
    * Broadwell (2014 - Core Gen 5)
    * Comet Lake (2019 - Core Gen 10)
    * Cannon Lake (2018 - Core Gen 8/9)
    * Denverton (2017)
    * Elkhart lake (2021 - Atom)
    * Haswell (2013 - Core Gen 4)
    * Ivy Bridge (2012 - Core Gen 3)
    * Jasper Lake (2021 - Atom)
    * Kaby Lake (2016 - Core Gen 7/8)
    * Meteor Lake (2023 - Gen 1 Ultra-mobile)
    * Sandy Bridge (2011 - Core Gen 2)
    * Sky Lake (2015 - Core Gen 6)
    * Tiger Lake (2020 - Core Gen 11)
    * Whiskey Lake (2018 - Core Gen 8)

* Intel Boot Guard is a security feature which tries to prevent loading
  unauthorized firmware by the mainboard. If supported by the platform,
  and the platform is supported by intelmetool, you should check if Boot
  Guard is enabled. If it is, then getting coreboot to run will be
  difficult or impossible even if it is ported. You can run
  `intelmetool -b` on supported platforms to see if Boot Guard is
  enabled (although it can fail because it wants to probe the ME
  beforehand).

AMD Ryzen-based platforms:

* The AMD platforms Ryzen-based platforms unfortunately are currently
  not well supported outside of the Chromebooks (and AMD reference
  boards) currently in the tree.
  The responsible teams are trying to fix this, but currently it's
  **very** difficult to do a new port. Recent supported SoCs:
    * Stoney Ridge
    * Picasso
    * Cezanne
    * Mendocino
    * Phoenix

General notes:

* Check the output of `lspci` to determine what processor/chipset
  family your system has. Processor/chipset support is the most
  important to determine if a board can be ported.
* Check the output of `superiotool` to see if it detects the Super I/O
  on the system. You can also check board schematics and/or boardviews
  if you can find them, or physically look at the mainboard for a chip
  from one of the common superio vendors.
* Check what EC your system has (mostly applicable to laptops, but some
  desktops have EC-like chips). You will likely need to refer to the
  actual board or schematics/boardviews for this. Physical observation
  is the most accurate identification procedure; software detection can
  then be used to double-check if the chip is correct, but one should
  not rely on software detection alone to identify an EC.


### How do I port coreboot to [this board]?

A critical piece for anyone attempting to do a board port is to make
sure that you have a method to recover your system from a failed flash.

We need an updated motherboard porting guide, but currently the guide
on the [wiki](https://www.coreboot.org/Motherboard_Porting_Guide) looks
to be the best reference.

At the moment, the best answer to this question is to ask for help on
one of the [various community
forums](https://doc.coreboot.org/community/forums.html).


### What about the Intel ME?

There seems to be a lot of FUD about what the ME can and can’t do.
coreboot currently does not have a clear recommendation on how to
handle the ME. We understand that there are serious concerns about the
ME, and would like to flatly recommend removing as much as possible,
however modifying the ME can cause serious stability issues.

Additionally, coreboot and the Intel ME are completely separate entites
which in many cases simply happen to occupy the same flash chip. It is
not necessary to run coreboot to modify the ME, and running coreboot
does not imply anything about the ME's operational state.


#### A word of caution about the modifying ME

Messing with the ME firmware can cause issues, and this is outside the
scope of the coreboot project.

If you do decide to modify the ME firmware, please make sure coreboot
works **before** messing with it. Even if the vendor boot firmware
works when the ME isn't operating normally, it's possible that coreboot
doesn't handle it the same way and something breaks. If someone asks
for help with coreboot and we think the ME state may be a factor, we'll
ask them to try reproducing the issue with the ME running normally to
reduce the number of variables involved. This is especially important
when flashing coreboot for the first time, as it's best for newbies to
start with small steps: start by flashing coreboot to the BIOS region
and leaving the remaining regions untouched, then tinker around with
coreboot options (e.g. other payloads, bootsplash, RAM overclock...),
or try messing with the ME firmware **without changing coreboot**.

Most people don't understand the implications of messing with the ME
firmware, especially the use of `me_cleaner`. We admit that we don't
know everything about the ME, but we try to understand it as much as
possible. The ME is designed to operate correctly with the HAP (or
AltMeDisable) bit set, and it will gracefully enter a debug state (not
normal, but not an error). However, when using `me_cleaner` to remove
parts of the ME firmware, the ME will often end up in an error state
because parts of its FW are missing. It is known that removing some of
these parts ([`EFFS` and `FCRS` on Cougar Point,
c.f.](https://review.coreboot.org/c/coreboot/+/27798/6/src/mainboard/asus/p8h61-m_lx/Kconfig#63))
can cause problems. We do not know whether the state the ME ends up in
after applying `me_cleaner` is as secure as the state the ME goes to
when only the HAP bit is set: the removed FW modules could contain
steps to lock down important settings for security reasons.

To sum up, **we do not recommend messing with the ME firmware**. But if
you have to, please use `ifdtool` to set the HAP bit initially before
progressing to `me_cleaner` if necessary.