(Backdoor) Free BIOSes with Libreboot
Kyle Rankin
VP of Engineering Operations
Final, Inc.
Agenda
- What is Libreboot?
- Intel Management Engine
- Intel Active Management Technology
- Supported Hardware
- Why Libreboot?
- Why Not Libreboot?
- Initial Installation: Easy (X60)
- Initial Installation: Hardcore (X200)
- Raspberry Pi as Flashrom Platform
- Questions?
What is Libreboot?
- To understand Libreboot, you must first understand Coreboot.
What is Coreboot?
- Open Source BIOS replacement
- Wide range of hardware support
- BIOS of choice for Chromebooks
- Often requires binary blobs to work:
- VGA BIOS support
- Intel Management Engine
- Other Hardware Support
- Can sometimes be difficult to install.
Intel Management Engine
- Firmware and coprocessor required to initialize hardware
- Also initializes network hardware w/ MAC address
- Required binary blob for Coreboot post X60
- Includes nifty features like Active Management Technology.
Intel Active Management Technology
- Designed for out-of-band management of hardware
- Runs independently of BIOS or OS if computer has power
- Allows IT to remotely:
- Power up, power down, boot
- Redirect console and keyboard/mouse/video
- Flash and update BIOS
- Access unique hardware IDs before boot
- Monitor packet headers for security threats
- So much more!
- Fantastic place to put a back door!
What is Libreboot?
- Completely Free Software distribution of Coreboot
- Coreboot minus all binary blobs
- Created by separate team (many from Gluglug)
- Has limited hardware support
- Includes simplified installer
- Uses GRUB to boot directly.
Supported Hardware
- ASUS KFSN4-DRE server/workstation board
- Lenovo ThinkPad X60/X60s
- Lenovo ThinkPad X60 Tablet
- Lenovo ThinkPad T60*
- Lenovo ThinkPad X200
- Lenovo ThinkPad R400
- Lenovo ThinkPad T400
- Lenovo ThinkPad T500
- Apple MacBook1,1
- Apple MacBook2,1
Why Libreboot?
- Support Free Software
- Faster boot times
- Concerned about backdoors in proprietary software
- No Management Engine in Libreboot*
- Supported hardware is relatively cheap used.
Why Not Libreboot?
- Supported hardware older, slower
- Changing boot settings == reflash BIOS
- Simpler than coreboot, but still complicated
- Initial install requires overwriting original BIOS
- Risk of bricking your laptop
- May require hardware flashing.
Initial Installation: Easy (X60)
- X60 has widest Libreboot support
- No Intel Management Engine to bypass
- Can flash completely in software
- Two well-known BIOS chip types, scripts for both
- Still risk of bricking
- Can find for around $30 used.
X60 Install: Get Binaries, Backup BIOS
- Can also build from source if you want
- Download latest libreboot_util.tar.xz from http://libreboot.org/download/
- Download latest libreboot_x60.tar.xz from rom directory
- Extract files, then cd to libreboot_util
- Backup existing BIOS:
sudo ./flashrom/i686/flashrom_lenovobios_sst -p internal -r factory.bin
sudo ./flashrom/i686/flashrom_lenovobios_macronix -p internal -r factory.bin
One will fail, other will create factory.bin
Back up factory.bin somewhere!
X60 Install: First Flash
- Two flash stages
- First stage bootstraps Libreboot, keeps old BIOS recoverable
- If running 20150518, apply x60flashscript.patch
- From libreboot_util dir:
sudo ./flash i945lenovo_firstflash ../x60/x60_usqwerty_vesafb.rom
Should see scary and confusing output:
"Updated BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped".
. . .
"Your flash chip is in an unknown state", "FAILED" and "DO NOT REBOOT OR POWEROFF"
If you see the first output, the second scary warning means it worked
Now shut down, wait a few seconds, then boot into OS with Libreboot
If won't boot, remove CMOS battery, wait, then boot.
X60 Install: Second Flash
- Second flash completely overwrites BIOS with Libreboot
- cd to libreboot_util:
sudo ./flash i945lenovo_secondflash ../x60/x60_usqwerty_vesafb.rom
Less scary output:
"Updated BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is untranslated"
. . .
"Verifying flash... VERIFIED."
Initial Installation: Hardcore (X200)
- X200 more involved, but newer hardware
- Has Intel ME. Libreboot team replaces with their code
- No software bootstrapping, requires hardware flash
- X200 has 4Mb and 8Mb BIOS options, to see what you have:
sudo dmidecode | grep ROM\ Size
ROM Size: 8192 kB
Will have to order an 8- or 16-pin Pomona clip
4Mb BIOS chip = 8 pin, 8Mb = 16 pin.
X200 Install: Build ROM
- Download latest libreboot_util.tar.xz from http://libreboot.org/download/
- Download libreboot_x200_(4|8)mb.tar.xz to match your X200
- Extract both files
- Default X200 ROM has generic MAC in free ME replacement
- Need to generate a new image with your MAC:
cd libreboot_util
./ich9deblob/x86_64/ich9gen --macaddress XX:XX:XX:XX:XX:XX
creates two files, ich9fdgbe_4m.bin and ich9fdgbe_8m.bin
Pick the one that matches your chip, create a copy of the x200 rom, and overwrite it:
cp ../x200_8mb/x200_8mb_usqwerty_vesafb.rom x200_8mb-custom.rom
dd if=ich9fdgbe_8m.bin of=x200_8mb-custom.rom bs=1 count=12k conv=notrunc
Now you are ready to flash.
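A check worth running before flashing, as an added example that is not from the talk or the Libreboot project: it confirms the custom ROM differs from the stock ROM only in the first 12 KiB written by the dd command above. The function name verify_overlay and its argument order are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the dd overlay touched only the first 12 KiB.
REGION_BYTES=12288   # the count=12k region written by dd

# verify_overlay STOCK_ROM ICH9GEN_BIN CUSTOM_ROM   (hypothetical helper)
# Returns 0 only when CUSTOM_ROM is STOCK_ROM with its first 12 KiB replaced
# by ICH9GEN_BIN and nothing else changed.
verify_overlay() {
    stock=$1
    region=$2
    custom=$3
    stock_size=$(wc -c < "$stock")
    custom_size=$(wc -c < "$custom")
    # Without conv=notrunc, dd truncates the ROM to 12 KiB.
    if [ "$stock_size" -ne "$custom_size" ]; then
        echo "size changed: $stock_size -> $custom_size bytes" >&2
        return 1
    fi
    # The ich9gen output must cover the whole region.
    if [ "$(wc -c < "$region")" -lt "$REGION_BYTES" ]; then
        echo "$region is shorter than $REGION_BYTES bytes" >&2
        return 1
    fi
    # The first 12 KiB of the custom ROM must be the ich9gen output.
    if ! cmp -s -n "$REGION_BYTES" "$region" "$custom"; then
        echo "first $REGION_BYTES bytes do not match $region" >&2
        return 1
    fi
    # Everything after the region must be byte-identical to the stock ROM.
    if ! cmp -s "$stock" "$custom" "$REGION_BYTES" "$REGION_BYTES"; then
        echo "bytes after offset $REGION_BYTES differ from $stock" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh verify_overlay.sh stock.rom ich9fdgbe_8m.bin custom.rom
if [ "$#" -eq 3 ]; then verify_overlay "$@"; fi
```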
Raspberry Pi as Flashrom Platform
X200 Install: Flashing
- Open up X200 and identify BIOS chip, connect Pomona clip
- Make sure SPI modules are loaded:
sudo modprobe spi_bcm2708
sudo modprobe spidev
Use flashrom to copy down old BIOS:
sudo ./flashrom -p linux_spi:dev=/dev/spidev0.0 -r factory1.rom
May not work first time, repeat until succeeds
Make at least 3 successful copies (factory[123].rom) and compare:
sha512sum factory*.rom
Make sure at least two agree, those are your valid copies to backup
Flash new BIOS:
sudo /path/to/flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 \
-w /path/to/x200_8mb-custom.rom -V
Repeat until succeeds:
Verifying flash... VERIFIED.
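The "at least two agree" check on the factory dumps, as an added example that is not from the talk: it hashes each read and prints one dump confirmed by a second identical read. The helper names are hypothetical, and the rejection of constant-fill reads is an addition, based on the assumption that a clip not making contact tends to return all 0xFF or all 0x00, so two such reads would agree with each other.

```shell
#!/bin/sh
# Added example: pick a trustworthy factory dump from repeated flashrom reads.

# is_constant_fill FILE (hypothetical helper): true when FILE holds only 0xFF
# bytes or only 0x00 bytes.
is_constant_fill() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -eq 0 ] ||
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# agreed_dump FILE... (hypothetical helper): print one dump whose SHA-512
# matches at least one other dump; return 1 when no two usable dumps agree.
agreed_dump() {
    best_count=0
    best_file=
    for f in "$@"; do
        # Skip missing, empty and constant-fill reads: two bad reads can agree.
        if [ ! -s "$f" ] || is_constant_fill "$f"; then
            echo "rejecting $f: missing, empty or constant fill" >&2
            continue
        fi
        h=$(sha512sum < "$f" | cut -d' ' -f1)
        n=0
        for g in "$@"; do
            if [ -s "$g" ] && [ "$(sha512sum < "$g" | cut -d' ' -f1)" = "$h" ]; then
                n=$((n + 1))
            fi
        done
        if [ "$n" -gt "$best_count" ]; then
            best_count=$n
            best_file=$f
        fi
    done
    if [ "$best_count" -ge 2 ]; then
        echo "$best_file"
        return 0
    fi
    echo "no two usable dumps agree; re-seat the clip and read again" >&2
    return 1
}

# Stand-alone use: sh agreed_dump.sh factory1.rom factory2.rom factory3.rom
if [ "$#" -gt 0 ]; then agreed_dump "$@"; fi
```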
Questions?
Additional Resources