libreboot / lbwww (public) (License: Unspecified) (since 2023-04-11) (hash sha1)
libreboot website (markdown files). https://libreboot.org/
List of commits:
Subject Hash Author Date (UTC)
deguard page 4252ddd1cd7665e4472b59d37871b015840342a6 Leah Rowe 2024-12-05 19:02:46
"software" b8c5061c4058d7dda7074be2208b62b3c53c8adb Leah Rowe 2024-12-05 17:49:42
remove link for now 398b561be6444d329caf85ba978937203d88594a Leah Rowe 2024-12-05 17:45:44
add missing credit 0e5f22ed49dc7267730be21002e44f5ffb634d4b Leah Rowe 2024-12-05 17:44:12
ThinkPad T480 information 1894f05981cde840f47cbf4f3d17961409181a85 Leah Rowe 2024-12-05 17:30:33
link correction e6e5b19fde6f17ce48070c21da47e6e1ad61d7be Leah Rowe 2024-11-29 08:07:11
examples dffa2df965688d05b38bf69d1ec9ac0fbe4a22d5 Leah Rowe 2024-11-29 08:00:13
remove mentions of thinkpad w530/w520 5896b5c167325f75cb15977bf949790dfd4a451f Leah Rowe 2024-11-27 20:58:51
Tweak docs to not assert that W520/T520 are the same 21e897ed5d8fff380cec7911b3c7c7a85c8fac54 Leah Rowe 2024-11-27 14:59:57
fix typo in hp 820 elitebook flashing info 3616f9ca86117291510c379904cbccc9805534bf Leah Rowe 2024-11-17 23:35:58
Dell OptiPlex 780 documentation f4c3c6a25cac105bf06a770bbdef8e9ce113331a Leah Rowe 2024-11-02 06:37:04
tasks page: add note about 3050micro hang workaround 640e8981e85335274778cc2f3ada7eb74fa869b0 Leah Rowe 2024-10-27 18:42:17
fix dell3050 compatibility notes d362563e615872e38ae63718f1c8f399e39d604c Leah Rowe 2024-10-25 04:49:15
dell3050: fix note about flash chip size (16MB) de314093929f8f0ecf710579504f17a22406645a Leah Rowe 2024-10-14 15:12:52
notes about dell precision t1700 92057903870ebcf0da67422635c72938c1889a44 Leah Rowe 2024-10-11 22:33:01
update notes about dell 3050 micro d4203520d0b5eb6fecaee38d4f64373d3c7cd148 Leah Rowe 2024-10-11 16:21:59
grammar 163876482fbe2d2a69b5945e666f502e332b598a Leah Rowe 2024-10-08 22:59:07
typo: notifications, not notificatios 9e233dbc4a61970eeaf3b7601a00bdaf1f406cd1 Leah Rowe 2024-10-08 22:50:31
make the 7010 announcement a link 3be1e15f4a3f36e1c05b230678ecce2c73384711 Leah Rowe 2024-10-08 22:49:55
update download page references ede57eb22a427284710031ae59c23826fe89860b Leah Rowe 2024-10-08 22:39:03
Commit 4252ddd1cd7665e4472b59d37871b015840342a6 - deguard page
more of a philosophical rant but eh

Signed-off-by: Leah Rowe <info@minifree.org>
Author: Leah Rowe
Author date (UTC): 2024-12-05 19:02
Committer name: Leah Rowe
Committer date (UTC): 2024-12-05 19:02
Parent(s): b8c5061c4058d7dda7074be2208b62b3c53c8adb
Signer:
Signing key:
Signing status: N
Tree: e5da7b18cf2631b4461ff183616998f0df67f9ce
File Lines added Lines deleted
site/docs/install/deguard.md 78 0
File site/docs/install/deguard.md added (mode: 100644) (index 0000000..95ced55)
1 ---
2 title: Disabling Intel Boot Guard on MEv11
3 x-toc-enable: true
4 ...
5
6 This covers Intel Skylake, Kaby Lake and Kaby Lake Refresh / Coffeelake
7 machines; note that Coffeelake includes KabyLake Refresh and may have MEv12.
8 This page concerns only those platforms that have Intel MEv11, not MEv12. The
9 facts on this page are applicable to both *mobile* and *desktop* platforms.
10
11 The Intel Boot Guard is a security mechanism implemented by intel, but not all
12 vendors enable it. If enabled, the bootblock in the flash is protected at boot
13 time by cryptographic signature verification; this means only the vendor can
14 update the flash.
15
16 On systems with MEv11, a bug exists in older versions (of MEv11) that allows
17 for unsigned code execution, at a very early stage in the boot process, to the
18 point that almost all of the ME firmware in flash can be fully replaced. The
19 ME is also what implements Boot Guard, and the hack is possible *before* Boot
20 Guard is enforced, allowing for it to be disabled.
21
22 See: [CVE-2017-5705](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html)
23
24 Mate Kukri, who authored the ThinkPad T480/T480 and OptiPlex 3050 Micro ports,
25 wrote a tool called *deguard*, which Libreboot uses on these boards. This tool
26 reconfigures the ME, exploiting it so as to disable the Boot Guard.
27
28 This is done by externally flashing an older version. Libreboot's build system
29 automatically downloads this older version, runs `me_cleaner` on it, and applies
30 the deguard hack; this includes machine-specific ME configuration, which is
31 added per machine by extracting it from a dump of the original flash. The
32 resulting configuration (for the MFS partition in the ME) is then inserted into
33 the generic ME image.
34
35 Note that the deguard utility can *also* be used on MEv11 setups that *don't*
36 have Boot Guard, if you simply want to auto-download and neuter a generic ME
37 image, and then provide machine configuration. It is essentially doing the same
38 thing that Intel's own *FITC* utility does (Intel Flash Image Tool), which is
39 normally only available to vendors; the *deguard* utility written by Mate Kukri
40 is available under a free software license, and included by default in Libreboot
41 releases. It can be used for *any* MEv11-based system.
42
43 To download deguard in lbmk (Libreboot's build system), do this:
44
45 ./mk -f deguard
46
47 Then go in `src/deguard/` and the `README.md` file in there tells you more
48 information about how it works, and how to use it. You do not need to run
49 this tool yourself, unless you're adding a new board, because Libreboot is
50 programmed to use it automatically, during the build process (or during
51 insertion of vendor files after the fact, on release images).
52
53 With deguard, the machine is operating in a state as though the Boot Guard keys
54 were never fused, even if they were. [Previous work](https://trmm.net/TOCTOU/)
55 has been done by others, related to the Boot Guard, but nothing quite so
56 thorough and easy to use as deguard existed previously!
57
58 Mate Kukri was able to figure this out and implement deguard, using existing
59 work done by PT Research and Youness El Alaoui, exploiting the Intel SA 00086
60 bug which you can read more about here:
61
62 <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html>
63
64 <https://www.intel.com/content/www/us/en/support/articles/000025619/software.html>
65
66 Note that *Intel* refers to this as a means of a so-called *attacker* running
67 so-called *malicious* code; while this may also be possible in the strictest
68 sense, flash write protection is possible on these machines, which you can
69 read about on the [GRUB hardening](../linux/grub_hardening.md) page. Intel made
70 the Boot Guard without giving users control of it, so people have worked for
71 years to try to hack around it, as a matter of user freedom. So remember: when
72 Intel is talking about security, they mean *their* security, not yours. To them,
73 you are simply flashing malicious code. But they are the ones with malice.
74
75 Mate Kukri and others who work on such hacks are heroes, and they have done a
76 great service to the Libreboot project.
77
78 Many more machines are now possible to port to coreboot, thanks to this hack.
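Review bot: the write-protection caveat on lines 66-69 is the only mitigation guidance in the file and it sits inside the closing commentary; since deguard leaves the bootblock without signature verification at boot (lines 12-14 and 53-54), the sentence that flash write protection is still available, with its link to the GRUB hardening page, belongs directly after the paragraph on lines 53-56 so readers learn what protection they lose and what replaces it before reaching the opinion section. Line 24 reads "ThinkPad T480/T480", repeating the same model; the second entry is presumably a different board and should be corrected. Lines 6-9 give a confusing scope: "Coffeelake includes KabyLake Refresh and may have MEv12" sits awkwardly next to the first sentence listing Coffeelake as covered, and "Kaby Lake" / "KabyLake" is spelled two ways; stating plainly that the page applies only to MEv11 machines and that MEv12 parts are out of scope would be clearer. Line 28 says "externally flashing an older version" without naming what is flashed; "an older ME firmware version" reads better. Check that line 45's `./mk -f deguard` is indented or fenced as a code block, since without that it renders as body text. Minor: "intel" on line 11 should be capitalised, and the SA-00086 advisory URL on line 22 is repeated verbatim on line 62.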