RocketGit

libreboot / lbwww (public) (License: Unspecified) (since 2023-04-11) (hash sha1)

libreboot website (markdown files). https://libreboot.org/

Clone URLs: https://rocketgit.com/user/libreboot/lbwww ssh://rocketgit@ssh.rocketgit.com/user/libreboot/lbwww git://git.rocketgit.com/user/libreboot/lbwww

25.04 master

List of commits:

Subject	Hash	Author	Date (UTC)
update the 820 g2 hp guide	a6d33c415884f109b4b040e92bea2d31730f3704	Leah Rowe	2024-08-30 01:36:57
hp2560.md: remove note about wifi	002b0520f4b361e59b480fa971acfca3f73ea90b	Leah Rowe	2024-08-30 00:47:04
clarify pre-install requirement for latitudes	406f9f03529764bf3a2011e08653b36b64310c84	Leah Rowe	2024-08-29 22:59:28
actually add latitude.md	1b938fa4147b6734c29ed8e83a65a319794a88ac	Leah Rowe	2024-08-29 22:57:10
unified dell latitude instructions	ac0e6833360bd9b0e7ccd51b07bd0c80ce5168da	Leah Rowe	2024-08-29 22:54:48
update commands on the porting page	040a918adf09eac5ed119bcb7d721dbace29ff2f	Leah Rowe	2024-08-29 21:21:02
add safety link on the e6400 news page	1687ff6e98205ce7f430fdc42e7089882903c2c0	Leah Rowe	2024-08-29 21:20:29
add safety link on the 20240612 page	a2e2d85ca17e070f93a9d955c505034b08cc0deb	Leah Rowe	2024-08-29 21:19:58
maintain/style: update err reference	d450d080ffd70161feaa7734140378987c834d58	Leah Rowe	2024-08-29 20:11:48
ivy_has_common: explicitly mention latitudes	9909590362282181f8507320d0738171e9e270b1	Leah Rowe	2024-08-29 00:00:37
grammar	feda02a728026e6e3dd92d0d957bbe4a4c433d0d	Leah Rowe	2024-08-27 15:29:19
policy: re-add section saying why fsdg sucks	e8aaa24fb8b747f790a26931d7ba669a5f30ec97	Leah Rowe	2024-08-27 15:27:19
add safety instructions on ivy_has_common	3c4f5d78e314e405cdb1215230c7ae9d490805e4	Leah Rowe	2024-08-27 03:12:07
shorten ivy_has_common.md	87fb10032cdd73a1880478c0467c92fd9c68f93a	Leah Rowe	2024-08-27 03:06:28
complete cleanup of grub.cfg docs	c50c0e16768ac5e62a3a4cb8d0f6455bf280afdd	Leah Rowe	2024-08-27 00:38:53
make grub_cbfs.md a bit clearer	30cae6536afde27d05c2e5c8c44a51ae2b89590c	Leah Rowe	2024-08-26 21:36:21
grub_hardening: document addition security/safety	c6fde88de753766836a7ab5d579671b9853e4a7d	Leah Rowe	2024-08-26 20:55:49
clarifification about flash descriptor override	a54283de34b7a676ca92c18dbe25b81f81467399	Leah Rowe	2024-08-26 20:24:32
clarify ifdtool location for grub hardening	972de7d8405dace7601046e76a1057369b4a0b84	Leah Rowe	2024-08-26 17:53:47
improved grub hardening guide	2e6ed95570fd8997179085a7619148e25df11093	Leah Rowe	2024-08-26 17:51:02

Commit a6d33c415884f109b4b040e92bea2d31730f3704 - update the 820 g2 hp guide

make it easier to read

Signed-off-by: Leah Rowe <info@minifree.org>

Author: Leah Rowe
Author date (UTC): 2024-08-30 01:36
Committer name: Leah Rowe
Committer date (UTC): 2024-08-30 01:36
Parent(s): 002b0520f4b361e59b480fa971acfca3f73ea90b
Signer:
Signing key:
Signing status: N
Tree: dc379676aeeb110613fbace07b91b99f09c0b528

File	Lines added	Lines deleted
site/docs/hardware/hp820g2.md	51	188

File site/docs/hardware/hp820g2.md changed (mode: 100644) (index f5bacb0..45b0bc5)
...	...	P: Partially works with blobs*
59	59	\| SeaBIOS with GRUB \| Works \|	\| SeaBIOS with GRUB \| Works \|
60	60	</div>	</div>
61	61
	62		Brief board info:
	63
62	64	Full hardware specifications can be found on HP's own website:	Full hardware specifications can be found on HP's own website:
63	65
64	66	<https://support.hp.com/gb-en/document/c04543492>	<https://support.hp.com/gb-en/document/c04543492>

...	...	Full hardware specifications can be found on HP's own website:
66	68	Introduction	Introduction
67	69	============	============
68	70
69		**Unavailable in Libreboot 20231106 or earlier. You must [compile from
70		source](../build/), or use a release newer than 20231106.**
71
72		This is a beastly 12.5" Broadwell machine from HP, the main benefit of which is
73		greater power efficiency (compared to Ivybridge and Haswell platforms), while
74		offering similar CPU performance but much higher graphics performance.
75
76		Variants exist with either Intel Core i5-5200U, i5-5300U, i7-5500U or
77		i7-5600U and it comes with a plethora of ports; 3x USB 3.0, DisplayPort (which
78		can do 4K 60Hz), a VGA port, can be expanded to 32GB RAM, has 3 slots which
79		can take SSDs (PCIe, M2 and regular SATA), also has a side dock connector (for
80		a docking station). The screen is eDP type and can be upgraded to 1920x1080.
81
82		This is a nice portable machine, with very reasonable performance. Most people
83		should be very satisfied with it, in daily use. It is widely available in
84		online market places. This page will tell you how to flash it!
85
86		All variants of this mainboard will come with Intel HD 5500 graphics, which has
87		completely free software initialisation in coreboot, provided by libgfxinit.
88
89		Build ROM image from source
90		---------------------------
91
92	71	First, install the build dependencies and initialise git, using the	First, install the build dependencies and initialise git, using the
93	72	instructions in [building from source](../build/). Unless you're using a	instructions in [building from source](../build/). Unless you're using a
94	73	release after Libreboot 20231106, you must use the latest `lbmk.git`.	release after Libreboot 20231106, you must use the latest `lbmk.git`.
95	74
96		The build target, when building from source, is thus:
	75		Please build this from source with lbmk:
97	76
98	77	./mk -b coreboot hp820g2_12mb	./mk -b coreboot hp820g2_12mb
99	78
100		NOTE: The actual flash is 16MB, but you must flash only the first 12MB of it.
101		The ROM images provided by Libreboot are 12MB.
102
103		There is a separate 2MB system flash that you must erase, prior to
104		installing Libreboot. This, along with Libreboot's modified IFD, bypasses
105		the security (HP Sure Start) that the vendor put there, allowing you to
106		use coreboot-based firmware such as Libreboot.
107
108		Installation
109		============
110
111		Insert binary files
112		-------------------
113
114		If you're using a release ROM, please ensure that you've inserted extra firmware
115		required refer to the [guide](../install/ivy_has_common.md) for that. (**failure
116		to adhere to this advice will result in a bricked machine**)
117
118		If you're building from source (using lbmk), the steps takes above are done
119		for you automatically, inserting all of the required files. The above link is
120		only relevant for release images, which lack some of these files.
121
122		Set MAC address
123		---------------
124
125		This platform uses an Intel Flash Descriptor, and defines an Intel GbE NVM
126		region. As such, release/build ROMs will contain the same MAC address. To
127		change the MAC address, please read [nvmutil documentation](../install/nvmutil.md).
128
129		Update an existing Libreboot installation
130		-----------------
131
132		<img class="l" tabindex=1 alt="HP EliteBook 820 G2" class="p" src="https://av.libreboot.org/hp820g2/hp820g2_backlit.jpg" /><span class="f"><img src="https://av.libreboot.org/hp820g2/hp820g2_backlit.jpg" /></span>
133
134		NOTE: This section only applies if you haven't enabled write protection. You
135		can otherwise use the external flashing instructions (see below) for both the
136		initial installation and updates, but for updates you don't need to re-erase
137		the private flash, if it was already erased.
138
139		If you're already running Libreboot, and you don't have flash protection
140		turned on, [internal flashing](../install/) is possible, but please note:
141
142		You must only flash the first 12MB, and nothing in the final 4MB of the flash.
143		This is because the EC firmware is in flash, and we don't touch that during
144		initial installation or during updates.
145
146		Update it like so:
147
148		Create a dummy 16MB ROM like so:
149
150		```
151		dd if=/dev/zero of=new.bin bs=16M count=1
152		```
153
154		Then insert your 12MB Libreboot ROM image into the dummy file:
155
156		```
157		dd if=libreboot.rom of=new.bin bs=12M count=1 conv=notrunc
158		```
159
160		The `libreboot.rom` file is the 12MB image from Libreboot. The `new.bin`
161		file is the Libreboot ROM, padded to 16MB. You will not flash the entire 16MB
162		file, but flashprog detects a 16MB flash IC. This just makes flashrom not
163		complain about mismatching ROM/chip size.
164
165		NOTE: Libreboot standardises on [flashprog](https://flashprog.org/wiki/Flashprog)
166		now, as of 27 January 2024, which is a fork of flashrom.
167
168		You should flash each region individually:
169
170		```
171		flashprog -p internal --ifd -i gbe -w new.bin --noverify-all
172		flashprog -p internal --ifd -i bios -w new.bin --noverify-all
173		flashprog -p internal --ifd -i me -w new.bin --noverify-all
174		flashprog -p internal --ifd -i ifd -w new.bin --noverify-all
175		```
176
177		NOTE: The `--ifd` option uses the regions defined in the flashed IFD, so
178		they must match the ROM. You can otherwise dump a layout file and use that,
179		using the instructions below (using `-l layout.txt` instead of `--ifd`).
180
181		NOTE: If you already did an installation before, and you don't want to
182		[change the MAC address](../install/nvmutil.html) stored in the gbe region,
183		you can skip the gbe/ifd/me regions as above, and flash just the BIOS region.
184
185		NOTE: Use of `--ifd` requires flashrom 1.2 or higher. If you have an older
186		version, or you don't have `--ifd`, you could instead do:
187
188		```
189		ifdtool -f layout.txt libreboot.rom
190		```
191
192		Then, instead of `--ifd` you would use `-l layout.txt`.
193
194		ALSO: The `--ifd` option makes flashrom flash regions based on what's in
195		the current flashed IFD.
196
197		Flashing Libreboot first time (hardware)
198		========================================
199
200		**PLEASE ENSURE that you dump a copy of both flash ICs (system flash and
201		private flash). Take two dumps of each, and make sure each has two good hashes.
202		This is because there are certain files that, while you may not need for a
203		regular Libreboot installation, may be useful for recovery purposes. You have
204		been warned!**
205
206		This section is relevant to you if you're still running the original HP
207		firmware. You must [flash externally](../install/spi.md).
208
209		Take stock of these further notes, because there are extra steps that you
210		must take.
	79		More information is available in the [build guide](../build/), including how
	80		to install build dependencies. Building from source is required, because there
	81		aren't any ROM images for this board, in regular Libreboot releases. The
	82		reason is that the vendor inject scripts don't currently work, because coreboot
	83		compresses the refcode when inserting it at build time, and the process of
	84		compression is not yet reproducible; it's not feasible to do so, and making
	85		it not be compressed in flash would not be ideal either, so this is simply
	86		a source-only port in Libreboot.
211	87
212	88	HP Sure Start	HP Sure Start
213		-------------
	89		=============
214	90
215	91	There is a 16MB flash and a 2MB flash. Read this page for info:	There is a 16MB flash and a 2MB flash. Read this page for info:
216	92	<https://doc.coreboot.org/mainboard/hp/hp_sure_start.html>	<https://doc.coreboot.org/mainboard/hp/hp_sure_start.html>

...	...	flash IC).
225	101
226	102	You might want to dump the private flash first, just in case (use `-r priv.rom`	You might want to dump the private flash first, just in case (use `-r priv.rom`
227	103	or whatever filename you want to dump to, and take two dumps, ensuring that	or whatever filename you want to dump to, and take two dumps, ensuring that
228		the hashes match). The private (2MB) flash is inaccessible from your OS. The
	104		the hashes match); one dump for the first erase, and another for the next
	105		erase. If they match, then the erase was likely a success. The private (2MB)
	106		flash is inaccessible from your OS. The
229	107	system stores hashes of the IFD, GbE and a copy of IFD/GbE in private flash,	system stores hashes of the IFD, GbE and a copy of IFD/GbE in private flash,
230	108	restoring them if they were modified, but erasing the private flash disables	restoring them if they were modified, but erasing the private flash disables
231	109	this security mechanism.	this security mechanism.

...	...	Here is a photo of the board, with the flashes:
234	112
235	113	![HP 820 G2 flash](https://av.libreboot.org/hp820g2/hp820g2_flash.jpg)	![HP 820 G2 flash](https://av.libreboot.org/hp820g2/hp820g2_flash.jpg)
236	114
237		HP bootblock
238		------------
	115		<https://doc.coreboot.org/mainboard/hp/elitebook_820_g2.html>
239	116
240		See: <https://doc.coreboot.org/mainboard/hp/elitebook_820_g2.html?highlight=elitebook>
	117		Make sure to read and understand all of this first, before attempting
	118		the Libreboot installation, because it's also important when updating
	119		Libreboot later on.
241	120
242		In this page it talks about HP's own bootblock and EC firmware. These are in
243		the final 4MB of the flash. You must not modify these, because you will brick
244		your machine unless the IFD is modified;
	121		Installation of Libreboot
	122		=========================
245	123
246		This is why Libreboot provides 12MB images. The IFD in Libreboot is modified, as
247		per this coreboot documentation, to make the BIOS region end at the last byte
248		of the first 12MB in flash, bypassing HP's security entirely. In other words,
249		you can run whatever you want (such as Libreboot) in the first 12MB of flash,
250		so long as the upper 4MB is untouched and the private 2MB flash has been erased.
	124		Make sure to set the MAC address in the flash:
	125		[Modify MAC addresses with nvmutil](../install/nvmutil.md).
251	126
252		With Libreboot's modified IFD, HP's own bootblock is never executed, but the
253		EC firmware is, and must be left alone. You do not to insert it in your
254		Libreboot ROM because it's already in flash, within that last 4MB.
	127		Refer to the [Libreboot flashing guides](../install/spi.md)
255	128
256		Flash a ROM image (hardware)
257		-----------------
	129		Here are the flash ICs:
258	130
259		**REMOVE all power sources like battery, charger and so on, before doing this.
260		This is to prevent short circuiting and power surges while flashing.**
	131		![](https://av.libreboot.org/hp820g2/hp820g2_flash.jpg)
261	132
262		For general information, please refer to [25xx NOR flash
263		instructions](../install/spi.md).
	133		When you flash the 12MB image, please do the following with it:
264	134
265		Remove the bottom cover via the latch, and the flashes are accessible.
266		First, dump both flashes for backup, using the `-r` option (instead of `-w`)
267		in flashrom. Two dumps of each flash, make sure both dumps match for each chip.
	135		dd if=/dev/zero of=4mb.bin bs=4M count=1
	136		cat libreboot.rom 4mb.bin > libreboot16.rom
268	137
269		We will assume that your system flash (16MB) dump is named `dump.bin`. This is
270		the dump of your 16MB flash, containing HP's firmware, including the final
271		bootblock and EC firmware.
	138		Be careful: do not fully flash `libreboot16.rom`
272	139
273		This gives you everything, including the final 4MB. Now insert your new ROM
274		into a copy of `dump.bin`:
	140		Flash it like this, instead:
275	141
276	142	```	```
277		cp -R dump.bin new.bin
278		dd if=libreboot.rom of=new.bin bs=12M count=1 conv=notrunc
	143		flashprog -p PROGRAMMER --ifd -i gbe -w libreboot16.rom --noverify-all
	144		flashprog -p PROGRAMMER --ifd -i bios -w libreboot16.rom --noverify-all
	145		flashprog -p PROGRAMMER --ifd -i me -w libreboot16.rom --noverify-all
	146		flashprog -p PROGRAMMER --ifd -i ifd -w libreboot16.rom --noverify-all
279	147	```	```
280	148
281		Flash `new.bin` to system flash (16MB IC) using the `-w` option in flashrom,
282		and erase the private (2MB) flash IC,
283		using the `--erase` option (instead of `-w filename.rom`) in flashrom.
	149		Replace `PROGRAMMER` according to whichever flasher you're using. You could
	150		also replace it with `internal`, if later flashing internally to update an
	151		existing Libreboot installation.
284	152
285		In the above example, you replaced the first 12MB of the HP dump with that of
286		your Libreboot image, but leaving the final 4MB intact which contains the EC
287		firmware. Libreboot's custom IFD sets everything so that all regions, from
288		IFD to GbE, ME and then BIOS region, exist within the first 12MB of flash.
289		This makes the machine boot from the end of the 12MB section, containing the
290		coreboot bootblock, instead of the HP bootblock (which is never executed but
291		must remain intact).
	153		If you're flashing internally, add `--noverify-all` to the flashprog
	154		command.
292	155
293		It's very important that you erase the 2MB flash. Be careful not to
294		erase the system (16MB flash). This is yet another reason why you should keep
295		a backup of both flash ICs, just in case (dumped using `-r` in flashrom).
	156		To erase the 2MB flash, do this:
296	157
297		![](https://av.libreboot.org/hp820g2/hp820g2.jpg)
298
299		![](https://av.libreboot.org/hp820g2/hp820g2_inside.jpg)
	158		```
	159		flashprog -p PROGRAMMER --erase
	160		```
300	161
301		And that's all. Refer to other documents on Libreboot's website for how
302		to handle Linux/BSD systems and generally use your machine.
	162		Refer generally to the [main flashing guide](../install/) and to
	163		the [external flashing guide](../install/spi.md) so that you can learn how
	164		to actually flash it.
303	165
304	166	TPM 2.0 potentially supported	TPM 2.0 potentially supported
305	167	==============================	==============================

...	...	don't need to mess with this at all, when you build Libreboot yourself.
325	187	You can see how this works, by looking at the patch which added 820 G2 support:	You can see how this works, by looking at the patch which added 820 G2 support:
326	188	<https://browse.libreboot.org/lbmk.git/commit/?id=401c0882aaec059eab62b5ce467d3efbc1472d1f>	<https://browse.libreboot.org/lbmk.git/commit/?id=401c0882aaec059eab62b5ce467d3efbc1472d1f>
327	189
328		If you're using release builds, the MRC, refcode and (neutered) ME images are
329		missing from flash, and must be re-inserted, using the instructions
330		on [this page](../install/ivy_has_common.md).
	190		![](https://av.libreboot.org/hp820g2/hp820g2.jpg)
	191
	192		Yay. If you see this boot screen, you should be proud. This is a really
	193		hard machine to flash.

Hints:
Before first commit, do not forget to setup your git environment:

git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):

git clone https://rocketgit.com/user/libreboot/lbwww

Clone this repository using ssh (do not forget to upload a key first):

git clone ssh://rocketgit@ssh.rocketgit.com/user/libreboot/lbwww

Clone this repository using git:

git clone git://git.rocketgit.com/user/libreboot/lbwww

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:

... clone the repository ...
... make some changes and some commits ...
git push origin main