libreboot website (markdown files). https://libreboot.org/
List of commits:
| Subject | Hash | Author | Date (UTC) |
|---|---|---|---|
| grub_hardening: document addition security/safety | c6fde88de753766836a7ab5d579671b9853e4a7d | Leah Rowe | 2024-08-26 20:55:49 |
| clarifification about flash descriptor override | a54283de34b7a676ca92c18dbe25b81f81467399 | Leah Rowe | 2024-08-26 20:24:32 |
| clarify ifdtool location for grub hardening | 972de7d8405dace7601046e76a1057369b4a0b84 | Leah Rowe | 2024-08-26 17:53:47 |
| improved grub hardening guide | 2e6ed95570fd8997179085a7619148e25df11093 | Leah Rowe | 2024-08-26 17:51:02 |
| remove redundant i945 thinkpad unbrick info | 9bc8fb3eba363f5d68086d55fb6ad8222c4de687 | Leah Rowe | 2024-08-26 02:47:30 |
| move devmem.md to correct location | 41861ae96f70d243634198c19c4353ed1d529bc1 | Leah Rowe | 2024-08-26 02:14:08 |
| unified iomem=relaxed instructions | 1a330900d4b5934e043047d1c6dc7ea4b7702189 | Leah Rowe | 2024-08-26 02:12:42 |
| unified internal dell latitude flashing guide | d2e8cda2d111f9316c6d24086cdc079af179fba6 | Leah Rowe | 2024-08-26 01:22:04 |
| delete unused page | 82120ac94e131f56d965bbacabf016f502e224e2 | Leah Rowe | 2024-08-25 13:08:18 |
| update freedom-status | f8f58a679e6e9ecdcf67cbc2fbdb2c74bda3cb65 | Leah Rowe | 2024-08-25 11:05:23 |
| rounded borders on images | 111405dfe70c79b9da02dddc5ff8e801e9d0979c | Leah Rowe | 2024-08-24 13:46:29 |
| make text a bit darker (#ccc, not #eee) | 918b8a968a716a74eea575050df3010a35764a81 | Leah Rowe | 2024-08-23 14:30:41 |
| switch libreboot.org back to purple | bae3fad52cb2c9527024f7b0bd340e452b112057 | Leah Rowe | 2024-08-23 11:14:00 |
| snip | a2164297b94a5cc348a61af3e3ea3daa0329b23e | Leah Rowe | 2024-08-23 00:28:08 |
| re-add news/10.md | b5ca9e1686854c4c75fe90b0d18975319b726d9c | Leah Rowe | 2024-08-22 23:38:56 |
| w541: clarify notes about chip select | b7c7fd53e48b2300048b298191ce41cb49a47718 | Leah Rowe | 2024-08-18 00:26:14 |
| install/w541_external: new guide | f1151c0f3e620907bebf708efe1251c1aba894f9 | Leah Rowe | 2024-08-18 00:20:56 |
| ivy_has_common: add clarification | 47c02c29b71c7a08c06344b310841e8b53255c32 | Leah Rowe | 2024-08-18 00:09:45 |
| fix toc on ru homepage | 18940ed35d8610ccea7d90ef40df75a00a35ac21 | Leah Rowe | 2024-08-18 00:03:32 |
| fix link | 649118fc65522729306a5077cd4a5acadd950fbd | Leah Rowe | 2024-08-18 00:02:29 |
Commit c6fde88de753766836a7ab5d579671b9853e4a7d
- grub_hardening: document addition security/safety
Author date (UTC): 2024-08-26 20:55
Committer name: Leah Rowe
Committer date (UTC): 2024-08-26 20:55
Parent(s): a54283de34b7a676ca92c18dbe25b81f81467399
Signer:
Signing key:
Signing status: N
Tree: aaa64f5677e7d161471bb5598209baa0ba9adf1f
Signed-off-by: Leah Rowe <info@minifree.org>
Author: Leah RoweAuthor date (UTC): 2024-08-26 20:55
Committer name: Leah Rowe
Committer date (UTC): 2024-08-26 20:55
Parent(s): a54283de34b7a676ca92c18dbe25b81f81467399
Signer:
Signing key:
Signing status: N
Tree: aaa64f5677e7d161471bb5598209baa0ba9adf1f
| File | Lines added | Lines deleted |
|---|---|---|
| site/docs/linux/grub_hardening.md | 55 | 0 |
| File site/docs/linux/grub_hardening.md changed (mode: 100644) (index 18afe0f..6469e98) | |||
| ... | ... | to verify all files that it accesses. | |
| 16 | 16 | ||
| 17 | 17 | Let's begin. | Let's begin. |
| 18 | 18 | ||
| 19 | **Disable security before flashing** | ||
| 20 | ================================ | ||
| 21 | |||
| 22 | **Before internal flashing, you must first disable `/dev/mem` protections. Make | ||
| 23 | sure to re-enable them after you're finished.** | ||
| 24 | |||
| 25 | **See: [Disabling /dev/mem protection](../install/devmem.md)** | ||
| 26 | |||
| 27 | This only applies if you're following these instructions via internal | ||
| 28 | flashing, from an existing installation. | ||
| 29 | |||
| 30 | Back up your flash first! | ||
| 31 | ========================= | ||
| 32 | |||
| 33 | Make sure you also back up the current flash contents, before you proceed with | ||
| 34 | this guide. See: [Libreboot flashing guides](../install/) (it also says how | ||
| 35 | to read the flash, in addition to writing it) | ||
| 36 | |||
| 19 | 37 | Build dependencies | Build dependencies |
| 20 | 38 | ================== | ================== |
| 21 | 39 | ||
| ... | ... | Enable `CONFIG_STRICT_DEVMEM` in your Linux kernel, or set `securelevel` above | |
| 338 | 356 | zero on your BSD setup (but BSD cannot be booted with GRUB very easily so | zero on your BSD setup (but BSD cannot be booted with GRUB very easily so |
| 339 | 357 | it's a moot point). | it's a moot point). |
| 340 | 358 | ||
| 359 | Other write-protect methods | ||
| 360 | --------------------------- | ||
| 361 | |||
| 362 | The steps above do not require recompilation of the Libreboot images. However, | ||
| 363 | coreboot offers additional security at build time, which you can select if you | ||
| 364 | wish. | ||
| 365 | |||
| 366 | Let's assume your board is `x200_8mb`, do: | ||
| 367 | |||
| 368 | ./mk -m coreboot x200_8mb | ||
| 369 | |||
| 370 | Find this section: Security -> Boot media protection mechanism | ||
| 371 | |||
| 372 | In the above example, I found: | ||
| 373 | |||
| 374 | * Lock boot media using the controller | ||
| 375 | * Lock boot media using the chip | ||
| 376 | |||
| 377 | Which one to pick depends on your board. Let's pick "controller". | ||
| 378 | |||
| 379 | Now we can see: Security -> Boot media protected regions | ||
| 380 | |||
| 381 | In there, there is the option to ban writes, or to ban both reads and writes. | ||
| 382 | Banning reads may be desirable, for example if you have a salt hashed password | ||
| 383 | stored in `grub.cfg`! (as this guide told you to do) | ||
| 384 | |||
| 385 | You'll have to play around with this yourself. These options are not enabled | ||
| 386 | by default, because Libreboot images are supposed to allow writes by default, | ||
| 387 | when booted. You have to enable such security yourself, because the design of | ||
| 388 | Libreboot is to be as easy to use as possible by defalut, which include updates, | ||
| 389 | thus implying read-write flash permissions. | ||
| 390 | |||
| 391 | This example was for `x200_8mb`, but other boards may look different in config. | ||
| 392 | Anyway, when you're done, save the config and then build it from source in lbmk. | ||
| 393 | |||
| 394 | See: [build from source](../build/) | ||
| 395 | |||
| 341 | 396 | Install the new image | Install the new image |
| 342 | 397 | ===================== | ===================== |
| 343 | 398 | ||
Hints:
Before first commit, do not forget to setup your git environment:
Clone this repository using HTTP(S):
Clone this repository using ssh (do not forget to upload a key first):
Clone this repository using git:
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/libreboot/lbwww
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/libreboot/lbwww
Clone this repository using git:
git clone git://git.rocketgit.com/user/libreboot/lbwww
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main
... make some changes and some commits ...
git push origin main
RocketGit
Rocket your launch!
Rocket your launch!