Blob Matrix: Difference between revisions

From coreboot

Revision as of 16:36, 17 February 2014

This is the Blob Matrix. What is the Blob Matrix? It is a table in which we define, for different systems, what blobs there are. The goal is to have a common reference of types of blobs. Until we're sure we have the right list we don't need the matrix yet.

Consider, for example, the Google Pixel laptop. We can identify the following CPUs that affect coreboot or that it uses: EC, ME, main CPU.

For this example, we have the following blobs: ME, blob from Intel (replaceable, signed); main CPU: microcode (not practically replaceable), MRC (not practically replaceable), VGA BIOS (replaceable, proof of concept in repo).

Here is another system, the Snow Chromebook. It has an EC and a main CPU. The blobs are main CPU: BL0 (not replaceable), and BL1 (replaceable, signed).

My old x60, with coreboot on it: EC: EC OS (not replaceable); ME, blob from Intel (replaceable, signed); main CPU: microcode, BIOS, VGA BIOS

Let's consider the first coreboot systems: the L440GX, PowerPC, and Alpha.

The L440GX had no CPUs save the main CPU, and all of LinuxBIOS was open. There was no ACPI or SMM.

The PowerPC was, similarly, blob free.

We think the Alpha had an EC, which was closed and had a blob; it was otherwise blob free.

So:


| Mainboard | Chipset | EC Blob | ME Blob / Signed & Type | Mask ROM blob | Reset vector blob / Signed? | Microcode Blob | VGA blob | SMM Blob | ACPI Blob | Runtime Blob | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Google Pixel | Sandybridge | No | Yes / Yes; Unknown | No | No | Yes | Yes | No | No | No | |
| Intel Galileo | Quark | No EC | No ME | Yes | Yes; see notes | Yes | Yes | Yes | Yes | Yes EFI | We make a key, Intel signs the key, we use the signing tool to sign our binary. The signing utility is part of the BSP on communities.intel.com (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=23197). |

The Customer is required to provide a public RSA key that is derived from a Private key that conforms to the following:

  • Each RSA keypair shall be 2048 bits in length.
  • Each RSA keypair shall be formatted as an ASN1 RSAPrivateKey DER certificate as defined in the RSA PKCS#1 document.

We expect to receive a .pem file that contains only the public components of the Customer RSA 2048 key.
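
A pre-submission check for the key requirements listed above, as an added example that is not part of the original page or of Intel's BSP tooling. The function names are hypothetical, and the sample key is constructed for structure only (its "primes" are not checked for primality and its private exponents are placeholders).

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_rsa_private_der(blob):
    """Validate a PKCS#1 RSAPrivateKey DER blob with a 2048-bit modulus; return (n, e)."""
    tag, body, end = read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:                    # PKCS#8 has an AlgorithmIdentifier SEQUENCE here
            raise ValueError("not a PKCS#1 RSAPrivateKey (PKCS#8 wrapper?)")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != 9 or ints[0] != 0:
        raise ValueError("expected version 0 followed by n, e, d, p, q, dP, dQ, qInv")
    n, e, p, q = ints[1], ints[2], ints[4], ints[5]
    if n.bit_length() != 2048:
        raise ValueError("modulus is %d bits, not 2048" % n.bit_length())
    if p * q != n:
        raise ValueError("modulus is not the product of the two primes")
    return n, e

def pem_is_public_only(pem_text):
    """True when every PEM block in the text is a public key and none is private."""
    labels = [l.strip() for l in pem_text.splitlines() if l.startswith("-----BEGIN ")]
    return bool(labels) and all(l.endswith("PUBLIC KEY-----") for l in labels)

def der(tag, body):                        # DER encoder used only to build the sample
    lb = len(body).to_bytes(4, "big").lstrip(b"\0")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def sample_key(p, q):
    """Constructed sample: right structure, placeholder d/dP/dQ/qInv, NOT a usable key."""
    vals = [0, p * q, 65537, 1, p, q, 1, 1, 1]
    return der(0x30, b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in vals))

if __name__ == "__main__":
    print(check_rsa_private_der(sample_key(3 * 2**1022 + 1, 3 * 2**1022 + 3))[1])
```

Run `pem_is_public_only` on the exact file that will leave the build machine, so a private key saved under the wrong name is caught before it is sent.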