Work in progress
Please keep in mind that this tutorial is a work in progress. Configuration files will be added and changed.
Implementations of Linux payloads
- The buildrom utility can download and compile all required components, but it is not compatible with modern Coreboot.
- https://github.com/osresearch/heads is also a good example of Linux payloads in practice.
- There is a page on Coreboot about PetitBoot. See Petitboot.
Quick and easy Linux payloads with Buildroot
What is Buildroot?
Buildroot is a set of makefiles and a simple configuration interface (kconfig, etc.) that makes it easy to build very small embedded systems. The tool is readily available, so we should make use of it to create highly customized payloads for Coreboot. And yes, we can have sl in our boot firmware!
This is useful as a Coreboot payload because we can incorporate components like kexec, flashrom, cryptsetup, full gnupg, and embedded tools like Busybox to create a usable system image intended to allow us to boot our computer, or something else entirely.
Buildroot's build system verifies the hashes of all packages it downloads, including the toolchain, so its build system is reasonably secure. It does have support for reproducible builds, but more extensive testing is required. It also provides stable releases.
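The hash check described above, sketched as an added example (not Buildroot's own script or code from this tutorial). It assumes the `<type>  <digest>  <filename>` line layout of Buildroot package `.hash` files; `verify_download` is a hypothetical helper name, and refusing files with no entry is a choice made for this example.

```shell
#!/bin/sh
# Added illustration, not Buildroot's own code. verify_download is a
# hypothetical helper. Assumed .hash line layout (comments start with '#'):
#   <type>  <hex digest>  <filename>

verify_download() {
    hash_file=$1
    download=$2
    name=$(basename "$download")
    matched=0

    # The [ -n ... ] test also accepts a final line with no trailing newline.
    while read -r algo want file || [ -n "$algo" ]; do
        case $algo in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$file" = "$name" ] || continue         # entry for another file

        case $algo in
            sha256|sha512) tool="${algo}sum" ;;
            *) echo "unsupported hash type: $algo" >&2; return 2 ;;
        esac

        got=$("$tool" "$download" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "hash mismatch ($algo) for $name" >&2
            return 1
        fi
        matched=1
    done < "$hash_file"

    # Fail closed: a file with no matching entry was never verified.
    if [ "$matched" -ne 1 ]; then
        echo "no hash entry for $name" >&2
        return 3
    fi
    return 0
}

# Stand-alone use: sh verify.sh <package>.hash <downloaded file>
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```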
As a very simple example to build from, let's consider the ThinkPad X230. It has a 4M flash chip and an 8M flash chip, which together appear as a "virtual" 12M flash chip. This poses a problem: the BIOS region is 7M, but this includes the 4M chip. It is possible to flash internally, without having to attach a programmer to each chip and "split" a complete Coreboot image across the two flash chips.
Due to space constraints, networking doesn't seem possible to incorporate. We need to reduce the size of the compressed initrd image to around 900k. In this tutorial, we create a simple payload that includes Flashrom and the means to mount USB drives, in order to flash an image that takes advantage of the full 7M region (or more, if we reduce the ME region using https://github.com/corna/me_cleaner).
In order to reduce space, the Musl standard C library was used. This can produce noticeably smaller binaries than uclibc-ng. Furthermore, ncurses was not installed, so no C++ library was included.
We elect to remove all the networking utilities and certain other utilities. Components like udhcpcd and ip took up a relatively large amount of space.
The only package added was Flashrom. This selected dmidecode, pciutils, libusb, and libftdi.
All non-essential components were removed. We are left with basic support for Intel processors, no network support, and support for ext4 and a few miscellaneous filesystems. It's trivial to enable these again.
We simply select a Linux payload as our payload, and point the initrd and kernel image to the respective Buildroot rootfs and bzImage.
Future things to think about
- Add an additional option to Coreboot's kconfig to use a stable Buildroot release and include configuration files for a "simple" initrd with support for networking, kexec, flashrom and miscellaneous system utilities.