Difference between revisions of "Blob Matrix"

From coreboot
(add link to h8s ec GSoC project)
 
(39 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
== Introduction ==
 
This the the Blob Matrix. What is the Blob Matrix? It is a table in which we define, for different systems, what blobs there are. The goal is to have a common reference of types of blobs. Until we're sure we have the right list we don't need the matrix yet.
 
This the the Blob Matrix. What is the Blob Matrix? It is a table in which we define, for different systems, what blobs there are. The goal is to have a common reference of types of blobs. Until we're sure we have the right list we don't need the matrix yet.
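Review bot: The paragraph under the new `== Introduction ==` heading still opens with "This the the Blob Matrix" and still ends with "Until we're sure we have the right list we don't need the matrix yet", which no longer fits a revision that adds a populated `== Blob Matrix ==` table. Fix the opening to "This is the Blob Matrix" and drop or reword the closing sentence in the same edit.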
  
Line 15: Line 16:
 
My old x60, with coreboot on it:
 
My old x60, with coreboot on it:
 
EC: EC OS (not replaceable);
 
EC: EC OS (not replaceable);
ME, blob from Intel (replaceable, signed);
 
 
main CPU: microcode, BIOS, VGA BIOS
 
main CPU: microcode, BIOS, VGA BIOS
  
Line 26: Line 26:
 
We think the Alpha had an EC, which was closed and had a blob; it was otherwise blob free.
 
We think the Alpha had an EC, which was closed and had a blob; it was otherwise blob free.
  
So:
+
== Blob Matrix ==
 
 
 
 
 
{| border="0" style="font-size: smaller"
 
{| border="0" style="font-size: smaller"
 
|- bgcolor="#6699ff"
 
|- bgcolor="#6699ff"
! align="left" | Mainboard
+
! rowspan="2" align="left" | Mainboard
! align="left" | Chipset
+
! rowspan="2" align="left" | Chipset
! align="left" | EC Blob
+
! colspan="9" align="center" | Blobs
! align="left" | ME Blob / Signed & Type
+
! rowspan="2" align="left" | Notes
! align="left" | Mask ROM blob
+
|-
! align="left" | Reset vector blob / Signed?
+
|- bgcolor="#6699ff"
! align="left" | Microcode Blob
+
! align="left" | [[Embedded_controller|EC]]
! align="left" | VGA blob
+
! align="left" | ME / Signed & Type
! align="left" | SMM Blob
+
! align="left" | Mask ROM
! align="left" | ACPI Blob
+
! align="left" | Reset vector / Signed?
! align="left" | Runtime Blob
+
! align="left" | Microcode
! align="left" | Notes
+
! align="left" | [[VGA support|VGA]]
 
+
! align="left" | [https://en.wikipedia.org/wiki/System_Management_Mode SMM]
 +
! align="left" | [https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface ACPI]
 +
! align="left" | Runtime  
 
|- bgcolor="#dddddd"
 
|- bgcolor="#dddddd"
 
| Google Pixel
 
| Google Pixel
 
| Sandybridge
 
| Sandybridge
| No
+
| {{ButNo|[https://git.chromium.org/git/chromiumos/platform/ec.git FLOSS]}}
| Yes / Yes; Unknown
+
| {{Panic|level=high|Yes / Yes; Unknown}}
 
| No
 
| No
 
| No
 
| No
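Review bot: In the new two-row header, the bare `|-` directly before `|- bgcolor="#6699ff"` is a redundant row marker; keep only the second one so the sub-header row carries the background colour. The `colspan="9"` on "Blobs" does match the nine sub-headers (EC through Runtime), so the `rowspan="2"` cells line up. The Google Pixel ME cell is now wrapped in `{{Panic|level=high|...}}` while its type still reads "Unknown"; a ref saying what is unknown would back up the severity marking.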
Line 61: Line 61:
 
| Intel Galileo
 
| Intel Galileo
 
| Quark
 
| Quark
| No EC
+
| {{ButNo|No EC}}
| No ME
+
| {{ButNo|No ME<ref name="Galileo-RMU">but a Remote Management Unit</ref>}}
 
| Yes
 
| Yes
| Yes; see notes
+
| No<ref name="Galileo-signatures">Intel Quark exists in two different versions, a "Base" SKU and a "Secure" SKU. The following applies to the Secure SKU, but Galileo comes with the "Base" model.
| Yes
+
 
| Yes
+
We make a key, Intel signs the key, we use the signing tool to sign our binary.
| Yes
 
| Yes
 
| Yes EFI
 
| We make a key, Intel signs the key, we use the signing tool to sign our binary.
 
 
  The signing utility is part of the BSP on communities.intel.com.
 
  The signing utility is part of the BSP on communities.intel.com.
 +
( https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=23197)
 
The Customer is required to provide a public RSA key that is derived from a Private key that conforms to the following:
 
The Customer is required to provide a public RSA key that is derived from a Private key that conforms to the following:
 
*      Each RSA keypair shall be 2048 bits in length.
 
*      Each RSA keypair shall be 2048 bits in length.
Line 77: Line 74:
  
 
We expect to receive a .pem file that contains only the public components of the Customer RSA 2048 key.
 
We expect to receive a .pem file that contains only the public components of the Customer RSA 2048 key.
 +
</ref>
 +
| Yes
 +
| Yes
 +
| Yes
 +
| Yes
 +
| Yes: EFI
 +
|
 +
|- bgcolor="#dddddd"
 +
| Lenovo
 +
* x60
 +
* x60s
 +
* x60t
 +
| i945
 +
| Yes, probably inside the ec's flash. <ref name="h8s-floss-ec>FLOSS replacement being worked on. see [http://blogs.coreboot.org/blog/2015/05/19/gsoc-2015-h8s-ec-firmware/ GSoC 2015 H8S EC firmware]</ref>
 +
| {{ButNo|No ME}}
 +
|
 +
* [[Intel_82573_Ethernet_controller#Hardware_description|NIC]]
 +
| {{ButNo|None}}
 +
| Yes <ref name="microcode">Intel microcode, some CPU do work without it, but they will be affected by the erratas fixed by the microcode. Note that selecting "Include CPU microcode in CBFS (Do not include microcode updates)" often still includes the microcode. The microcode is removed by [http://libreboot.org/ libreboot.org] </ref>
 +
| {{ButNo|Can be replaced<ref name="patches-remaining">Can be replaced in coreboot. Some remaining patches need to be merged.</ref>}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
|
 +
|- bgcolor="#dddddd"
 +
| Lenovo
 +
* x200
 +
* x200t
 +
| GM45
 +
| Yes, probably inside the ec's flash. <ref name="h8s-floss-ec>FLOSS replacement being worked on. see [http://blogs.coreboot.org/blog/2015/05/19/gsoc-2015-h8s-ec-firmware/ GSoC 2015 H8S EC firmware]</ref>
 +
| {{ButNo|Possible to disable}}
 +
|
 +
* Intel 82567LM [http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf] (Note that Libreboot has a tool (ich9gen) to t least generate a new gbe rom section, but the default one is just data and documented.)
 +
| {{ButNo|None}}
 +
| Yes <ref name="microcode">Intel microcode, some CPU do work without it, but they will be affected by the erratas fixed by the microcode. Note that selecting "Include CPU microcode in CBFS (Do not include microcode updates)" often still includes the microcode. The microcode is removed by [http://libreboot.org/ libreboot.org] </ref>
 +
| {{ButNo|Can be replaced<ref name="patches-remaining">Can be replaced in coreboot. Some remaining patches need to be merged.</ref>}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
|
 +
|- bgcolor="#dddddd"
 +
| Lenovo
 +
* x220
 +
* x220t
 +
| QM67
 +
| Yes, probably inside the ec's flash. <ref name="h8s-floss-ec>FLOSS replacement being worked on. see [http://blogs.coreboot.org/blog/2015/05/19/gsoc-2015-h8s-ec-firmware/ GSoC 2015 H8S EC firmware]</ref>
 +
| {{Panic|level=high|Yes / Yes; Unknown}}
 +
|
 +
* Intel 82579LM / Unknown
 +
| {{ButNo|None}}
 +
| Yes
 +
| {{ButNo|Can be replaced}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
| {{ButNo|None}}
 +
|
 +
|}
 +
 +
== References ==
 +
<references/>
 +
 +
[[Category:Blobs|Blobs]]
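Review bot: `<ref name="h8s-floss-ec>` is missing the closing quote on the name attribute in all three Lenovo rows, and the full ref body is repeated each time; define it once and reuse it as `<ref name="h8s-floss-ec"/>`, and do the same for "microcode" and "patches-remaining". In the x200 row, "to t least generate" should read "to at least generate". The x220 row's Microcode and VGA cells drop the refs that the x60 and x200 rows carry, so it is unclear whether the same caveats apply there.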

Latest revision as of 18:13, 25 July 2015

Introduction

This is the Blob Matrix. What is the Blob Matrix? It is a table in which we define, for different systems, what blobs there are. The goal is to have a common reference of types of blobs. Until we're sure we have the right list we don't need the matrix yet.

Consider, for example, the Google Pixel laptop. We can identify the following CPUs that affect coreboot or that it uses: EC, ME, main CPU.

For this example, we have the following blobs: ME, blob from Intel (replaceable, signed); main CPU: microcode (not practically replaceable), MRC (not practically replaceable), VGA BIOS (replaceable, proof of concept in repo).

Here is another system, the Snow Chromebook. It has an EC and a main CPU. The blobs are main CPU: BL0 (not replaceable), and BL1 (replaceable, signed).

My old x60, with coreboot on it: EC: EC OS (not replaceable); main CPU: microcode, BIOS, VGA BIOS.

Let's consider the first coreboot systems: the L440GX, PowerPC, and Alpha.

The L440GX had no CPUs save the main CPU, and all of LinuxBIOS was open. There was no ACPI or SMM.

The PowerPC was, similarly, blob free.

We think the Alpha had an EC, which was closed and had a blob; it was otherwise blob free.

Blob Matrix

The columns from EC through Runtime are grouped under "Blobs".

| Mainboard | Chipset | EC | ME / Signed & Type | Mask ROM | Reset vector / Signed? | Microcode | VGA | SMM | ACPI | Runtime | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Google Pixel | Sandybridge | FLOSS | Yes / Yes; Unknown | No | No | Yes | Yes | No | No | No | |
| Intel Galileo | Quark | No EC | No ME[1] | Yes | No[2] | Yes | Yes | Yes | Yes | Yes: EFI | |
| Lenovo x60, x60s, x60t | i945 | Yes, probably inside the EC's flash. [3] | No ME | NIC | None | Yes [4] | Can be replaced[5] | None | None | None | |
| Lenovo x200, x200t | GM45 | Yes, probably inside the EC's flash. [3] | Possible to disable | Intel 82567LM (http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf) (Note that Libreboot has a tool (ich9gen) to at least generate a new gbe rom section, but the default one is just data and documented.) | None | Yes [4] | Can be replaced[5] | None | None | None | |
| Lenovo x220, x220t | QM67 | Yes, probably inside the EC's flash. [3] | Yes / Yes; Unknown | Intel 82579LM / Unknown | None | Yes | Can be replaced | None | None | None | |

References

  1. but a Remote Management Unit
  2. Intel Quark exists in two different versions, a "Base" SKU and a "Secure" SKU. The following applies to the Secure SKU, but Galileo comes with the "Base" model. We make a key, Intel signs the key, we use the signing tool to sign our binary. The signing utility is part of the BSP on communities.intel.com (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=23197). The Customer is required to provide a public RSA key that is derived from a Private key that conforms to the following:
    • Each RSA keypair shall be 2048 bits in length.
    • Each RSA keypair shall be formatted as an ASN1 RSAPrivateKey DER certificate as defined in the RSA PKCS#1 document.
    We expect to receive a .pem file that contains only the public components of the Customer RSA 2048 key.
  3. FLOSS replacement being worked on; see GSoC 2015 H8S EC firmware (http://blogs.coreboot.org/blog/2015/05/19/gsoc-2015-h8s-ec-firmware/).
  4. Intel microcode. Some CPUs do work without it, but they will be affected by the errata fixed by the microcode. Note that selecting "Include CPU microcode in CBFS (Do not include microcode updates)" often still includes the microcode. The microcode is removed by libreboot.org.
  5. Can be replaced in coreboot. Some remaining patches need to be merged.
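
The key requirements quoted in reference 2 (2048-bit RSA, PKCS#1 RSAPrivateKey DER, a .pem holding only the public components) can be checked locally before anything is handed over for signing. The Python below is an added example, not part of the coreboot wiki or of Intel's BSP signing utility; the function names are hypothetical, and accepting either a "PUBLIC KEY" or an "RSA PUBLIC KEY" PEM block is an assumption, since the page does not say which form is expected.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def integers(body):
    """Decode the run of DER INTEGERs that fills a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        out.append(int.from_bytes(val, "big"))
    return out

def check_private_der(der):
    """Accept only a PKCS#1 RSAPrivateKey with a 2048-bit modulus; return (n, e)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    f = integers(body)                 # a PKCS#8 wrapper fails here (nested SEQUENCE)
    if len(f) != 9 or f[0] != 0:
        raise ValueError("not a two-prime PKCS#1 RSAPrivateKey")
    n, e, p, q = f[1], f[2], f[4], f[5]
    if n.bit_length() != 2048 or p * q != n:
        raise ValueError("modulus must be 2048 bits and equal p*q")
    return n, e

def check_public_pem(pem, n, e):
    """True if the PEM to hand over holds only the public half of (n, e)."""
    if "PRIVATE KEY" in pem:
        raise ValueError("PEM contains private key material")
    m = re.search(r"-----BEGIN (?:RSA )?PUBLIC KEY-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no public key block")
    _, body, _ = read_tlv(base64.b64decode(m.group(1)), 0)
    if body[0] == 0x30:                # SubjectPublicKeyInfo (assumed acceptable form)
        _, _, pos = read_tlv(body, 0)  # skip AlgorithmIdentifier
        _, bits, _ = read_tlv(body, pos)
        _, body, _ = read_tlv(bits[1:], 0)   # drop the BIT STRING unused-bits byte
    return integers(body) == [n, e]
```

For a real key, pass the bytes of the DER private key file to `check_private_der` and the text of the .pem to `check_public_pem` along with the returned modulus and exponent.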