The wiki is being retired!
Documentation is now handled by the same processes we use for code: Add something to the Documentation/ directory in the coreboot repo, and it will be rendered to https://doc.coreboot.org/. Contributions welcome!
This the the Blob Matrix. What is the Blob Matrix? It is a table in which we define, for different systems, what blobs there are. The goal is to have a common reference of types of blobs. Until we're sure we have the right list we don't need the matrix yet.
Consider, for example, the Google Pixel laptop. We can identify the following CPUs that affect coreboot or that it uses: EC, ME, main CPU.
For this example, we have the following blobs: ME, blob from Intel (replaceable, signed); main CPU: microcode (not practically replaceable), MRC (not practically replaceable), VGA BIOS (replaceable, proof of concept in repo).
Here is another system, the Snow Chromebook. It has an EC and a main CPU. The blobs are main CPU: BL0 (not replaceable), and BL1 (replaceable, signed).
My old x60, with coreboot on it: EC: EC OS (not replaceable); main CPU: microcode, BIOS, VGA BIOS
Let's consider the first coreboot systems, the l440gx, PowerPC, and Alpha
The l440GX had no CPUs save the main CPU, and all of linuxbios was open. There was no ACPI or SMM.
The PowerPC was, similarly, blob free.
We think the Alpha had an EC, which was closed and had a blob; it was otherwise blob free.
|EC||ME / Signed & Type||Mask ROM||Reset vector / Signed?||Microcode||VGA||SMM||ACPI||Runtime|
Yes / Yes; Unknown
|Intel Galileo||Quark||No EC||No ME||Yes||No||Yes||Yes||Yes||Yes||Yes: EFI|
||i945||Yes, probably inside the ec's flash.||No ME||None||Yes ||Can be replaced||None||None||None|
||GM45||Yes, probably inside the ec's flash.||Possible to disable||
||None||Yes ||Can be replaced||None||None||None|
- but a Remote Management Unit
- Intel Quark exists in two different versions, a "Base" SKU and a "Secure" SKU. The following applies to the Secure SKU, but Galileo comes with the "Base" model.
We make a key, Intel signs the key, we use the signing tool to sign our binary.
The signing utility is part of the BSP on communities.intel.com.
The Customer is required to provide a public RSA key that is derived from a Private key that conforms to the following:
- Each RSA keypair shall be 2048 bits in length.
- Each RSA keypair shall be formatted as an ASN1 RSAPrivateKey DER certificate as defined in the RSA PKCS#1 document.
- Intel microcode, some CPU do work without it, but they will be affected by the erratas fixed by the microcode. Note that selecting "Include CPU microcode in CBFS (Do not include microcode updates)" often still includes the microcode. The microcode is removed by libreboot.org
- Can be replaced in coreboot. Some remaining patches need to be merged.