Gentoo Archives: gentoo-dev

From: Peter Stuge <peter@×××××.se>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: Killing UEFI Secure Boot
Date: Thu, 21 Jun 2012 19:11:22
In Reply to: Re: [gentoo-dev] Re: Killing UEFI Secure Boot by Roy Bamford
Roy Bamford wrote:
> > > I take it the above statement is based on the kernel being
> > > directly placed within the BIOS/firmware/nvram on the board,
This is sometimes called Linux-as-bootloader (LAB/lab for short) in the coreboot project.
> > > such that you couldn't boot anything else but that kernel?
Yes and no. A kernel can kexec() another program.
> So when you build a dud kernel and flash your BIOS with it, and we
> all build the odd dud, your motherboard is bricked.
Any firmware modification has potential to brick, and shouldn't be done unless you are comfortable with the modification, or with solving a brick problem. :)

Keep backup flash chips, if your boot flash is socketed. There are also several software techniques to eliminate and/or reduce the brick risk.

Again, if you flash nothing but a kernel into the boot flash then the machine will just laugh at you in your face and not start.

coreboot has infrastructure for separating normal boot from fallback boot, for when the normal boot fails. Writing to the flash chip is not an all-or-nothing operation. coreboot uses a super simple filesystem for the boot flash, which can be aligned to eraseblocks in the flash chip, such that only ever the normal boot "files" are erased and rewritten, while leaving fallback contents untouched. Even a power outage during flashing will not brick your machine.
> Get out your JTAG adaptor and another PC I suppose.
PCs don't usually have JTAG as convenient as embedded systems, but the boot flash can always be written with other suitable dedicated hardware, from "the outside", as you write.

//Peter
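
The eraseblock-alignment point in the message above, as an added example that is not part of the original message and is not coreboot's code: it checks whether rewriting a "normal" region would also erase bytes of the "fallback" region. The region names, offsets, and the 64 KiB eraseblock size are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A named area of the boot flash. All layouts below are constructed samples. */
struct region { const char *name; uint32_t offset, size; };

#define ERASEBLOCK 0x10000u /* assumed 64 KiB erase granularity */

/* Layout A: both regions start and end on eraseblock boundaries. */
static const struct region normal_a   = { "normal",   0x200000, 0x100000 };
static const struct region fallback_a = { "fallback", 0x300000, 0x100000 };

/* Layout B: regions packed back to back; the boundary falls mid-eraseblock. */
static const struct region normal_b   = { "normal",   0x200000, 0x0F8000 };
static const struct region fallback_b = { "fallback", 0x2F8000, 0x108000 };

/* Rewriting a region means erasing every eraseblock it touches, so widen
 * [offset, offset + size) outward to eraseblock boundaries. */
static void erase_span(const struct region *r, uint32_t eb,
                       uint32_t *start, uint32_t *end)
{
    *start = r->offset - (r->offset % eb);
    *end = (r->offset + r->size + eb - 1) / eb * eb;
}

/* True if rewriting `target` would also erase bytes that belong to `keep`. */
bool rewrite_clobbers(const struct region *target, const struct region *keep,
                      uint32_t eb)
{
    uint32_t start, end;
    erase_span(target, eb, &start, &end);
    return start < keep->offset + keep->size && keep->offset < end;
}

int main(void)
{
    printf("aligned layout: fallback erased = %d\n",
           rewrite_clobbers(&normal_a, &fallback_a, ERASEBLOCK));
    printf("packed layout:  fallback erased = %d\n",
           rewrite_clobbers(&normal_b, &fallback_b, ERASEBLOCK));
    return 0;
}
```

In the packed layout the last eraseblock of the normal region also holds the first 32 KiB of fallback, so an interrupted update could damage both boot paths.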

