ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-04-24 04:55:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
heads/blobs/xx80
History
Thierry Laurion c627965397
bugfix: modules/coreboot + blobs/xx80: rely on github for git, not review.coreboot.org 
https://review.coreboot.org is having HTTPS issue. Reported on coreboot matrix channel, but need to build.

Log from CircleCI failing when trying to pull deguard: https://app.circleci.com/pipelines/github/tlaurion/heads/3267/workflows/588f8aeb-4d73-4f71-9e6e-fd286e46353e/jobs/66442/parallel-runs/0/steps/0-111

Reasoning:
We might dislike GitHub, but when comes maintaining a project and using free systems for bandwidth and CI because no money, we need to rely on systems that don't randomly fall.
Using github does that purpose here

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-04-03 11:09:17 -04:00
..
.gitignore
create tb.bin blob when creating me.bin blob
2025-02-27 02:40:12 +01:00
download_clean_deguard_me_pad_tb.sh
bugfix: modules/coreboot + blobs/xx80: rely on github for git, not review.coreboot.org
2025-04-03 11:09:17 -04:00
gbe.bin
set the mac address to 00🇩🇪ad:c0:ff:ee in the gbe.bin blob for the t480
2025-02-14 09:57:59 -05:00
hashes.txt
changes the tb.bin Thunderbolt blob script to create the same blob as libreboot
2025-03-02 23:30:39 +01:00
ifd.bin
add t480 board
2025-02-12 00:56:17 +01:00
README.md
add documentation for tb.bin Thunderbolt flashing on the T480
2025-02-28 12:05:55 +01:00

README.md

T480 Blobs

The following blobs are needed:

  • ifd.bin
  • gbe.bin
  • me.bin
  • tb.bin (optional but recommended flashing this blob to the separate Thunderbolt SPI chip to fix a bug in the original firmware)

me.bin: automatically extract, neuter and deguard

download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin

The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe

This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed. See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html Therefore, Bootguard can be disabled by deguard with a patched ME.

As specified in the first link, this ME can be deployed to:

  • T480
  • T480s

ifd.bin and gbe.bin

Both blobs were taken from libreboot: 68ebde2f03/config/ifd/t480

The GBE MAC address was forged to: 00:DE:AD:C0:FF:EE MAC

tb.bin

This blob was extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip, which is not the same as the 16MB chip to which the heads rom is flashed. External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip. You can find a guide here: https://osresearch.net/T430-maximized-flashing/

Integrity

Sha256sums: blobs/xx80/hashes.txt

CAVEATS for the board:

See the board configs boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config:

This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. Also it can be used to extract FDE keys from a TPM. The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 Make sure you understand the implications of the attack for your threat model before using this board.

Documentation

A guide on how to flash this board (both the Heads rom and the Thunderbolt tb.bin blob) can be found here: https://osresearch.net/T430-maximized-flashing/