forked from website/openpower.foundation
Add 'content/blog/coreboot-on-talos2.md'
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>remotes/1732662139196008604/master
parent
7ba4f59833
commit
dd5453e36d
Binary file not shown.
After Width: | Height: | Size: 207 KiB |
@ -0,0 +1,3 @@
|
||||
<svg xmlns="http://www.w3.org/2000/svg" width="196.053" height="150.759" viewBox="0 0 196.053 150.759">
|
||||
<path d="M148.419 40.725c-10.576-6.285-13.657-4.1-23.153-11.671C110.441 17.237 92.488 3.794 74.861 0c0 0 4.307 3.492 12.283 9.822.559.465.705.684.595.867-.169.287-.928-.046-.928-.046-6.163-2.345-13.123-3.675-17.839-3.37-1.561.1-2.061.352-2.283.797-.104.209-.119.772.405 1.469 2.061 2.725 7.024 8.064 15.281 13.132 8.486 5.206 23.472 12.592 36.726 18.489 5.932 2.638 10.207 6.164 8.846 10.232-1.52 4.533-7.387 5.15-12.074 3.275-3.808-1.523-7.367-6.297-13.148-12.701-10.016-11.098-14.769-15.525-31.39-12.141-8.332 1.697-16.194 8.516-22.482 15.713-4.196 5.292-6.213 9.694-6.821 15.002 0 0-1.146-2.105-.008-7.49 1.989-9.407-2.341-13.447-2.341-13.447-21.925 31.092 9.261 59.202 33.301 32.281 0 0-7.865 17.467-7.21 22.906-3.355 1.1-4.845 4.186.176 7.91 5.486 4.068 18.961 3.716 29.59-.852 19.845-8.529 32.213-24.423 38.344-34.516 1.432-2.36 2.947-3.508 3.996-3.883 1.591-.574 12.537.086 17.662-2.824.713.347 1.621.533 2.817.442 3.714-.282 5.976-4.727 5.976-4.727s-4.687-8.941-15.916-15.615zm-41.142 44.652c-10.166 7.24-21.192 9.26-28.008 6.262 10.782-7.818 30.624-27.373 30.624-27.373s-3.302-8.318-9.257-3.225c-5.76 4.925-11.081 11.078-13.184 13.043-1.301 1.213-3.508 3.506-4.812 2.52-1.587-1.199 3.137-11.825 6.749-20.631 4.928-12.01-.742-15.762-7.379-15.429-5.947.299-14.071 3.903-19.891 7.462-1.648 1.009-2.773 1.629-3.189 1.244-.364-.339.021-.977 1.102-1.89 15.471-13.108 37.549-12.767 39.523-3.175 1.571 7.65-14.771 26.914-13.697 27.223.104.029.338-.088.68-.322 5.364-7.021 15.521-17.801 19.331-17.384 6.827.746 9.183 9.794 9.183 9.794L92.291 84.034c4.701 1.277 9.842 1.738 14.986 1.343zm-84.43 40.124l-2.686 4.695c-1.473-1.389-3.449-2.084-5.925-2.084-2.377 0-4.256.791-5.637 2.373-1.381 1.582-2.072 3.77-2.072 6.565 0 5.641 2.687 8.461 8.06 8.461 2.326 0 4.377-.771 6.151-2.31l2.309 4.945c-1.824 1.139-3.418 1.857-4.782 2.159-1.365.302-2.975.452-4.833.452-4.15 0-7.428-1.209-9.829-3.629C1.201 144.712 0 141.353 0 137.051c0-4.235 1.313-7.657 3.942-10.269 2.628-2.611 6.209-3.916 10.746-3.916 3.129 0 5.849.878 8.159 2.635zm1.1 11.248c0-4.101 1.184-7.439 3.552-10.017s5.494-3.866 9.377-3.866c4.084 0 7.255 1.238 9.516 3.715 2.259 2.478 3.389 5.867 3.389 10.168 0 4.285-1.151 7.691-3.452 10.219-2.302 2.527-5.452 3.791-9.453 3.791-4.083 0-7.26-1.275-9.527-3.829-2.269-2.552-3.402-5.946-3.402-10.181zm6.527 0c0 5.926 2.134 8.889 6.402 8.889 1.958 0 3.511-.771 4.658-2.311 1.146-1.539 1.72-3.732 1.72-6.578 0-5.84-2.126-8.762-6.377-8.762-1.958 0-3.514.77-4.669 2.31-1.156 1.54-1.734 3.69-1.734 6.452zm38.841-7.531c-1.121-.736-2.352-1.105-3.69-1.105-1.457 0-2.749.662-3.879 1.984-1.129 1.321-1.694 2.937-1.694 4.846v15.314h-6.277v-26.89h6.277v2.462c1.757-1.977 4.092-2.963 7.004-2.963 2.142 0 3.783.326 4.921.979l-2.662 5.373zm26.83 9.515H76.938c.117 2.143.854 3.808 2.209 4.996 1.355 1.188 3.18 1.782 5.473 1.782 2.862 0 5.038-.745 6.527-2.235l2.436 4.795c-2.21 1.792-5.507 2.688-9.892 2.688-4.102 0-7.344-1.201-9.729-3.603-2.385-2.401-3.578-5.754-3.578-10.056 0-4.234 1.31-7.665 3.929-10.293 2.62-2.629 5.762-3.941 9.428-3.941 3.899 0 7.03 1.162 9.391 3.489 2.359 2.327 3.539 5.289 3.539 8.888.001.77-.175 1.933-.526 3.49zm-18.981-4.72h13.207c-.436-3.933-2.612-5.9-6.528-5.9-3.582-.001-5.809 1.967-6.679 5.9zm26.916 14.761l-1.406 1.984h-3.539V113.35l6.276-1.507v12.553c1.673-1.021 3.497-1.53 5.474-1.53 3.932 0 7.104 1.242 9.515 3.728 2.411 2.485 3.615 5.671 3.615 9.554 0 4.502-1.214 8.062-3.64 10.683-2.428 2.62-5.717 3.929-9.867 3.929-2.494-.001-4.637-.662-6.428-1.986zm1.331-19.003v14.033c.92 1.088 2.167 1.633 3.741 1.633 3.028 0 5.175-.72 6.439-2.16 1.264-1.438 1.895-3.74 1.895-6.904 0-5.455-2.609-8.184-7.832-8.184-1.858-.001-3.272.526-4.243 1.582zm20.314 6.978c0-4.101 1.184-7.439 3.553-10.017 2.367-2.577 5.493-3.866 9.376-3.866 4.085 0 7.257 1.238 9.517 3.715 2.259 2.478 3.389 5.867 3.389 10.168 0 4.285-1.15 7.691-3.451 10.219-2.303 2.527-5.453 3.791-9.454 3.791-4.083 0-7.26-1.275-9.527-3.829-2.271-2.552-3.403-5.946-3.403-10.181zm6.527 0c0 5.926 2.134 8.889 6.401 8.889 1.959 0 3.511-.771 4.657-2.311 1.146-1.539 1.721-3.732 1.721-6.578 0-5.84-2.127-8.762-6.378-8.762-1.958 0-3.515.77-4.669 2.31-1.155 1.54-1.732 3.69-1.732 6.452zm20.514 0c0-4.101 1.184-7.439 3.553-10.017s5.494-3.866 9.377-3.866c4.084 0 7.256 1.238 9.516 3.715 2.26 2.478 3.39 5.867 3.39 10.168 0 4.285-1.151 7.691-3.452 10.219-2.302 2.527-5.452 3.791-9.453 3.791-4.083 0-7.26-1.275-9.527-3.829-2.271-2.552-3.404-5.946-3.404-10.181zm6.528 0c0 5.926 2.134 8.889 6.401 8.889 1.959 0 3.512-.771 4.658-2.311 1.146-1.539 1.719-3.732 1.719-6.578 0-5.84-2.125-8.762-6.377-8.762-1.957 0-3.514.77-4.669 2.31s-1.732 3.69-1.732 6.452zm22.196-8.335h-3.112v-5.047h3.112v-5.473l6.277-2.31v7.782h7.381v5.047h-7.381v11.774c0 1.926.301 3.285.903 4.08s1.657 1.193 3.163 1.193c1.508 0 2.912-.41 4.219-1.23v5.773c-1.457.502-3.531.754-6.227.754-2.678 0-4.736-.758-6.176-2.272s-2.16-3.669-2.16-6.464v-13.607z"/>
|
||||
</svg>
|
After Width: | Height: | Size: 4.9 KiB |
@ -0,0 +1,307 @@
|
||||
---
|
||||
title: coreboot and Heads as an alternative firmware for OpenPOWER Talos II
|
||||
author: Krystian Hebel
|
||||
tags:
|
||||
- openpower
|
||||
- power9
|
||||
- firmware
|
||||
- coreboot
|
||||
- hostboot
|
||||
date: 2024-07-09
|
||||
draft: true
|
||||
---
|
||||
|
||||
This blog post presents coreboot ([spelled in lower case characters](https://doc.coreboot.org/#spelling-of-coreboot),
|
||||
even when it is the first word in a sentence) and Heads as an alternative to
|
||||
Hostboot and Skiroot/Petitboot, respectively.
|
||||
|
||||
As described on the [project's page](https://coreboot.org),
|
||||
|
||||
> coreboot is an extended firmware platform that delivers a lightning fast and
|
||||
> secure boot experience on modern computers and embedded systems.
|
||||
|
||||
{{< image src="blog/coreboot.svg" >}}
|
||||
|
||||
It aims to do the bare minimum required to make the hardware usable and pass
|
||||
the control to next program, called the payload. In case of Talos II, that
|
||||
payload is Skiboot, with [few changes on top](https://github.com/Dasharo/skiboot/tree/raptor-cs_talos-2)
|
||||
to make it play along with Heads.
|
||||
|
||||
Speaking of [Heads](https://github.com/linuxboot/heads), it is:
|
||||
|
||||
> a minimal Linux that (...) provides a secure, flexible boot environment for
|
||||
laptops, workstations and servers.
|
||||
|
||||
Heads provides a bootloader menu that starts final operating system through
|
||||
kexec call. This is very similar to what Petitboot does, but Heads puts
|
||||
security above everything else.
|
||||
|
||||
It is possible to use coreboot without Heads, but not the other way around.
|
||||
Heads depends on structures created by coreboot, which just aren't present when
|
||||
booting with Hostboot.
|
||||
|
||||
## Building and flashing coreboot
|
||||
|
||||
To build coreboot image, follow the steps below:
|
||||
|
||||
1. Clone the coreboot repository:
|
||||
|
||||
```
|
||||
git clone https://github.com/Dasharo/coreboot.git \
|
||||
--depth=1 -b raptor-cs_talos-2/rel_v0.7.0
|
||||
```
|
||||
|
||||
2. Start docker container:
|
||||
|
||||
```
|
||||
cd coreboot
|
||||
docker run --rm -it \
|
||||
-v $PWD:/home/coreboot/coreboot \
|
||||
-w /home/coreboot/coreboot \
|
||||
-u "$(id -u):$(id -g)" \
|
||||
coreboot/coreboot-sdk:0ad5fbd48d /bin/bash
|
||||
```
|
||||
|
||||
3. Configure and start the build process inside of the container:
|
||||
|
||||
```
|
||||
(docker) cp configs/config.raptor-cs-talos-2 .config
|
||||
(docker) make olddefconfig
|
||||
(docker) make
|
||||
```
|
||||
|
||||
After image is built you can exit the container, either with `exit` or Ctrl+D.
|
||||
To flash it to your platform:
|
||||
|
||||
0. Make sure you're running System Package v2.00, if not, get it from
|
||||
[here](https://wiki.raptorcs.com/wiki/Talos_II/Firmware) and
|
||||
[update/downgrade](https://wiki.raptorcs.com/wiki/Updating_Firmware#Updating_the_OpenPOWER_firmware).
|
||||
Start the platform once so SEEPROM is also updated, then power off.
|
||||
|
||||
1. Copy images to BMC:
|
||||
|
||||
```
|
||||
scp -O build/bootblock.signed.ecc root@<BMC_IP>:/tmp/bootblock.signed.ecc
|
||||
scp -O build/coreboot.rom.signed.ecc root@<BMC_IP>:/tmp/coreboot.rom.signed.ecc
|
||||
```
|
||||
|
||||
2. Log in to BMC through SSH:
|
||||
|
||||
```
|
||||
ssh root@<BMC_IP>
|
||||
```
|
||||
|
||||
3. Flash both partitions:
|
||||
|
||||
```
|
||||
pflash -e -P HBB -p /tmp/bootblock.signed.ecc
|
||||
pflash -e -P HBI -p /tmp/coreboot.rom.signed.ecc
|
||||
```
|
||||
|
||||
4. Boot the platform as usual and enjoy coreboot running on Talos II:
|
||||
|
||||
[![asciicast](https://asciinema.org/a/zkQV1KhxY4n6IrlzssuvFHHS5.svg)]https://asciinema.org/a/zkQV1KhxY4n6IrlzssuvFHHS5
|
||||
|
||||
## Building and flashing Heads
|
||||
|
||||
Reminder: Heads requires coreboot. Instructions above **must** be performed
|
||||
before flashing Heads. It also requires a [compatible USB security dongle](https://osresearch.net/Prerequisites#usb-security-dongles-aka-security-token-aka-smartcard)
|
||||
and TPM (more about it later).
|
||||
|
||||
> Technically, TPM isn't a hard requirement of Heads, however its usefulness
|
||||
> without it is very limited, up to a point where it doesn't have any advantages
|
||||
> over Petitboot.
|
||||
|
||||
1. Just as earlier, start with cloning the repository:
|
||||
|
||||
```
|
||||
git clone https://github.com/Dasharo/heads.git \
|
||||
--depth=1 -b raptor-cs_talos-2/release
|
||||
```
|
||||
|
||||
2. Start docker container:
|
||||
|
||||
```
|
||||
cd heads
|
||||
docker run --rm -it \
|
||||
-v $PWD:/home/heads/heads \
|
||||
-w /home/heads/heads \
|
||||
-u "$(id -u):$(id -g)" \
|
||||
3mdeb/heads-docker:2.4.0 /bin/bash
|
||||
```
|
||||
|
||||
3. Build:
|
||||
|
||||
```
|
||||
(docker) make BOARD=talos-2
|
||||
```
|
||||
|
||||
This will take a while, wait for it to finish and then exit the container. In
|
||||
the process, a coreboot image will also be built, but with slightly different
|
||||
configuration. For security and reproducible images, `BUILD_TIMELESS` is always
|
||||
enabled. While it actually strips file paths, it also removes file names and
|
||||
line numbers from asserts in the code. It makes reporting and debugging
|
||||
potential issues harder, so we suggest using coreboot built manually, at least
|
||||
for the time being.
|
||||
|
||||
Steps for flashing Heads are similar to those done for coreboot.
|
||||
|
||||
1. Copy the Heads binary to the BMC (assuming in the Heads root directory):
|
||||
|
||||
```
|
||||
scp -O build/zImage.bundled root@<BMC_IP>:/tmp/zImage.bundled
|
||||
```
|
||||
|
||||
2. Log in to the BMC:
|
||||
|
||||
```
|
||||
ssh root@<BMC_IP>
|
||||
```
|
||||
|
||||
3. Flash the BOOTKERNEL partition with Heads:
|
||||
|
||||
```
|
||||
pflash -e -P BOOTKERNEL -p /tmp/zImage.bundled
|
||||
```
|
||||
|
||||
Answer yes to the prompt and wait for the process to finish. After that, start
|
||||
the platform and begin [configuring Heads](https://osresearch.net/Configuring-Keys/).
|
||||
|
||||
## PNOR emulation
|
||||
|
||||
Flash device can be emulated by BMC, which is something we were often using for
|
||||
development and testing. This saves a lot of time which would be spent flashing,
|
||||
as well as reduces the wear of flash device.
|
||||
|
||||
However, this still requires System Package v2.00, and if this is different than
|
||||
what real flash holds, SEEPROM will have to be updated when switching between
|
||||
physical and emulated image. Also, this approach doesn't survive BMC reboots and
|
||||
power losses. BMC doesn't have enough space to keep full PNOR image in
|
||||
non-volatile memory, so `tmpfs` must be used for emulation. Don't try to put
|
||||
more than one image in `tmpfs` or BMC **will** run out of RAM, which most likely
|
||||
will require manual power cycle.
|
||||
|
||||
To start, obtain full flash image, either by downloading it from
|
||||
[RaptorCS release page](https://wiki.raptorcs.com/wiki/Talos_II/Firmware) or
|
||||
reading from existing image on BMC with:
|
||||
|
||||
```
|
||||
pflash -r /tmp/talos.pnor
|
||||
```
|
||||
|
||||
After that, you can "flash" the partitions mentioned earlier by adding
|
||||
additional parameters to use the file instead of physical flash:
|
||||
|
||||
```
|
||||
pflash -f -P <partition> -p <image_file> -F /tmp/talos.pnor
|
||||
```
|
||||
|
||||
Change `<partition>` to one of `HBB`, `HBI`, `BOOTKERNEL` and `<image_file>` to
|
||||
`/tmp/bootblock.signed.ecc`, `/tmp/coreboot.rom.signed.ecc` or
|
||||
`/tmp/zImage.bundled`, respectively.
|
||||
|
||||
To tell BMC to present the contents of this file as flash, run:
|
||||
|
||||
```
|
||||
mboxctl --backend file:/tmp/talos.pnor
|
||||
```
|
||||
|
||||
Sometimes this command fails with a timeout, in that case run it again until it
|
||||
succeeds.
|
||||
|
||||
> We've noticed that sometimes, despite no error message printed, physical flash
|
||||
> was used anyway. It is easy to spot when one copy has Hostboot and the other
|
||||
> has coreboot, but it can be missed when both images have different versions of
|
||||
> coreboot. It caused us few hours of unnecessary debugging of issues that were
|
||||
> already fixed...
|
||||
|
||||
With the file now mounted, platform can be started. Host firmware and OS
|
||||
shouldn't be able to tell the difference, except for different reported erase
|
||||
block size and maybe different access times.
|
||||
|
||||
To get back to original flash, run:
|
||||
|
||||
```
|
||||
mboxctl --backend vpnor
|
||||
```
|
||||
|
||||
It will report an error (`Failed to post message: Connection timed out`), but
|
||||
will revert to physical device nonetheless. This can be confirmed by checking
|
||||
the output of `mboxctl --lpc-state`:
|
||||
|
||||
```
|
||||
root@talos:~# mboxctl --lpc-state
|
||||
LPC Bus Maps: Flash Device
|
||||
```
|
||||
|
||||
Since the file is now the full image with coreboot (and optionally Heads), it
|
||||
can be simply written to flash, should you choose to accept it:
|
||||
|
||||
```
|
||||
pflash -E -p /tmp/talos.pnor
|
||||
```
|
||||
|
||||
## Noticeable differences between Hostboot and coreboot
|
||||
|
||||
For those wondering why we even started this project, here are some of the
|
||||
differences between Hostboot and coreboot.
|
||||
|
||||
First of all, coreboot uses C, while Hostboot was written in C++. The latter can
|
||||
be viewed as a complete operating system - it can use multiple threads
|
||||
simultaneously, manages virtual memory and uses memory swapping (even before RAM
|
||||
is trained). Each major [istep](https://wiki.raptorcs.com/w/images/b/bd/IPL-Flow-POWER9.pdf)
|
||||
(IPL Step, which in turn stands for Initial Program Load) is a separate
|
||||
application, with some common dynamically loaded libraries. coreboot, on the
|
||||
other hand, runs all of the code in just 3 separate stages - bootblock, romstage
|
||||
and ramstage. This allows for tighter linking process, which reduces the final
|
||||
size of the code.
|
||||
|
||||
Another significant difference is reduced amount of RAS (Reliability,
|
||||
Availability, Serviceability) features enabled in coreboot. Talos II is often
|
||||
used as a workstation, and while RAS has its uses in servers (it is preferred
|
||||
to start with partially working hardware than not starting at all), for home
|
||||
users booting fast is usually more important. Because of that coreboot doesn't
|
||||
support bad DQ masking for DRAM, it can also optionally skip initial RAM
|
||||
scrubbing. Because of these reasons, as well as smaller size of code in general,
|
||||
booting coreboot is significantly faster than Hostboot - some preliminary
|
||||
results can be found [here](https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/user_perspective.md).
|
||||
|
||||
Another technical difference is the way data is passed to Skiboot. Hostboot uses
|
||||
HDAT - a format specific to this particular firmware. For coreboot, a device
|
||||
tree conforming to a well-defined specification is used. In fact, Skiboot
|
||||
internally converts HDAT to device tree anyway. At the moment, some information
|
||||
is not presented by coreboot (https://github.com/Dasharo/dasharo-issues/issues/446,
|
||||
https://github.com/Dasharo/dasharo-issues/issues/32), but those seem to be
|
||||
rather cosmetic than anything else - if you know about something that requires
|
||||
those pieces of information to be present, let us know.
|
||||
|
||||
## TPM
|
||||
|
||||
TPM is an integral part of security mechanisms added by Heads. As existing I2C
|
||||
TPMs were [hard to obtain](https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/tpm_over_i2c.md)
|
||||
at the time we were working on this part of the project, and LPC TPMs couldn't
|
||||
be used [due to the way POWER9 processor exposed access to LPC bus](https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/tpm_over_lpc.md#tpm-over-lpc-interface),
|
||||
we had to [consider other options](https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/tpm.md).
|
||||
|
||||
The solution we ended up with was to create our own [I2C TPM 1.2 module](https://docs.dasharo.com/variants/talos_2/tpm-support/),
|
||||
based on Infineon SLB9645TT1.2 chip. This chip isn't supported by drivers in
|
||||
Hostboot and upstream Skiboot, to make use of it you have to use coreboot and
|
||||
Dasharo's fork of Skiboot.
|
||||
|
||||
{{< image src="blog/TPM-1.2-Talos-II.jpg" >}}
|
||||
|
||||
## Links and references
|
||||
|
||||
Here are some links to documentation related to this project:
|
||||
|
||||
- [main user documentation page](https://docs.dasharo.com/variants/talos_2/overview/)
|
||||
- [release notes and binaries](https://docs.dasharo.com/variants/talos_2/releases/)
|
||||
- [list of known issues](https://github.com/Dasharo/dasharo-issues/labels/raptor-cs_talos-2),
|
||||
if you want to create new issue remember to add proper tag
|
||||
- [scripts for dumping debug data and logs](https://github.com/3mdeb/openpower-coreboot-docs/tree/main/devnotes/scripts)
|
||||
- [dump of SCOM accesses and other debug output divided by isteps](https://github.com/3mdeb/openpower-coreboot-docs/tree/main/logs/scom_dumps)
|
||||
- [other uncategorized developer notes](https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes)
|
||||
- [Open Source Firmware Slack channel dedicated to coreboot on OpenPOWER](https://osfw.slack.com/archives/C01BHE47JSW)
|
||||
|
||||
We invite you to test for yourselves and share the results, both good and bad,
|
||||
either on channels listed above or in issue.
|
Loading…
Reference in New Issue