Documentation is now handled by the same processes we use for code: Add something to the Documentation/ directory in the coreboot repo, and it will be rendered to https://doc.coreboot.org/. Contributions welcome!
This tutorial a work in progress and is not finished yet.
Once you successfully flashed a Coreboot image that corresponds to its source code, there is again an issue of chicken and egg when wanting to install an operating system.
An easy way to deal with it is to make the boot firmware verify the checksums of the OS installer. This however has several issues: Verifying the checksum of an image that is installed on a storage device is not very reliable due to a variety of factors such as:
Coreboot supports many payloads. Since this is payload-specific, there is the need of having one section per payload.
Since we will diverge from the default configurations, a recovery mechanism is required. The best way is to have an external flash programmer. Using the fallback recovery mechanism could also be used as an alternative, but it is less safe than an external flash programmer.
This is the most straightforward way since iPXE supports computing sha1 checksums with its "sha1sum" command. The user will then download the installer image trough iPXE (the image will then be stored inside the target computer's RAM) and run sha1sum on that image.
The most straightforward way to use it, is to add SeaBIOS as payload, and iPXE as an option rom.
Since SeaBIOS tend to execute code from a variety of sources, care must be taken to only allow it to execute iPXE.
To produce a configuration that fits, download SeaBIOS, select the option to build it for Xoreboot, and then un-select the options loading code externally. then produce a minimal configuration with:
$ make savedefconfig
The configuration file will then be called defconfig. Copy it to the coreboot source tree as seabios_defconfig
Alternatively you can create the seabios_defconfig file with the following content:
CONFIG_COREBOOT=y # CONFIG_ATA is not set # CONFIG_SDCARD is not set # CONFIG_MEGASAS is not set # CONFIG_FLOPPY is not set # CONFIG_USB_MSC is not set # CONFIG_USB_UAS is not set
This works at the time of writing and may need to be updated later.
Then pass the path of the seabios configuration file to coreboot with the "() SeaBIOS config file" option which appears in the payload section, when selecting SeaBIOS.
"SeaBIOS config file" looks by default in the mainboard directory, with "seabios_defconfig" it will look in:
"$(top)/src/mainboard/$(MAINBOARDDIR)/seabios_defconfig"
Since we have put the file inside coreboot's top directory we will prepend the path with "../../../". It will then look like that:
(../../../seabios_defconfig) SeaBIOS config file
To build iPXE with checksum utilities run the following:
$ cd src $ echo "#define DIGEST_CMD" > config/local/general.h $ make bin/<pci-ids>.rom
Replace <pci-ids> by the PCI ids of your NIC. They can be found by using "lspci -nn" Here's an example for a specific intel card:
$ make bin/8086100e.rom
Using iso files is problematic for our use case:
The patch for adding the sha256sum command has been sent to the iPXE mailing list.
We will use Debian in this example since it publishes kernel and initramfs images. jessie/main/installer-i386/current/images/SHA256SUMS has:
aed809c620d36967d16f248bb1b8ebe4208aa539064a180be0c5f8cfd82ef2e0 ./netboot/gtk/debian-installer/i386/initrd.gz 97729b2938f969431e1b5c24a3f2364a4d075279fafd0d7724e66e857d467257 ./netboot/gtk/debian-installer/i386/linux
Write down the checksums, and verify that it's the same on different computers, internet connections, mirror, etc.
Ideally such checksums should somehow be verified with gpg.
In iPXE, setup the network:
dhcp
Then download the files:
imgfetch http://http.us.debian.org/debian/dists/jessie/main/installer-i386/current/images/netboot/debian-installer/i386/linux imgfetch http://http.us.debian.org/debian/dists/jessie/main/installer-i386/current/images/netboot/debian-installer/i386/initrd.gz
After waiting for the files to download, we can finally check the checksum with:
sha256sum linux sha256sum initrd.gz
Verify that the printed checksum corresponds to the checksum we wrote down earlier( aed809c620d36967d16f248bb1b8ebe4208aa539064a180be0c5f8cfd82ef2e0 and 97729b2938f969431e1b5c24a3f2364a4d075279fafd0d7724e66e857d467257 )
With the following:
kernel linux boot
the installer should boot.
Grub supports checking signatures, but to prevent TOCTOU attacks, it must be made mandatory.
We can use that to safely boot an installer:
The following payload may be able to fit but were not checked.