Take a look at our
ThinkPads.com HOME PAGE
For those who might want to contribute to the blog, start here: Editors Alley Topic
Then contact Bill with a Private Message

Coreboot on the X210

Old(er) Thinkpads with New(er) Intestines: X62 / T50 / T70 / etc.
Message
Author
flyingfishfinger
Junior Member
Junior Member
Posts: 318
Joined: Sun Nov 18, 2012 5:42 pm
Location: San Francisco Bay Area

Re: Coreboot on the X210

#61 Post by flyingfishfinger » Mon Oct 21, 2019 3:58 pm

verynice wrote:
Sat Oct 19, 2019 5:51 am
Can you post this here? https://review.coreboot.org/c/coreboot/+/32531/
At risk of revealing my lack of "software prowess", I'm not actually sure how to do that properly / safely :eek:

But I also made a mistake in my above post, it should be:

register "usb2_ports[2]" = "USB2_PORT_FLEX(OC1)" # FPR
register "usb2_ports[3]" = "USB2_PORT_FLEX(OC1)" # SD

Port 4 appears to be the internal one. I had enabled all three and both the SD and the fingerprint worked.

I've now confirmed that both of the above are correct and work cross-platform.

@harryk I saw that you added these changes to your repo already, sorry for the mistake. Please update.

R

harryK
Sophomore Member
Posts: 146
Joined: Fri Jun 13, 2014 6:28 pm
Location: Glasgow, Scotland

Re: Coreboot on the X210

#62 Post by harryK » Tue Oct 22, 2019 2:15 pm

flyingfishfinger wrote:
Mon Oct 21, 2019 3:58 pm
verynice wrote:
Sat Oct 19, 2019 5:51 am
Can you post this here? https://review.coreboot.org/c/coreboot/+/32531/
At risk of revealing my lack of "software prowess", I'm not actually sure how to do that properly / safely :eek:

But I also made a mistake in my above post, it should be:

register "usb2_ports[2]" = "USB2_PORT_FLEX(OC1)" # FPR
register "usb2_ports[3]" = "USB2_PORT_FLEX(OC1)" # SD

Port 4 appears to be the internal one. I had enabled all three and both the SD and the fingerprint worked.

I've now confirmed that both of the above are correct and work cross-platform.

@harryk I saw that you added these changes to your repo already, sorry for the mistake. Please update.

R
Hi,
I updated the repository with the correct port. SD card and FPR are still not working for me, but they weren't working with the stock bios either, so I trusted you :-)
I also built a new image with the current coreboot revision and the updated devicetree, if someone wants to try it and maybe confirm that SD card and FPR are working it's here https://github.com/harrykipper/x210

flyingfishfinger
Junior Member
Junior Member
Posts: 318
Joined: Sun Nov 18, 2012 5:42 pm
Location: San Francisco Bay Area

Re: Coreboot on the X210

#63 Post by flyingfishfinger » Tue Oct 22, 2019 3:06 pm

I just logged in to Win10 with my fingerprint and downloaded some photos from an SD card, so I'm pretty sure it works :p

Note that when I first received the machine the SD card didn't work either. Turns out the sub-card they chose seems to have been busted, so I swapped in the one from my old X201. Now it works.

R

evil
Posts: 18
Joined: Sun Nov 29, 2009 10:55 am
Location: Cracow, Poland

Re: Coreboot on the X210

#64 Post by evil » Sun Nov 10, 2019 4:48 pm

harryK wrote:
Fri Jul 26, 2019 4:54 am
and included the latest CPU microcode from Intel
It really sucks, because newer firmware decreses performance(so it will suck more battery to do same operations). so I've locked intel microcode in package manager to stay at "20171117". It's the last version that will allow using full capabilities of Intel CPUs (a bit less secure, but as laptops tends to be single user only, then who cares really?...)
It's also goode idea to add
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mitigations=off mds=off noibrs noibpb nopti spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier kvm-intel.vmentry_l1d_flush=never "
to /etc/default/grub

Otherwise great job. I hope I will be able to use that (but Jacky is keeping my $3800 from nearly two years and not sending me any of paid machines[claiming that some were confiscated at boarder{it doesn't matter that they were never shipped}] and responding less often than 2 months...)
IBM Thinkpad T60p [200893G]: 15" UXGA FlexView, Core 2 Duo T7200, 4GB DDR2, Spinpoint M7 HM500JI 500GB, Advanced mini dock II, PLD Th

skx
Sophomore Member
Posts: 149
Joined: Mon Jul 09, 2018 6:25 pm
Location: Colombia

Re: Coreboot on the X210

#65 Post by skx » Sun Nov 10, 2019 7:04 pm

evil wrote:
Sun Nov 10, 2019 4:48 pm
It really sucks, because newer firmware decreses performance(so it will suck more battery to do same operations). so I've locked intel microcode in package manager to stay at "20171117". It's the last version that will allow using full capabilities of Intel CPUs (a bit less secure, but as laptops tends to be single user only, then who cares really?...)
I don't know why single user machine is not important to be secure. The latest intel microcode updates are to partially prevent the intel clusterfck. Having access to full ram memory is making all your security measures worthless. I would say it is important for any vulnerable intel machine.
ThinkPad X220: i5-2520M CPU 2.5GHz - 8GB RAM 1333 MHz - SSD 860 EVO 250GB - Debian - ME_cleaned
ThinkPad X230: i5-3320M CPU 3.3GHz - 8GB RAM 1600 MHz - SSD 860 EVO 500GB - Debian - ME_cleaned

verynice
Posts: 41
Joined: Wed May 22, 2019 1:59 pm
Location: Moscow, Russia

Re: Coreboot on the X210

#66 Post by verynice » Mon Nov 11, 2019 4:20 pm

skx wrote:
Sun Nov 10, 2019 7:04 pm
evil wrote:
Sun Nov 10, 2019 4:48 pm
It really sucks, because newer firmware decreses performance(so it will suck more battery to do same operations). so I've locked intel microcode in package manager to stay at "20171117". It's the last version that will allow using full capabilities of Intel CPUs (a bit less secure, but as laptops tends to be single user only, then who cares really?...)
I don't know why single user machine is not important to be secure. The latest intel microcode updates are to partially prevent the intel clusterfck. Having access to full ram memory is making all your security measures worthless. I would say it is important for any vulnerable intel machine.
can you elaborate your statement?
Why should user care of xxx mitigations?
there is _no_ real-world exploits for such cases, and even if there were:
a) one must use unsafe code from 3rd parties (and this leads to more some reeaaaaly dangerous problems)
b) be a server with multiple VMs which are used by different users
c) almost every browser has patches for spec/meltd or patched js, and even better Pale Moon had js implementation which _wasn't_ affected by those
so, why should one care of so called _pseudosecurity_
this kind of security (through obscurity) only makes the whole world worse because almost everyone starts to sing that song even though they can't name a _single_ attack vector.
Last edited by verynice on Mon Nov 11, 2019 4:28 pm, edited 4 times in total.

verynice
Posts: 41
Joined: Wed May 22, 2019 1:59 pm
Location: Moscow, Russia

Re: Coreboot on the X210

#67 Post by verynice » Mon Nov 11, 2019 4:23 pm

flyingfishfinger wrote:
Mon Oct 21, 2019 3:58 pm
I had enabled all three and both the SD and the fingerprint worked.
register "usb2_ports[2]" = "USB2_PORT_FLEX(OC1)" # FPR
register "usb2_ports[3]" = "USB2_PORT_FLEX(OC1)" # SD
register "usb2_ports[4]" = "USB2_PORT_FLEX(OC1)" # INT
is this correct?

flyingfishfinger
Junior Member
Junior Member
Posts: 318
Joined: Sun Nov 18, 2012 5:42 pm
Location: San Francisco Bay Area

Re: Coreboot on the X210

#68 Post by flyingfishfinger » Mon Nov 11, 2019 6:01 pm

verynice wrote:
Mon Nov 11, 2019 4:23 pm
is this correct?
I haven't tested the internal port, but the other two are working for me yes.

R

mjg59
Posts: 32
Joined: Sat Aug 21, 2004 7:53 am

Re: Coreboot on the X210

#69 Post by mjg59 » Mon Nov 11, 2019 10:06 pm

verynice wrote:
Mon Nov 11, 2019 4:20 pm

can you elaborate your statement?
Why should user care of xxx mitigations?
there is _no_ real-world exploits for such cases, and even if there were:
a) one must use unsafe code from 3rd parties (and this leads to more some reeaaaaly dangerous problems)
b) be a server with multiple VMs which are used by different users
c) almost every browser has patches for spec/meltd or patched js, and even better Pale Moon had js implementation which _wasn't_ affected by those
so, why should one care of so called _pseudosecurity_
this kind of security (through obscurity) only makes the whole world worse because almost everyone starts to sing that song even though they can't name a _single_ attack vector.
It's entirely possible to exploit Spectre via in-browser code (tough with Javascript, but certainly possible with WASM). It's not a purely VM attack, if your browser is running on one thread then an attacker can extract information from processes running on the other thread on the same core.

verynice
Posts: 41
Joined: Wed May 22, 2019 1:59 pm
Location: Moscow, Russia

Re: Coreboot on the X210

#70 Post by verynice » Tue Nov 12, 2019 12:27 am

mjg59 wrote:
Mon Nov 11, 2019 10:06 pm
It's entirely possible to exploit Spectre via in-browser code (tough with Javascript, but certainly possible with WASM). It's not a purely VM attack, if your browser is running on one thread then an attacker can extract information from processes running on the other thread on the same core.
First of all, glad to hear from you!
Second, can you update boardconfig on review.coreboot? I haven't tested the fixes provided earlier but it would be great to have working sd.
---
Now, let's go to the business:
Right you are, about WASM (I thought about WASM too) but WASM is a dangerous technology in itself (and nothing justifies the usage of it), there are numerous things which one could exploit through the usage of it
and miners are only the beginning. Still I prefer to ban WASM (I even ban sockets ws wss) and use only 1st party js, or don't use it at all. But we're not talking about me,
we talk about users (and this is wide) 1. I don't know how Chrome/Firefox fixed WASM 2. Do the new compiler flags help against "bad" usage of WASM and I don't want to speculate.

Post Reply
  • Similar Topics
    Replies
    Views
    Last post

Return to “51nb and other modded Thinkpads”

Who is online

Users browsing this forum: No registered users and 4 guests