UEFI status

[krbvroc1]

What is the status of UEFI in the latest firmware?

1. I followed the instructions to build the latest v4.13.0.5 with UEFI payload. The instructions indicate to use a payload of tianocore origin/coreboot-4.7.x-uefi - does that indicate a very old version?

2. In device manager it shows an empty device list - where are the options to manipulate the Secure Boot platform keys, etc?

3. I tried to use Linux based 'efibootmgr' to add a boot item, but it didn't seem like the changes were saved to NVRAM properly. Is NVRAM working? I could not even force booting from a hard disk only.

4. Does this work fully with TPM2.0 module (the one it appears pcengines makes, but it has disappeared from their website)?

[pietrushnic]

What is the status of UEFI in the latest firmware?

UEFI was never support and there are no plans to support it in scope of coreboot maintainership services package which 3mdeb provide to PC Engines. If you need that support you may inquiry PC Engines or hack it yourself - contribution is welcome.

We getting inquiries about UEFI and Secure Boot support for PC Engines, but we address that as part of our Dasharo product lines.

1. I followed the instructions to build the latest v4.13.0.5 with UEFI payload. The instructions indicate to use a payload of tianocore origin/coreboot-4.7.x-uefi - does that indicate a very old version?

Yes, and it may have its own issues related to toolchain comaptibility and completnes of feature set exposed and support in UEFI.

2. In device manager it shows an empty device list - where are the options to manipulate the Secure Boot platform keys, etc?

I doubt if Secure Boot is enabled by default - that may be the reason.

3. I tried to use Linux based 'efibootmgr' to add a boot item, but it didn't seem like the changes were saved to NVRAM properly. Is NVRAM working? I could not even force booting from a hard disk only.

I assume problem is that there is no code that can handle saving to NVRAM.

4. Does this work fully with TPM2.0 module (the one it appears pcengines makes, but it has disappeared from their website)?

It depends how you define "work fully", can you explain your use case?

[krbvroc1]

I had seen several videos and documents from 2017 about pcengines (or was it you?) getting UEFI working on the APU2. So I 'assumed' it was a supported concept.

Our use case is using TPM to store crypttab encryption secrets. And in order to secure that, it means only allowing images signed by us to be booted on the platform.

Also, is Dasharo an actual shipping product or something for the future. Few details on that website other than 'request a quote'.

Thanks

[pietrushnic]

I had seen several videos and documents from 2017 about pcengines (or was it you?) getting UEFI working on the APU2. So I 'assumed' it was a supported concept.

I assume you mean European coreboot Conference 2017 - coreboot and ecosystem around change a lot since that time. We detected and fixed quite a lot of bugs to make UEFI work better. UEFI on PC Engines is supported, but as commercial line of Dasharo not as part of PC Engines paid service. Please note it was not full UEFI from reset vector to operating system, this was UEFI Payload.

Our use case is using TPM to store crypttab encryption secrets. And in order to secure that, it means only allowing images signed by us to be booted on the platform.

UEFI Secure Boot by itself doesn't make much sense, unless you dealing with some weird threat model. Even if you sign images, but you will not have some Static Root of Trust (eg. Intel Boot Guard, AMD Hardware Validated Boot etc.), then someone can replace or modify firmware and it would not detected malicious code. We fixed that using special SPI chip and locking initial part of coreboot in parallel enabling Verified Boot (through vboot) and Secure Boot - in that way platform is reasonably secure. There are also other ways to achieve that like Dynamic Root of Trust like TrenchBoot. About both things you can see research papers SRT DRT from OSFC2019.

There are even more problem to security of UEFI Secure Boot eg. revocation lists maintenance.

Also, is Dasharo an actual shipping product or something for the future. Few details on that website other than 'request a quote'.

This is product that we already shipping and maintaining pay-as-you-go model. Website and documentation would be improved as soon as we will clean our backlog.

Feel free to book a call with us: https://calendly.com/3mdeb/consulting-remote-meeting

[jailbird777]

I tried following the doc, and it appears that the current github repo that the config points to no longer has a coreboot-4.7.x-uefi branch. I'm not sure if the github repo in the config is wrong or if the repo is correct and the branch got removed :(.

[bn82]

I tried with latest tianocore and it kinds of work well, i could boot pfsense in UEFI with coreboot 4.17.0.1
I used :

• repo https://github.com/tianocore/edk2
• branch edk2-stable202205

[pietrushnic]

@bn82 thank you for test report.

[bn82]

IT's not building anymore for 4.7.0.2, it stops for logo. It seems to be linked to this commit : coreboot/coreboot@108e537

HEAD is now at a0a03b5154 BaseTools/GenSec: Fix typo
Your branch is up to date with 'origin/master'.
make[1]: *** No rule to make target '/home/coreboot/coreboot/payloads/external/tianocore/tianocore/edk2', needed by 'logo'. Stop.
make: *** [payloads/external/Makefile.inc:220: build/UEFIPAYLOAD.fd] Error 2

[miczyg1]

There is a lot of movement around Tianocore payload recently. Additionally, we do not actively maintain Tianocore payload support for PC Engines platforms, so the build may break at any time actually. Moreover origin/master is subject to change pretty often so if you look at stable builds I would recommend fixed commit hashes

[bn82]

Hello, this is ok for me, this was more for information.
This issue seems to be linked to the pce-fw-builder, where imagemagick is required for the logo functionality.
It build without using pce-fw-builder environment.

[miczyg1]

Ahh right. It uses convert to create an EDK2-compliant BMP image for Logo. No point in Logo on a headless system though.

[afreof]

This seems to be the most active thread on the UEFI topic. Just following https://github.com/pcengines/apu2-documentation/blob/master/docs/tianocore_build.md did not work for me.

The pce-fw-builder misses the convert command. To add it, I changed the Dockerfile and rebuilt the OCI image.

git diff Dockerfile
diff --git a/Dockerfile b/Dockerfile
index f489421..9312fed 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,5 +2,5 @@ FROM coreboot/coreboot-sdk:2021-04-06_7014f8258e
 MAINTAINER Piotr Król <[email protected]>
 USER root
 COPY ./scripts/entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
+RUN apt-get -qq update && apt-get -y install graphicsmagick-imagemagick-compat && chmod +x /entrypoint.sh

Rebuilding the container:

docker build -t pcengines/pce-fw-builder -f Dockerfile .

Use the new container:

SDK_VER=latest
export SDK_VER

With 4.17.0.3 the menuconfig looks different, but this configuration worked for me:

  Add a payload (edk2 payload)  --->
 (build/UEFIPAYLOAD.fd) edk2 binary
     Tianocore's EDK II payload (UEFIPayload)  --->
 (https://github.com/mrchromebox/edk2) URL to git repository for edk2
 (origin/uefipayload_202207) Insert a commit's SHA-1 or a branch name
     edk2 build (Generate edk2 release build)  --->
 [ ] Enable above 4G memory
 (Documentation/coreboot_logo.bmp) edk2 Bootsplash path and filename
 [ ] Use Escape key for Boot Manager
 (2) Set the timeout for boot menu prompt
 [ ] Enable edk2 logging to CBMEM
 [ ] Center logo 38.2% from the top of screen
 [*] Use the full screen for the edk2 frontpage
 [*] Include EFI Shell
 [*] Prioritize internal boot devices
 [ ] Support PS/2 Keyboards
 (10) Timeout in ms for initializing SD and eMMC devices
 [*] Support serial output
 ()  edk2 additional custom build parameters
 [ ] Add a PXE ROM
     Payload compression algorithm (Use LZMA compression for payloads)  --->
 [*] Use LZMA compression for secondary payloads
     Secondary Payloads

[Asiderr]

We regret to inform you that PC Engines has discontinued its sponsorship of open-source firmware. #319