GNUBoot/coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
coreboot-kgpe-d16/Documentation/mainboard/lenovo/vboot.md
Martin Roth 6c3ece9c9e Documentation: Fix spelling errors 
These issues were found and fixed by codespell, a useful tool for
finding spelling errors.

Signed-off-by: Martin Roth <martin@coreboot.org>
Change-Id: If2a8e97911420c19e9365d5c28810b998f2c2ac8
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58078
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2021-10-05 18:06:24 +00:00

38 lines
1.7 KiB
Markdown
Raw Blame History

# Using coreboot's verified boot on Lenovo devices
By default a single instance of coreboot is present in the firmware flash,
no verification is done and the flash is not write-protected, so as to allow
firmware updates from the OS.
The verified boot mechanism also called [vboot] allows secure firmware
updates using an A/B partitioning scheme once enabled.
## Enabling vboot
You can enable [vboot] in Kconfig's *Security* section. Besides a verified
boot you can also enable a measured boot by setting
`CONFIG_VBOOT_MEASURED_BOOT`. Both options need a working TPM, which is
present on all recent Lenovo devices.
## Updating and recovery
As the A/B partition is writeable you can still update them from the OS.
By using the [vboot] mechanism you store a copy of coreboot in the `RO`
partition that acts as failsafe in case the regular firmware update, that
goes to the `A` or `B` partition fails.
**Note:** The `RO` partition isn't write-protected by default, therefore you
have to enable the protection in the security Kconfig menu by yourself.
On *Lenovo* devices you can enable the *Fn* key as recovery mode switch, by
enabling `CONFIG_H8_FN_KEY_AS_VBOOT_RECOVERY_SW`.
Holding the *Fn* at boot will then switch to the recovery image, allowing
to boot and flash a working image to the A/B partition.
## 8 MiB ROM limitation
*Lenovo* devices with 8 MiB ROM only have a `RO`+`A` partition enabled in the
default FMAP. They are missing the `B` partition, due to size constraints.
You can still provide your own FMAP if you need `RO`+`A`+`B` partitions.
## CMOS
[vboot] on *Lenovo* devices uses the CMOS to store configuration data, like
boot failures and the last successfully booted partition.
[vboot]: ../../security/vboot/index.md
Reference in a new issue View git blame Copy permalink