Support #387

closed

Support Framework Laptop

Added by Jun Aruga over 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: board support
Target version:
Start date: 06/05/2022
Due date:
% Done: 0%
Estimated time:
Affected versions:
Needs backport to:
Affected hardware: Framework Laptop
Affected OS:
Description

Dear coreboot developers,

I am a user of Framework Laptop[1][2]. Thank you for working to make coreboot work on Framework Laptop! This ticket is to track the task, as I didn't see any other issue tickets about Framework Laptop here. According to the Framework founder's comment[3] below, Framework provided Framework Laptops to the coreboot community.

We've handed three systems that can boot unsigned bootloaders to folks in the coreboot community. Our plan in the near term is to help them create a shim loader that can be signed to run on any Framework Laptop, which then enables anyone to do further coreboot development.

Then I saw Matthew's attempt to make coreboot work on Framework Laptop,[4] but unfortunately it didn't work at that time.[5]

What is the current status? What prevents coreboot from working on the Framework Laptop? How can we, people in the Framework community, help you? As a reference, there is a coreboot-specific thread on the Framework community forum.[6]

References


Files

Emails_with_Framework_customer_support_about_coreboot.pdf (283 KB): Full emails with Framework customer support about coreboot. Jun Aruga, 06/25/2022 06:47 PM

Actions #1

Updated by Martin Roth over 2 years ago

Can we find out who the framework laptops were supplied to? It's great that these individuals have agreed to work on the port, but the coreboot community as a whole hasn't signed up to support the framework laptop.

There are a number of professional consulting groups that do coreboot ports. If framework is actually interested in getting a port done, might I suggest that these might be a better way to go about getting a port done?
https://www.coreboot.org/consulting.html

Actions #2

Updated by Jun Aruga over 2 years ago

Martin Roth wrote in #note-1:

Can we find out who the framework laptops were supplied to? It's great that these individuals have agreed to work on the port, but the coreboot community as a whole hasn't signed up to support the framework laptop.

Sure. Let me ask Framework about it on the Framework community forum. I will let you know here.

There are a number of professional consulting groups that do coreboot ports. If framework is actually interested in getting a port done, might I suggest that these might be a better way to go about getting a port done?
https://www.coreboot.org/consulting.html

Thank you for the info. I would like to communicate with the coreboot community or the consulting groups openly as much as possible here or somewhere, even when I may need to email someone as a close communication temporarily. Because in this case, though Framework is possibly interested in the port, I know Framework community is really interested in it. People in the community should be able to know the progress and involve the task.

I am not sure what prevents coreboot's port to the Framework Laptop. But if funding for coreboot would solve it, I mean if some coreboot developers can get the port done by working intensively, for example for 1 month, with funding, I am happy to act to collect the money from people who want to see the port done by using an OSS funding platform[1] that fits coreboot. For example, you might know "Tidelift" and "GitHub Sponsors".

What do you think? Anyway, first I want to know what prevents coreboot's port to the Framework Laptop.

References

Actions #3

Updated by Matt DeVillier over 2 years ago

Jun Aruga wrote in #note-2:

People in the community should be able to know the progress and involve the task.

That's on Framework, not the coreboot community.

Anyway, first I want to know what prevents coreboot's port to the Framework Laptop.

Intel BootGuard is active/enabled on the Framework laptop. That means that the system firmware (vendor UEFI, coreboot, etc) must be cryptographically signed with the same key fused into the PCH. Framework controls this key, and has proposed creating both a signed "official" coreboot image as well as signed shim which would allow user-built coreboot firmware to be used.

Where they are on that process is unknown, because there has been no official overture from Framework to the coreboot community. They supposedly sent out 3 dev units (which do not have Bootguard enabled) to individual developers. Matthew Garrett (mjg59) posted about his unsuccessful efforts a few months ago on Twitter but there has been nothing recent to my knowledge. Who else has dev boards is unknown.

Actions #4

Updated by Martin Roth over 2 years ago

Hey Jun, Please don't misunderstand any of this as hostility - it's definitely not meant that way.

I think we all would like a framework coreboot port, and would be excited to see it happen, but it takes quite a bit of work to get an initial port done and maintained. As a member of the coreboot community, I want to make sure that any issues in this process don't come back onto the community for any inadequacies of any work that's being done. The coreboot project is developed both by individuals and companies using it for their own needs. Those companies invest a significant amount to get that work done, and any work done by individuals is done on their own time.

We care intensely about the project, and keeping things running smoothly takes a very significant amount of work on our part. Any work that is done or promised by the people that have been supplied framework machines is being done as individuals, not as direct representatives of the coreboot project as a whole.

As far as fundraising to do a port, that is also something that would need to be done by individuals, not by the coreboot project. We have a number of different consulting companies who work on coreboot, and as a project, we're not going to discriminate between them by doing an official "coreboot" fundraiser for a particular project. We as a project will absolutely support anyone doing a fundraiser, but any expectations of deliverables need to be understood as being between the developers doing any paid work and the people contributing to that effort. The coreboot project is not a party to the transaction and cannot be held responsible for any failures, beyond trying to fix any normal breakages in ongoing development of the coreboot codebase.

Again, I very much appreciate the desire to have a coreboot port for the framework laptop, and I'm sure that something will be done at some point. I just want everyone involved to have realistic expectations of how development works and how the platform would be maintained.

Thanks for setting this up as a place for a discussion to happen.

Actions #5

Updated by Nico Huber over 2 years ago

Framework controls this key, and has proposed creating both a signed "official" coreboot image as well as signed shim which would allow user-built coreboot firmware to be used.

I hope they know what they are talking about. I mean such a shim, wouldn't that effectively disable the whole BootGuard feature? It would be most welcome, though. Because without it, it would be very hard for the community to maintain the port (and to be honest, if they make it hard, it won't happen). Alternatively, they could sell units with BootGuard disabled. That would also reduce the amount of blobs needed.

How can we, people in the Framework community, help you?

Get them to publish documentation. Or at least get them to offer a reasonable NDA to individuals. Without documentation, the community is unlikely to pick up the maintenance effort and they'll need to constantly pay somebody for it (if the goal is to have upstream coreboot support). Schematics are a minimum. What is controlled by the EC and how is also very valuable information. Without such documentation, one has to be very lucky. If unlucky, it's possible that the initial port costs some $10,000 more.

Actions #6

Updated by Simon Gaiser over 2 years ago

What is controlled by the EC and how is also very valuable information.

They have published the code of their EC, so I guess this part shouldn't be hard: https://github.com/FrameworkComputer/EmbeddedController

Actions #8

Updated by Nico Huber over 2 years ago

Raul Rangel wrote in #note-7:

Just FYI, the board schematics are here: https://github.com/FrameworkComputer/Mainboard/blob/main/Electrical/Mainboard_Interfaces_Schematic.pdf

That's just bits about the connectors, AFAICS.

Actions #9

Updated by Jun Aruga over 2 years ago

Nico Huber wrote in #note-8:

Raul Rangel wrote in #note-7:

Just FYI, the board schematics are here: https://github.com/FrameworkComputer/Mainboard/blob/main/Electrical/Mainboard_Interfaces_Schematic.pdf

That's just bits about the connectors, AFAICS.

Thanks for your comments, everyone! I will read and reply later. Just note that the full schematics and board views are available to "repair shops" under an agreement. I am not sure those are available for the coreboot community.

Actions #10

Updated by Jun Aruga over 2 years ago

First, I will comment on how to collaborate with people in the coreboot community. Martin Roth, great points. Thanks for sharing it. I agree. In my recognition, it is about the responsibility of the company, Framework, and the fairness with other companies who develop coreboot.

Responsibility: The coreboot community doesn't have a responsibility about the transaction and any features. Framework should have it.

Fairness: PC manufacturers and consulting companies invest a significant amount to get that work done. If Framework works with people in the coreboot project, in my opinion, the possible choices are that a. Framework will invest a significant amount in coreboot, as other companies in the coreboot project do. b. Framework will work with individuals, not with the entire coreboot project. For fundraising, I think a task-driven, bounty-type OSS funding platform may fit this porting task. That means that when developers finish the work, the platform pays the bounty to the developers.

I think the fairness is related to what Matt DeVillier said "That's on Framework, not the coreboot community.". I cannot use this ticket for everyone in the coreboot to see the progress and to see the task done. Because that means that the coreboot project discriminates between companies to work in/for the coreboot project. So, feel free to change the ticket's status to close if it is needed. However communicating here is really meaningful for me. It is great if I can continue the discussions, asking questions on this ticket.

Second, I will comment about some things to clarify. I am asking Framework with the following questions below now.

  • Whom the Framework founder provided the 3 Framework Laptops to in the coreboot community?
  • Do the 3 Framework Laptops which the Framework founder sent to the people in the coreboot disable Intel BootGuard fully?
  • Documentations: Is the current (not full) documentation without an agreement good enough to port coreboot? Can individuals in the coreboot community access the full schematics and board views with an agreement?

I am also asking Matthew Garrett what is the current status of his porting work by emailing him, introducing this ticket. As my next action, I will find a task driven bounty type OSS funding platform. Again, thanks for your comments! Let me know what you think.

Actions #11

Updated by Jun Aruga over 2 years ago

Matt DeVillier wrote in #note-3:

Jun Aruga wrote in #note-2:

People in the community should be able to know the progress and involve the task.

That's on Framework, not the coreboot community.

I updated the coreboot specific thread on the Framework community forum above ("[6] Free the EC! and Coreboot Only"), renaming the thread title to a better one, and adding a summary to the first comment (wiki), for people to discuss easily there too. You are welcome to join.
https://community.frame.work/t/coreboot-on-the-framework-laptop/791

Actions #12

Updated by Jun Aruga over 2 years ago

Jun Aruga wrote in #note-10:

[...]
Second, I will comment about some things to clarify. I am asking Framework with the following questions below now.

I got some answers below from the Framework Support.

  • Whom the Framework founder provided the 3 Framework Laptops to in the coreboot community?

The Framework Support said that they didn’t answer this question due to their privacy policy.

  • Do the 3 Framework Laptops which the Framework founder sent to the people in the coreboot disable Intel BootGuard fully?

Yes or No. Framework didn’t enable the Intel BootGuard for the 3 Laptops. However, I am not sure that is equivalent to being fully disabled.
The Framework Support answered, "I can confirm that the three units provided didn't have Intel BootGuard enabled, however these were based on pre-production hardware designs.".

  • Documentations: Is the current (not full) documentation without an agreement good enough to port coreboot?

I am not sure. The Framework Support didn’t answer this question.

Can individuals in the coreboot community access the full schematics and board views with an agreement?

No. The Framework Support answered, "We did not provide full schematics, as these are only provided - under NDA - to repair partners.".

I am also asking Matthew Garrett what is the current status of his porting work by emailing him, introducing this ticket.

So far I have not received his reply by email, while he is active on his Twitter. As I don't have my Twitter account and I don't want to have it, it's great if someone asks him.

As my next action, I will find a task driven bounty type OSS funding platform.

This action above is in pending or canceled status.

Other notable information from Framework Support

  • "While aligned with our mission, coreboot is not something we are actively developing at this time." [1]
  • "Sorry we do not have additional responses for you at this time. If and when we actively develop coreboot in the future, we will announce and discuss this on our community." [1]

References

Actions #13

Updated by Simon Gaiser about 2 years ago

Framework recently announced the "Chromebook Edition" of their Laptop: https://frame.work/blog/introducing-the-framework-laptop-chromebook-edition. They write that it's running coreboot. According to a comment in https://review.coreboot.org/c/coreboot/+/62569 the code is even already upstream. Does someone know what's the state of Boot Guard on those devices?

Actions #14

Updated by Julius Werner about 2 years ago

Chromebooks never use BootGuard, so the firmware on those devices should be fully replaceable and they should support all the usual Chromebook developer features (e.g. https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/HEAD/docs/ccd.md).

Actions #15

Updated by Martin Roth almost 2 years ago

  • Status changed from New to Closed

Closing this issue. The framework chromebook will be supported in tree as typical for chromebooks.

If other versions of the framework laptops are to be supported, someone can add them to the tree, and we welcome those submissions.
