Project

General

Profile

Actions

Feature #540

open

Support for Lenovo ThinkPad X250 - the competitor to the shortly added HP EliteBook 820 G2

Added by akjuxr3 akjuxr3 6 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
board support
Target version:
Start date:
05/22/2024
Due date:
% Done:

0%

Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Lenovo Thinkpad X250
Affected OS:

Description

Coreboot now have support for the HP EliteBook 820 G2. This is great, but sadly the keyboard is for a person using Thinkpad keyboards forever not usable.
The Thinkpad X250 is the competitor to the HP EliteBook 820 G2. https://www.notebookcheck.net/Face-Off-HP-EliteBook-820-G2-vs-Lenovo-ThinkPad-X250-vs-Dell-Latitude-12-E7250.144831.0.html

The X250 also have a Full-HD IPS screen. This would also fix the problems many people have with the X230 and spend much time and effort to get a Full-HD IPS screen running in the X230.

Nico Huber have(had?) such a X250: https://review.coreboot.org/c/coreboot/+/23820/7#message-04cf9f804c1292f457c61c71e63eaddaff083202

Other coreboot developer also seem to have a X250: https://review.coreboot.org/c/coreboot/+/51179

Have someone taken a deeper look into the Thinkpad X250? Is there something special why suddenly the HP EliteBook 820 G2 got supported instead of a typical Thinkpad like it was the case for years at coreboot?

Actions #1

Updated by Nicholas Chin 6 months ago

The reason there is no coreboot support for (Intel) ThinkPads newer than Haswell is because of Intel Boot Guard, an optional feature introduced with Haswell which prevents firmware that isn't signed by the vendor (so, coreboot) from booting. Once enabled, it cannot be disabled, as its configuration is permanently fused into the chipset. Boot Guard is intended to be the hardware root of trust from which all subsequent trust (like UEFI secureboot) is based on. It's generally been assumed that all ThinkPads Broadwell and newer have Boot Guard enabled, and generally it's not something listed in product pages. It's also not clear if every variant/configuration of a given model will have Boot Guard, but it's likely safe to assume that if one particular variant has it enabled then the vast majority will also have it. It is possible to check whether Boot Guard is enabled using tools like intelmetool, and there's a list of the BootGuard status of various systems here: https://github.com/felixsinger/bootguard-status

That said, there is some work being done to exploit known vulnerabilities in the Intel ME to bypass Boot Guard on Sky Lake/Kaby Lake (see https://review.coreboot.org/c/coreboot/+/82053), but such an exploit would need to be ported to Broadwell's ME firmware, and that's if it is even vulnerable to the same public vulnerability that allows Boot Guard bypass.

HP doesn't use Boot Guard and instead uses their own hardware root of trust solution known as HP Sure Start, but it (or at least the version on the 820 G2) does have vulnerabilities that allow it to be bypassed (refer to https://doc.coreboot.org/mainboard/hp/hp_sure_start.html)

Actions #2

Updated by Angel Pons 6 months ago

Even though bypassing Boot Guard is possible on Skylake, the ME on Broadwell uses a completely different ISA for its CPU core (Skylake uses a mini-x86 core, Broadwell and earlier use some ARCompact thing?). So backporting the bootguard bypass thing is significantly more complicated because of that.

Actions

Also available in: Atom PDF