Feature #540
open
Support for Lenovo ThinkPad X250 - the competitor to the shortly added HP EliteBook 820 G2
Added by akjuxr3 akjuxr3 7 months ago.
Updated 7 months ago.
Affected hardware:
Lenovo ThinkPad X250
The reason there is no coreboot support for (Intel) ThinkPads newer than Haswell is Intel Boot Guard, an optional feature introduced with Haswell which prevents firmware that isn't signed by the vendor (so, coreboot) from booting. Once enabled, it cannot be disabled, as its configuration is permanently fused into the chipset. Boot Guard is intended to be the hardware root of trust on which all subsequent trust (like UEFI Secure Boot) is based. It's generally been assumed that all ThinkPads Broadwell and newer have Boot Guard enabled, and generally it's not something listed in product pages. It's also not clear if every variant/configuration of a given model will have Boot Guard, but it's likely safe to assume that if one particular variant has it enabled then the vast majority will also have it. It is possible to check whether Boot Guard is enabled using tools like intelmetool, and there's a list of the Boot Guard status of various systems here: https://github.com/felixsinger/bootguard-status
That said, there is some work being done to exploit known vulnerabilities in the Intel ME to bypass Boot Guard on Skylake/Kaby Lake (see https://review.coreboot.org/c/coreboot/+/82053), but such an exploit would need to be ported to Broadwell's ME firmware, and that's if it is even vulnerable to the same public vulnerability that allows Boot Guard bypass.
HP doesn't use Boot Guard and instead uses their own hardware root of trust solution known as HP Sure Start, but it (or at least the version on the 820 G2) does have vulnerabilities that allow it to be bypassed (refer to https://doc.coreboot.org/mainboard/hp/hp_sure_start.html).
Even though bypassing Boot Guard is possible on Skylake, the ME on Broadwell uses a completely different ISA for its CPU core (Skylake uses a mini-x86 core, Broadwell and earlier use some ARCompact thing?). So backporting the Boot Guard bypass thing is significantly more complicated because of that.