GRUB

Boot manually

For some setups the default GRUB script does not work. Either try updating the grub.cfg (next section) or boot manually (below).

#Open commandline in GRUB
cryptomount -a        #decrypt all HDDs (can also specify disk manually)
root=lvm/matrix-boot  #default boot partition, or use `ls` to list partitions
linux=/vmlinuz        #if (the symlink) not present, choose latest file, press TAB to list
initrd=/initrd        #if (the symlink) not present, choose latest file, press TAB to list
boot

Boot automatically

Add the below to the preferred boot option, in grub.cfg, for automatic boot. It is recommended to test any configuration with grubtest.cfg, before changing the main config grub.cfg

menuentry 'Boot to regular encrypted OS  [x]' --hotkey='x' {
#Simple setup to boot from encrypted boot partition
#LUKS -> LVM -> logical volumes
#LVM name matrix and boot volume rootvol or boot
#Might get weird if multiple lvm devices connected

    cryptomount -a

    #try boot first since rootvol might symlink to boot and break
    set root=(lvm/matrix-boot)
    if [ -f "/vmlinuz" ]; then
      if [ -f "/initrd.img" ]; then
        linux /vmlinuz
        initrd /initrd.img
      fi

   else
      echo "Trying to boot lvm/matrix-boot.."
      echo "Couldn't find kernel"
      echo "Trying to boot lvm/matrix-rootvol.."
      set root=(lvm/matrix-rootvol)
      if [ -f "/vmlinuz" ]; then
        if [ -f "/initrd.img" ]; then
          linux /vmlinuz
          initrd /initrd.img
        fi
      fi

    fi
}

Libreboot

Our external flashing setup

BeagleBone Black (BBB), powered by USB. 5A 2A Tip: Dont power anything from a regular (computer) ATX power supply, it will work but is unreliable and a time waster. Current setup is to connect to the BBB via ethernet to a router and thus SSH. Can also connect directly with the SPI interface, see Libreboot flashing guide.

Pomona chip holders

10cm wires

General

For flashing see this guide for a general idea, however each system has their own chip configuration which differs a little.

When installing an OS on a Libreboot (/Coreboot) system, use these guides.

When installing Debian I used this guide in particular. The guide uses LUKS->LVM->Partitions, thus everything is encrypted. You don’t need to install GRUB since it is already on the libreboot ROM (if you’re using the GRUB payload), however, using a local GRUB makes it possible to change GRUB config without reflashing ROM. But reflashing ROM can be done in the OS (boot with kernel flag iomem=relaxed). If you have an unencrypted /boot the default GRUB-scripts works better, i e it boots automatically (using Libreboot2016).

OpenBSD guide

When installing OpenBSD on the x200, the OS was first installed on the HDD then flashed. Then, add a “/grub” directory that allows grub to automatically boot into openbsd instead of going into command line.

The manual way is to press “c” when the grub menu appears:

grub> kopenbsd (usb0,openbsd1)/6.1/amd64/bsd.rd
grub> boot

The more nicer way (as root do):

mkdir /grub && cd grub
echo '''
default=0
timeout=3

menuentry "OpenBSD"{
      kopenbsd (usb0,openbsd1)/6.1/amd64/bsd.rd
}

''' > libreboot_grub.cfg

#cat libreboot_grub.cfg
default=0
timeout=3

menuentry "OpenBSD"{
      kopenbsd (usb0,openbsd1)/6.2/amd64/bsd.rd
}


#reboot

This works very good with openbsd6.0(and 6.2), read more here(use amd64, X is not working with i386)

[update] I have run openbsd 6.2 with libreboot on thinkpad x200 for about two months now without any errors, still no update on the harddisk crypto

Building Libreboot

This script worked 2019-04, however we noted that the cryptomount program had less features in the version from Git at that time, compared to the 2016 stable release. Unlike Coreboot, this build process is fairly automated and does not present any customization choices by default

#!/bin/bash -e
cd libreboot
./download flashrom
cd flashrom
sudo apt-get install libusb-1.0-0-dev libpci-dev linux-image-$(uname -r) -y
sudo apt install make gcc pkg-config libssl1.0-dev zlib1g-dev pciutils-dev libftdi-dev libusb-dev build-essential -y
make install #does this need sudo? 
make
cd ..
#backup current rom
sudo ./flashrom  -p internal -r ~/this_is_my0.rom


#build libreboot, for the ROM

#dependencies for Debian
sudo ./oldbuild dependencies trisquel7

#download and build necessary
./download grub coreboot crossgcc seabios

./oldbuild module crossgcc
./oldbuild module grub
./oldbuild module coreboot
./oldbuild module seabios


cd resources/utilities/ich9deblob
make
cd ../../../

cd ./crossgcc/util/cbfstool/
make
cd ../../../

#BUILD COMPLETE, now fix the image
#finally build the ROM we want
./oldbuild roms withgrub x200_8mb

cp bin/grub/x200_8mb/x200_8mb_usqwerty_vesafb.rom resources/utilities/ich9deblob/x200.rom
cd resources/utilities/ich9deblob/
./ich9gen --macaddress "00:DE:AD:BE:EF:00"
dd if=ich9fdgbe_8m.bin of=x200.rom bs=1 count=12K conv=notrunc
mv x200.rom ../../../
cd ../../../

#FINALLY add or change the files in the image for customization
#./cbfstool x200.rom extract -n grub.cfg -f grubtest.cfg
#./crossgcc/util/cbfstool/cbfstool x200_other_mac.rom remove -n grubtest.cfg
#./crossgcc/util/cbfstool/cbfstool x200_other_mac.rom add -n grubtest.cfg -f grubtest.cfg -t raw

## LASTLY FLASH TO CHIP (here internally)
#sudo ./flashrom/flashrom -p internal -w x200.rom

X200

Flashing Internally

To internally flash your ROM use the kernel parameter “iomem=relaxed”. Thus, if you boot manually you would enter e g “linux=vmlinuz.. iomem=relaxed”.

Get a newer version of flashrom than in Debian repo. In my case the older version did not detect the exact chip on x200, which was fixed by getting most recent version

Note these tools are built and ready at or similar

#backup current rom
sudo ./flashrom  -p internal -r libreboot.rom 

#Optional: remove old GRUB (test) config
./cbfstool libreboot.rom remove -n grubtest.cfg
#Optional: get the new GRUB (test) config into your ROM
./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw   

#Optional: change background in GRUB menu (dest must be called background.png /jpg)
#./cbfstool yourrom.rom remove background.png -n background.png
#./cbfstool yourrom.rom add -f background.png -n background.png -t raw

sudo ./flashrom -p internal -w libreboot.rom #updated image

KGPE-D16

General

Note these bugs and fixes were tested 2017 with the stable release Libreboot-20160907.

  • Do NOT use cheap Chinese 12v connectors, they will melt!
  • RAM is sensitive, less is more likely to work. See coreboot wiki for working configurations
  • RAM order is important, see motherboard manual
  • Use 62xx-series CPUs, because Libreboot does not update (proprietary) microcode. However, this is up to you (we have not tried though). (See Libreboot)
  • Internal GPU works (for text mode only), note the hardware jumper (see motherboard manual)
  • North bridge (?) gets hot
  • A system with 2x 6276 CPUs draws between 200 and 400 watt, depending on the workload.
  • There are two ethernet ports and one IPMI (not used)
  • Hardware jumpers for GPU, ethernet etc.
  • Note: It might be necessary to have a dedicated sound card or graphics card, if those features are desired.

Using

  • GRUB is recommended. But SeaBIOS has worked better when booting from CD-ROM or USB.
  • When booting from USB, connect the USB-stick NOT BEFORE GRUB menu is shown.
  • If problems booting, disconnect power and remove CMOS battery for a couple of seconds.
  • The default script in GRUB does not work with encrypted boot-partition (can manually boot).
  • When booting from GRUB, you might want to use “load config from external device” instead of “boot USB”. Recommended when booting LiveCDs etc., if you dont have any particular configuration locally.

Quirks

  • In GRUB the USB keyboard is unusably slow. Fix: always have a PS/2 keyboard connected, but use the USB keyboard.
  • In earlier versions of Libreboot the boot process could take up to five minutes (!), be patient.
  • If you can’t boot: reset CMOS (battery and power), make sure your graphic output correctly set (jumper on board). Otherwise, it is most likely a memory or ROM-image problem. You can use a serial cable to debug and get an idea about the issue.
  • When I had major problems booting I had some help by sound cues and measuring current power draw, to recognize when the boot would likely fail (if you cannot use serial cable). When booting successfully the system (1x 6276, 32GB) drew 180->200->218->166w (GRUB), otherwise it had a different behavior. Furthermore, after disconnecting the power the system would never boot without also clearing CMOS. The system would get stuck and the fans would always go high. While in a healthy boot would start fans low and then ramp up when starting GRUB and then stay there (fans connects to board directly). These sound cues were useful as you can be quite sure the system booted successfully without having any graphic output. In some configurations the fans will always be low and the system fail to boot, which would also overheat the already stuck system (!), thus you might want to power the fans with PSU instead of board.

Our Systems

Debian Stretch

1x 6276 CPU

2x 16GB 1600Mhz Reg-ECC MT36JSF2G72PZ-1G6E1LG (HP: 672612-081) max 32GB/CPU!

Nvidia GTX 660, Nouveau drivers but crashes when playing videos. Probably my fault however.

For one example software config, see: https://github.com/Eliot-Roxbergh/dotFIles/

Flashing

Buy a couple of flash chips in case of you breaking them, and to test different payloads. Furthermore, one could buy a proprietary chip just to debug the hardware.

D16-chip

Beagleboard Black P9 connector

PLEASE JUST POMONA HOLDER INSTEAD but should be correctly connected 1

PLEASE JUST POMONA HOLDER INSTEAD but should be correctly connected 2

PLEASE JUST POMONA HOLDER INSTEAD but should be correctly connected 3

Div pics a, Div pics b, Div pics c, Div pics d, Div pics e, Div pics f

We recommend SPI-speed set to 2048. (spi=2048)

Use a holder for the ROM, do not solder. Use a female-male cable when connecting to BBB (or other board). According to Libreboot IRC shorter cables are NOT necessarily better. I found no cable length to be optimal (~5/10/20 cm), my final configuration used ~10 cm cables.

When searching through my notes I found the following from Libreboot IRC; “Try different cables max 30 cm long, add 50 ohm resistors in series and keep trying. While 1: flashrom -c ‘your chip’ #Should be constant”

ROM-holder (eg.): 3M IC test socket, DIP 18, 218-3341-00-0602J

ROM-chip (eg.): Winbond W25Q16DV (if ROM too small can extend, see: Extend 2MB ROM to 8MB)

1 CS          -> 17 SPIO_CSO
2 DO  (IO1)   -> 21 SPIO_DO
3 /WP (IO2)   -> 3.3V
4 GND         -> GND

8 VCC         -> 3.3V
7 /HOLD (IO3) -> 3.3V
6 CLK         -> 22 SPIO_SCLK
5 DI (IO0)    -> 18


#remember to backup current image if you'd like
#can read current contents a nr of times and they should be the same
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory1.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory2.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory3.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory4.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory5.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory6.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory7.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory8.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory9.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory10.rom
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory11.rom
sha512sum factory*.rom #they _should_ be the same

#Flash ROM (can try different speeds), choose an appropriate ROM (keyboard layout, GRUB/Seabios)
./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -w ~/libreboot_r20160907_grub_kgpe-d16/kgpe-d16_svenska_txtmode.rom

## NOTE ##
# In my case (KGPE-D16) it was somewhat difficult - seemingly at random - to achieve a configuration such as read and write had good reliability.
# Furthermore, writing had good success rate while reading was more error prone.
# Thus, it is possible to write to the ROM and read (e.g.) 10 times and compare the resulting `sha512sum` to that of the ROM downloaded from Libreboot.
# If the sum EXACTLY matches atleast once, it is reasonable to assume that the write indeed succeeded (we believe).

Extend 2MB ROM to 8MB

Here is the script we use to flash 8mb chip

root@beaglebone:~# cat flashme_8mb.sh 
echo 'Creating a 8mb Libreboot Rom'
echo 'creating the file /home/flashing_d16/libreSept16/8mb_free.rom'
echo 'dd ing'
touch /home/flashing_d16/libreSept16/8mb_free.rom
echo ' ' > /home/flashing_d16/libreSept16/8mb_free.rom
echo 'Zeros then image'
dd if=/dev/zero bs=6144k count=1 of=/home/flashing_d16/libreSept16/8mb_free.rom
echo 'Writing image'
dd if=/home/flashing_d16/libreSept16/libreboot_r20160907_grub_kgpe-d16/kgpe-d16_svenska_txtmode.rom >> /home/flashing_d16/libreSept16/8mb_free.rom 
ls -lah /home/flashing_d16/libreSept16/8mb_free.rom  
echo 'Its flashing time'
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -w /home/flashing_d16/libreSept16/8mb_free.rom
echo 'everything is done'
echo 'plz verify'
echo '
cd directory-with-size
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory1.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory2.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory3.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory4.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=1024 -r factory5.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory6.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory7.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=256 -r factory8.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory9.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory10.rom
/home/flashing_d16/libreSept16/libreboot_r20160907_util/flashrom/armv7l/flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048 -r factory11.rom
sha512sum factory*.rom
'

Coreboot

Fria wifi

Note that many systems come with proprietary wifi, e g the X200 laptop or the S3 phone. In these cases another wifi chip is needed, either external (micro/)USB or internal.

For hardware recommendations see rekommenderat.

Fria mobilen

NEVER HAVE GOOGLE SERVICES ON YOUR PRIMARY PHONE, REGARDLESS OF THE FIRMWARE SITUATION. At most have a seperate phone for this.

Sadly phones are proprietary devices that track you. Nevertheless, Replicant are good but slow. An interesting phone in development is Librem 5 (Q1 2019). For more hardware recommendations see rekommenderat.

We have some experience with Replicant, guides coming (TODO!).