~hacktivista/hackware-boot

Boot setup for Hackware computers

#Hackware-boot

An easy-to-use and reasonably secure source-based coreboot setup.

#Why?

At hacktivista.com, we needed a coreboot setup we could hack easily for the laptops we sell.

We ended up with a very robust and easy-to-use coreboot setup that uses GRUB as its primary payload, works dynamically for end users, and can be configured to be reasonably safe against physical attacks.

#Caveats

Works on Debian only (I use it on an LXD container).

It only works for X230 and X230t laptops and CH341a SPI flashers, but support for other ThinkPad laptops and other flashers is easy to add, and will be added over time.

#Included payloads

  • GRUB
  • SeaBIOS
  • iPXE
  • nvramcui
  • coreinfo

#Security measures

  • Updates the EC firmware prior to SPI flashing
  • Trims and disables Intel ME
  • Easily configures the firmware's GRUB to load only trusted kernels, through hwbtool

#Requirements

  • A Debian GNU/Linux system
  • An empty USB drive
  • A CH341a SPI programmer (we use this one; make sure to use it at 3.3 V)
  • A SOIC-8 or SOIC-16 clip (depending on your laptop)
  • Dupont test clamps, or some other Dupont cables that can connect to the clip
  • The laptop you want to flash
  • Some time

#How?

  1. git clone this repo
  2. cd to this repo
  3. Probably change CONFIG_PXE_ROM_ID in <board-dir>/defconfig
  4. Run ./<board-dir>/flash_ec_firmware.sh and follow instructions
  5. Run ./<board-dir>/flash_spi.sh and follow instructions
  6. Install your GNU/Linux distro (we have instructions, currently in Spanish only)
  7. Optionally run hwbtool

That's it!
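For step 3, an added example (not part of this repository) of deriving the CONFIG_PXE_ROM_ID value and writing it into a defconfig. It assumes the option takes the wired NIC's PCI `vendor,device` pair, as coreboot's Kconfig string option does, and that `lspci -nn` is run on the laptop to be flashed rather than on the build host or container; the function names and the sample `lspci` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive CONFIG_PXE_ROM_ID from `lspci -nn` output.

# Constructed sample of `lspci -nn` output (not captured from a real machine).
SAMPLE_LSPCI='00:02.0 VGA compatible controller [0300]: Intel Corporation Graphics Controller [8086:0166] (rev 09)
00:19.0 Ethernet controller [0200]: Intel Corporation 82579LM Gigabit Network Connection [8086:1502] (rev 04)
03:00.0 Network controller [0280]: Intel Corporation Centrino Advanced-N 6205 [8086:0085] (rev 34)'

# Read `lspci -nn` text on stdin and print "vendor,device" (lowercase hex)
# for every Ethernet controller (PCI class 0200), one per line.
pxe_rom_ids() {
    sed -n 's/.*\[0200]:.*\[\([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\)].*/\1,\2/p' |
        tr 'A-F' 'a-f'
}

# Print the ID only when exactly one wired NIC is present; with none or
# several the value cannot be chosen automatically, so fail and say why.
pick_pxe_rom_id() {
    ids=$(pxe_rom_ids)
    n=$(printf '%s' "$ids" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one Ethernet controller, found $n" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Replace (or append) the CONFIG_PXE_ROM_ID line in a defconfig file.
# usage: set_pxe_rom_id <defconfig> <vendor,device>
set_pxe_rom_id() {
    file=$1 id=$2
    echo "$id" | grep -Eq '^[0-9a-f]{4},[0-9a-f]{4}$' ||
        { echo "not a vendor,device pair: $id" >&2; return 1; }
    if grep -q '^CONFIG_PXE_ROM_ID=' "$file"; then
        sed "s/^CONFIG_PXE_ROM_ID=.*/CONFIG_PXE_ROM_ID=\"$id\"/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf 'CONFIG_PXE_ROM_ID="%s"\n' "$id" >> "$file"
    fi
}

# Demo on the constructed sample. On the target laptop you would run:
#   lspci -nn | pick_pxe_rom_id
printf '%s\n' "$SAMPLE_LSPCI" | pick_pxe_rom_id
```

The wireless card (class 0280) is deliberately ignored, since only the wired NIC's ID is printed.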

#Libreboot support

We also support the setup of T400 and T500 laptops with binary Libreboot ROMs. Simply run ./libreboot-flash_spi.sh <t400|t500>.

On Libreboot, no secondary payloads other than SeaBIOS are supported, and neither is simplified full disk encryption.

Here is documentation on how to update the EC firmware prior to Libreboot installation, which is recommended.

#Contributing

Source code is available on https://git.hacktivista.org/hackware-boot.

Bug reports and patches are welcome on https://lists.hacktivista.org/hacktivista-dev.

#Reciprocity

If you profit from this software or from a derivative of it, please remember to give back.

In order to increase awareness and create a saner socioeconomic system for libre software, I'm providing "reciprocity certificates" that will allow your clients and friends to know that you are contributing back instead of just free riding. To support our work and receive your certificate, go to https://hacktivista.org/reciprocity.

#License

This project's code is released under the GPL version 2 or "at your option" any later version.

This is done for compatibility with coreboot's license (GPL 2 only) and Libreboot's license (GPLv3 or later). Maybe the safest for you is to consider the parts of this setup as licensed under the conditions of the software they are based on. If you have other suggestions regarding this copy-mess, please let me know.

Documentation - that is .md files and links to hacktivista.com or hacktivista.org that explain how to do things related to this software - is released under the CC0.