| Last updated: December 2016 |
|---|
| There have been updates to Heads and Heads documentation since this guide was created. Please first review Heads documentation: http://osresearch.net |
- Raspberry Pi 3 Model B
- micro-USB cable for powering the Raspberry Pi
- USB keyboard
- USB mouse
- HDMI cable + monitor
- female-to-female jumper wires
- Pomona 8-SOIC chip clip
- Thinkpad x230
- power cable
- (optional) ethernet cable
- (optional) device with live ethernet port
- Build Heads
- Install Qubes OS on to-be-flashed x230
- Set-up Raspberry Pi
- Install Flashrom
- Connect Pomona clip to Raspberry Pi
- Prepare x230 and expose BIOS chip
- Connect Pomona clip to MX25L3206E chip
- Set up appropriate power for Raspberry Pi and x230 board for chip
- Backup existing BIOS
- Flash Heads on an x230
- Neutering ME
- Add Xen to boot
- Configuring the TPM
- TODO
- Appendix: Running Qubes
in dedicated Fedora 23 heads qube:
- increase size of qube to
5120 MB sudo dnf install @development-tools bison clang flex m4 zlib zlib-devel perl-Digest perl-Digest-MD5 patch uuid-devel elfutils-libelf-devel- Download Heads
- unzip if necessary
- Read Running Qubes section, as you will probably need to change some aspects of
heads/initrd/bin/start-xenprior to building Heads in the next step - build Heads
- run
makein heads folder
x230.romcreated
If your build runs into errors of the file being too large, edit the makefile following this comment
- comment out the line
initrd_bins += initrd/bin/dmsetupso:#initrd_bins += initrd/bin/dmsetup
Follow the official instructions for installing Qubes on the to-be-flash x230. Installing Qubes after you have flashed the x230 is more difficult currently.
- install Raspbian
- Enable SPI by Start Menu > Preferences > Raspberry Pi Configuration, select Interfaces, then select Enabled for SPI. or through command line with
sudo raspi-config, enable SPI under Advanced and then spidev will be enabled.
sudo apt-get updatesudo apt-get install libusb-1.0- download latest stable version of Flashrom and its associated signature
- download coreboot/flashrom developer keys:
gpg --recv-keys 0x45D34CCF6785FC01 0x918F0230023DF00B - verify flashrom
gpg --verify flashrom-0.9.9.tar.bz2.asc flashrom-0.9.9.tar.bz2 - extract
tar -xf flashrom-0.9.9.tar.bz2 cd flashrommake
turn off raspberry pi
Looking at the Raspberry Pi with USB ports facing you/down, the expansion headers are on your upper right of the board. Counting the header numbers goes Left-to-Right, then Up-to-Down. So:
| left | right |
|---|---|
| 1 | 2 |
| 3 | 4 |
| 5 | 6 |
| etc. |
Following the Raspberry Pi SPI header instructions, connect the jumper wires to the following headers: 19, 21, 23, 24, 25.
Now looking at the Pomona 8-SOIC clip, these wires will go:
| left | right |
|---|---|
| 19 | 25 |
| 23 | empty |
| empty | 21 |
| empty (or 17 if powering from RPi) | 24 |
Before disassembling the x230, we can go into the BIOS to enable a few options we need. We can do this after disasssmblying the x230 as well.
In the x230, go into BIOS (enter on boot, then F1) and go to:
- Network > enable Wake on LAN (Ethernet LAN Option ROM can stay disabled)
- (optional) USB > Always on USB Charge in Off Mode (to power RPi -- this did not work for me but you can try)
Now unplug the x230, remove the battery, and disassemble the thinkpad:
Flip up the retainer and pull blue tab.
Inspect the type of flashchip on the motherboard, the x230 should have a Marconix MX25L3206E (where BIOS is) and MX25L6406E (where ME is).
we are interested in the MX25L3206E, which is "above" the other chip, closer to the screen. It should look like the following:
- from page 7
Using a magnified glass or the aid of your cellphone "torch/flashlight", confirm the dot on the chip is away from the screen closer to you on your x230. This means ground (GND) is the upper-right connection if you are facing the x230, so the diagram above should be rotated 180 degrees to accurately represent your perspective of the chip).
Attach the Pomona clip to the MX25L3206E chip, with GND to the upper-right.
| left | right |
|---|---|
| SI/SIO0 | GND |
| SCLK | empty |
| empty | SO/SIO1 |
| empty (or VCC if powering from RPi) | CS# |
which is:
| left | right |
|---|---|
| 19 | 25 |
| 23 | empty |
| empty | 21 |
| empty (or 17 if powering from RPi) | 24 |
While it is recommended to power the Raspberry Pi through to-be-flashed x230, I was unable to do so (the Raspberry Pi did not turn on). I was able to power the Raspberry Pi by connecting it to a wall outlet via the micro-USB cable. You should test out powering the RPi with the Pomona Clip detached from the x230, so that you are just booting the RPi, and you can see whether or not it is receiving adequate power. If on boot there is a yellow lightning bolt in the upper right corner that means that your RPi is not receiving enough power -- try a different (shorter) micro-USB cable, try a wall outlet rather than plugging it into a computer.
If you are interested in ME Neutering, you need to power the board through the RPi, the Wake-on-LAN strategy described below will not work.
Ensure that the x230 is off, battery removed, and AC power is unplugged. Attach the additional jumper wire between the Pomona Clip and RPi, attach the Clip to the appropriate chip and then power on the RPi.
You should have already gone into the x230 BIOS to enable Wake on LAN. With the x230 battery removed, plug in AC power and connect the x230 to a live ethernet connection via the ethernet cable. "live" just means that the computer (or wall socket) it is connected to is on. The green RJ45 (ethernet) light should turn on, signaling that the board is powered. The computer itself should remain off (no BIOS screen, etc).
Wake-on-LAN is the preferred method to power the board that the chip is on, the alternative is powering the board from the Raspberry Pi itself, this is not recommended by experts. However, this Wake-on-LAN strategy relies on ME functionality that will be removed by the ME Neutering.
from:
- https://www.bios-mods.com/forum/Thread-REQUEST-Lenovo-Thinkpad-X230-Whitelist-removal?pid=91134#pid91134
- https://www.bios-mods.com/forum/Thread-REQUEST-Lenovo-Thinkpad-X230-Whitelist-removal?pid=91787#pid91787
Check that it can be read successfully:
./flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512
You should receive an output listing the chip name (for instance, Found Macronix flash chip "MX25L3206E/MX25L3208E" or Found Micron/Numonyx/ST flash chip "N25Q064..3E"). This depends on when the x230 was manufactured.
If you cannot read the chip and receive an error similar to "no EEPROM Detected" or "0x0 Chip detected" then you may want to ensure you Raspberry Pi has adequate power (the flashing yellow lightning bolt in the upper-right means it is not being provided sufficient power). You can try switching the two pins 19 and 21.
./flashrom -c "MX25L3206E/MX25L3208E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r backup1.rom
Run the flashrom command again to make a second dump:
./flashrom -c "MX25L3206E/MX25L3208E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r backup2.rom
Now run diff to see if they match:
diff backup1.rom backup2.rom
If you receive no output, they match. Alternatively, you can take a sha512sum, sha1sum, or md5sum of the files to confirm they match:
sha512sum backup*.rom
You may try and flash Heads now.
./flashrom -c "MX25L3206E/MX25L3208E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w /path/to/x230.rom
When you get the message Verifying flash... Verified you have succeeded!
Download the ME Cleaner python script.
attach Pomona clip to MX25L6406E, which is further from the screen and closer to you.
./flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r me-backup1.rom./flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r me-backup2.rom
Now run diff to see if they match:
diff me-backup1.rom me-backup2.rom
If you receive no output, they match. Alternatively, you can take a sha512sum, sha1sum, or md5sum of the files to confirm they match:
sha512sum me-backup*.rom
clean a copy
python ./me-cleaner.py me-backup1.rom- rename
me-backup1.romtome-cleaned.romfor sanity
flash to board
./flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w /path/to/me-cleaned.rom
- http://hardenedlinux.org/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html
- https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
make xen.intermediate- extract
xen-4.6.3.gzwhich should get you a filexen - copy
xento USB and note the filesystem of the USB (if NTFS reformat to ext4, Heads can't mount NTFS) - plug USB into Heads machine
mkdir /tmp/usbmount /dev/sdbX /tmp/usbchange "X" to the number of your USB partition (most likely/dev/sdb1)mount -o rw /dev/sda1 /bootcp /tmp/usb/xen /bootumount /tmp/usbumount /boot
see (https://trmm.net/Installing_Heads#Configuring_the_TPM)
tpm physicalpresence -stpm physicalenabletpm physicalsetdeactivated -ctpm forceclear(if you get an errorTPM deactivated, try rebooting to fix the state)tpm physicalenabletpm takeclear -pwdo OWNER_PASSWORD(should betakeown, related bug/bin/sealtotp.sh- scan QR code
- test with
unsealtotp.sh
If you are finding the codes do not match, confirm the right time on your machine:
date -ushould give you UTC time,dateshould give you your local time. If it doesn't:export TZ=TIMEZONE
here is a list of timezones, I had success with the UCT# format. also: https://unix.stackexchange.com/questions/71860/correct-use-of-tz-date-and-hwclock
- https://github.com/osresearch/heads/wiki/Installing-Heads#installing-extra-software
- https://github.com/osresearch/heads/wiki/Installing-Heads#read-only-root
- https://github.com/osresearch/heads/wiki/Installing-Heads#hashing-the--partition-and-setting-up-dm-verity
- https://github.com/osresearch/heads/wiki/Installing-Heads#signing-boot
Things that may need to be modified in the Makefile prior to build (unless you want to edit /bin/start-xen every boot...):
- https://trmm.net/Installing_Heads#Adding_your_PGP_key
- change:
--module "${KERNEL} root=/dev/mapper/qubes_dom0-root rhgb" \to--module "${KERNEL} root=/dev/mapper/qubes_dom0-root rhgb" \(see: ticket) XEN=/boot/xen(see ticket)