From 8b2219bfa2da36e7809588ef723a10483a6e137f Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Wed, 05 Nov 2014 20:52:36 -0500 Subject: Documentation: *major* cleanup. Cleanup was long overdue. Old structure was messy and inefficient. --- (limited to 'docs/howtos') diff --git a/docs/howtos/cbfstool_libreboot5_strace b/docs/howtos/cbfstool_libreboot5_strace deleted file mode 100644 index 7e3794f..0000000 --- a/docs/howtos/cbfstool_libreboot5_strace +++ /dev/null @@ -1,48 +0,0 @@ -# strace ./cbfstool coreboot.rom add -n grub.cfg -f grub.cfg -t raw -execve("./cbfstool", ["./cbfstool", "coreboot.rom", "add", "-n", "grub.cfg", "-f", "grub.cfg", "-t", "raw"], [/* 25 vars */]) = 0 -brk(0) = 0x9577000 -access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) -mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f6000 -access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) -open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=94605, ...}) = 0 -mmap2(NULL, 94605, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76de000 -close(3) = 0 -access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) -open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 -read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232\1\0004\0\0\0"..., 512) = 512 -fstat64(3, {st_mode=S_IFREG|0755, st_size=1775080, ...}) = 0 -mmap2(NULL, 1784604, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb752a000 -mmap2(0xb76d8000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ae) = 0xb76d8000 -mmap2(0xb76db000, 11036, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76db000 -close(3) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7529000 -set_thread_area({entry_number:-1 -> 6, base_addr:0xb7529900, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 -mprotect(0xb76d8000, 8192, PROT_READ) = 0 -mprotect(0x8067000, 4096, PROT_READ) = 0 -mprotect(0xb7719000, 4096, PROT_READ) = 0 -munmap(0xb76de000, 94605) = 0 -brk(0) = 0x9577000 -brk(0x9598000) = 0x9598000 -open("grub.cfg", O_RDONLY) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=810, ...}) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f5000 -fstat64(3, {st_mode=S_IFREG|0644, st_size=810, ...}) = 0 -_llseek(3, 0, [0], SEEK_SET) = 0 -read(3, "set default=\"0\"\nset timeout=1\nse"..., 810) = 810 -_llseek(3, 810, [810], SEEK_SET) = 0 -close(3) = 0 -munmap(0xb76f5000, 4096) = 0 -open("coreboot.rom", O_RDONLY) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=2097152, ...}) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f5000 -fstat64(3, {st_mode=S_IFREG|0644, st_size=2097152, ...}) = 0 -_llseek(3, 2097152, [2097152], SEEK_SET) = 0 -_llseek(3, 0, [0], SEEK_SET) = 0 -mmap2(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7328000 -read(3, "LARCHIVE\0\0\6\30\0\0\1\252\0\0\0\0\0\0\0(cmos_lay"..., 2097152) = 2097152 -close(3) = 0 -munmap(0xb76f5000, 4096) = 0 ---- SIGSEGV (Segmentation fault) @ 0 (0) --- -+++ killed by SIGSEGV +++ -Segmentation fault diff --git a/docs/howtos/configuring_parabola.html b/docs/howtos/configuring_parabola.html deleted file mode 100644 index 56c5420..0000000 --- a/docs/howtos/configuring_parabola.html +++ /dev/null @@ -1,784 +0,0 @@ - - - - - - - - - Configuring Parabola (post-install) - - - -
-

Configuring Parabola (post-install)

- -
- -
- -

Table of Contents

- - -
- -

- While not strictly related to the libreboot project, this guide - is intended to be useful for those interested in installing - Parabola on their libreboot machine. This is also beneficial because development - is now being done on Parabola, where Trisquel is no longer used by the maintainer - at the time of writing. -

- -

- It details configuration steps that I took after installing the base system, - as a follow up to encrypted_parabola.html. - This guide is likely to become obsolete at a later date (due to the volatile - 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. -

- -

- - This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch - with the libreboot project! - -

- -

- You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible. - The aim here is to provide a common setup that most users will be happy with. While Parabola - can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide - all of the same usability as Trisquel, without hiding any details from the user. -

- -

- Paradoxically, as you get more advanced Parabola can actually become easier to use - when you want to setup your machine in a special way compared to what most distributions provide. - You will find over time that other distributions tend to get in your way. -

- -

- - This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, - then this guide is highly recommended! - -

- -

- A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. - Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries - to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. - It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, - especially for new users. -

- -

- The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), - and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the - Arch wiki. -

- -

- Some of these steps require internet access. I'll go into networking later but for now, I just connected - my machine to a switch and did:
- # systemctl start dhcpcd.service
- You can stop it later by running:
- # systemctl stop dhcpcd.service
- For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
- Setup network connection in Parabola -

- -
- -

Configure pacman

-

- pacman (package manager) is the name of the package management system in Arch, which Parabola - (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, - this can be used to add/remove and update the software on your computer. -

-

- Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman - and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this, - it's very important) and - https://wiki.parabolagnulinux.org/Official_Repositories -

-

- Back to top of page. -

-

Updating Parabola

-

- In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:
- # pacman -Syy
- (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, - which can be useful when switching to another mirror).
- Then, update the system:
- # pacman -Syu -

-

- - Before installing packages with 'pacman -S', always update first, using the notes above. - -

-

- Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages - about maintenance steps that you will need to perform with certain files (typically configurations) - after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. - If a new kernel is installed, you should also update to be able to use it (the currently running kernel will - also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a - rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This - is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. - A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, - and more maintenance work. -

-

- The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). Parabola's - IRC channel (#parabola on freenode) can also help you. -

-

- Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time - in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event, - like a presentation or sending an email to an important person before an allocated deadline, and so on. -

-

- Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories - exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, - so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in - the rare event that they do occur. -

-

- Back to top of page. -

-

Maintaining Parabola

-

- Parabola is a very simple distro, in the sense that you are in full control - and everything is made transparent to you. One consequence is - that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done - with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro - on another computer, for example). -

-

- Back to top of page. -

-

Cleaning the package cache

-

- - The following is very important as you continue to use, update and maintain your Parabola system:
- https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache. - Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache - of old package information, updated automatically when you do anything in pacman). -
-

-

- To clean out all old packages that are cached:
- # pacman -Sc -

-

- The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, - if you encounter issues and want to revert back to an older package then it's useful to have the caches available. - Only do this if you are sure that you won't need it. -

-

- The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:
- # pacman -Scc
- This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used - when disk space is at a premium. -

-

- Back to top of page. -

-

pacman command equivalents

-

- The following table lists other distro package manager commands, and their equivalent in pacman:
- https://wiki.archlinux.org/index.php/Pacman_Rosetta -

-

- Back to top of page. -

- -

your-freedom

-

- your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages - from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola - wiki for migrating - converting - an existing Arch system to a Parabola system), installing - your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution - is then to delete the offending packages, and continue installing your-freedom. -

-

- Back to top of page. -

- -
- -

Add a user

-

- Based on https://wiki.archlinux.org/index.php/Users_and_Groups. -

-

- It is important (for security reasons) to create and use a non-root (non-admin) user account for every day use. The default 'root' account is intended - only for critical administrative work, since it has complete access to the entire operating system. -

-

- Read the entire document linked to above, and then continue. -

-

- Add your user:
- # useradd -m -G wheel -s /bin/bash yourusername
- Set a password:
- # passwd yourusername -

- -

Back to top of page

- -
- -

systemd

-

- This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. - Read https://wiki.archlinux.org/index.php/systemd - and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage - to gain a full understanding. This is very important! Make sure to read them. -

-

- An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. -

-

- https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains - the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. -

- -

- The manpage should also help:
- # man systemd
- The section on 'unit types' is especially useful. -

- -

- According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. - on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the - log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki - recommends 50MiB). -

-

- Open /etc/systemd/journald.conf and find the line that says:
- #SystemMaxUse=
- Change it to say:
- SystemMaxUse=50M -

-

- The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, - and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. -

-

- Restart journald:
- # systemctl restart systemd-journald -

- -

- The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/* - but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically - start to delete older records when the journal size reaches it's limit (according to systemd developers). -

- -

- Finally, the wiki mentions 'temporary' files and the utility for managing them.
- # man systemd-tmpfiles
- The command for 'clean' is:
- # systemd-tmpfiles --clean
- According to the manpage, this "cleans all files and directories with an age parameter". - According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ - to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations - to get a better understanding. -

-

- I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. - The first one was etc.conf, containing information and a reference to this manpage:
- # man tmpfiles.d
- Read that manpage, and then continue studying all of the files. -

-

- The systemd developers tell me that it usually isn't necessary to touch the systemd-tmpfiles utility manually at all. -

- -

Back to top of page

- -
- -

Interesting repositories

-

- Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels - mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available - there, depending on your use case. -

-

- I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
- - [kernels]
- Include = /etc/pacman.d/mirrorlist -
-

-

- Now sync with the repository:
- # pacman -Syy -

-

- List all available packages in this repository:
- # pacman -Sl kernels -

-

- In the end, I decided not to install anything from it but I kept the repository enabled regardless. -

-

Back to top of page.

- -
- -

Setup a network connection in Parabola

-

- Read https://wiki.archlinux.org/index.php/Configuring_Network. -

-

- Back to top of page. -

-

Set the hostname

-

- This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
- # hostnamectl set-hostname yourhostname
- This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
- # man hostname
- # info hostname
- # man hostnamectl -

-

- Add the same hostname to /etc/hosts, on each line. Example:
- - 127.0.0.1 localhost.localdomain localhost myhostname
- ::1 localhost.localdomain localhost myhostname -
-

-

- You'll note that I set both lines; the 2nd line is for IPv6. More and more ISP's are providing this now (mine does) - so it's good to be forward-thinking here. -

-

- The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base). -

-

- Back to top of page. -

-

Network Status

-

- According to the Arch wiki, udev should already detect the ethernet chipset - and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section - when running this command:
- # lspci -v -

-

- Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
- - Kernel driver in use: e1000e
- Kernel modules: e1000e -
-

-

- Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
- # dmesg | grep e1000e -

-

Network device names

-

- According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names, - it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd - creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. - An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change. -

-

- If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends - adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the - instructions in grub_cbfs.html). -

-

- For background information, - read Predictable Network Interface Names -

-

- Show device names:
- # ls /sys/class/net -

-

- Changing the device names is possible (I chose not to do it):
- https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name -

-

- Back to top of page. -

-

Network setup

-

- I actually chose to ignore most of Networking section on the wiki. Instead, I plan to setup LXDE desktop with the graphical - network-manager client. Here is a list of network managers:
- https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers. - If you need to, set a static IP address (temporarily) using the networking guide an the Arch wiki, or start the dhcpcd service in systemd. - NetworkManager will be setup later, after installing LXDE. -

-

- Back to top of page. -

- -
- -

System Maintenance

-

- Read https://wiki.archlinux.org/index.php/System_maintenance before continuing. - Also read https://wiki.archlinux.org/index.php/Enhance_system_stability. - This is important, so make sure to read them! -

-

- Install smartmontools (can be used to check smart data - note: HDD's use non-free firmware inside, it's transparent to you - but the smart data comes from it. Therefore, don't rely on it too much):
- # pacman -S smartmontools
- Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it. -

-

- Back to top of page. -

- -
- -

Configuring the desktop

-

- Based on steps from - General Recommendations on the Arch wiki. - The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE - by default. -

-

- Back to top of page. -

- -

Installing Xorg

-

- Based on https://wiki.archlinux.org/index.php/Xorg. -

-

- Firstly, install it!
- # pacman -S xorg-server
- I also recommend installing this (contains lots of useful tools, including xrandr):
- # pacman -S xorg-server-utils -

-

- Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
- # pacman -S xf86-video-intel
- For other systems you can try:
- # pacman -Ss xf86-video- | less
- Combined with looking at your lspci output, you can determine which driver is needed. - By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. -

-

- Other drivers (not just video) can be found by looking at the xorg-drivers group:
- # pacman -Sg xorg-drivers
-

-

- Mostly you will rely on a display manager, but in case you ever want to start X without one:
- # pacman -S xorg-xinit -

-

- <optional>
-    Arch wiki recommends installing these, for testing that X works:
-    # pacman -S xorg-twm xorg-xclock xterm
-    Refer to https://wiki.archlinux.org/index.php/Xinitrc. - and test X:
-    # startx
-    When you are satisfied, type exit in xterm, inside the X session.
-    Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
- </optional> -

-

- Back to top of page. -

- -

Xorg keyboard layout

-

- Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg. -

-

- Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you - set in /etc/vconsole.conf earlier might not actually be the same in X. -

-

- To see what layout you currently use, try this on a terminal emulator in X:
- # setxkbmap -print -verbose 10 -

-

- In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. -

-

- I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard). - If you use an American keyboard (typically 104 keys) you will want to use pc104. -

-

- XkbLayout in my case would be gb, and XkbVariant would be dvorak. -

-

- The Arch wiki recommends two different methods for setting the keyboard layout:
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl. -

-

- In my case, I chose to use the configuration file method:
- Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
- - Section "InputClass"
-         Identifier "system-keyboard"
-         MatchIsKeyboard "on"
-         Option "XkbLayout" "gb"
-         Option "XkbModel" "pc105"
-         Option "XkbVariant" "dvorak"
- EndSection -
-

-

- For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then - you don't even need to do anything (though it might help, for the sake of being explicit). -

-

- Back to top of page. -

- -

Install LXDE

-

- Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight - and does everything that I need. - If you would like to try something different, refer to - https://wiki.archlinux.org/index.php/Desktop_environment -

-

- Refer to https://wiki.archlinux.org/index.php/LXDE. -

-

- Install it, choosing 'all' when asked for the default package list:
- # pacman -S lxde obconf -

-

- I didn't want the following, so I removed them:
- # pacman -R lxmusic lxtask -

-

- I also lazily installed all fonts:
- # pacman -S $(pacman -Ssq ttf-) -

-

- LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the GNU project:
- # pacman -S icecat
- And a mail client:
- # pacman -S icedove -

-

- In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report. -

-

- I also like to install these:
- # pacman -S xsensors stress htop -

-

- Enable LXDM (the default display manager, providing a graphical login):
- # systemctl enable lxdm.service
- It will start when you boot up the machine. To start it now, do:
- # systemctl start lxdm.service -

-

- Log in with your standard (non-root) user that you created earlier. - It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. - Read https://wiki.archlinux.org/index.php/Xinitrc. -

-

- Open LXterminal:
- $ cp /etc/skel/.xinitrc ~
- Open .xinitrc and add the following plus a line break at the bottom of the file.
- - # Probably not needed. The same locale info that we set before
- # Based on advice from the LXDE wiki - export LC_ALL=en_GB.UTF-8
- export LANGUAGE=en_GB.UTF-8
- export LANG=en_GB.UTF-8
-
- # Start lxde desktop
- exec startlxde
-
- Now make sure that it is executable:
- $ chmod +x .xinitrc -

-

- Back to top of page. -

- -

LXDE - clock

-

- In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S -

-

- Back to top of page. -

- -

LXDE - font

-

- NOTE TO SELF: come back to this later. -

-

- Back to top of page. -

- -

LXDE - screenlock

-

- Arch wiki recommends to use xscreensaver:
- # pacman -S xscreensaver -

-

- Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only, - setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes. -

-

- You can now lock the screen with Logout :: Lock Screen in the LXDE menu. -

-

- Back to top of page. -

- -

LXDE - automounting

-

- Refer to https://wiki.archlinux.org/index.php/File_manager_functionality. -

-

- I chose to ignore this for now. NOTE TO SELF: come back to this later. -

-

- Back to top of page. -

-

LXDE - disable suspend

-

- When closing the laptop lid, the machine suspends. This is annoying at least to me. - NOTE TO SELF: disable it, then document the steps here. -

-

- Back to top of page. -

-

LXDE - battery monitor

-

- Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add. - Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information. - Now click Close. When you hover the cursor over it, it'll show information about the battery. -

-

- Back to top of page. -

-

LXDE - Network Manager

-

- Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management. - Then I read: https://wiki.archlinux.org/index.php/NetworkManager. -

-

- Install Network Manager:
- # pacman -S networkmanager -

-

- You will also want the graphical applet:
- # pacman -S network-manager-applet
- Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop -

-

- I want to be able to use a VPN at some point, so the wiki tells me to do:
- # pacman -S networkmanager-openvpn -

-

- LXDE uses openbox, so I refer to:
- https://wiki.archlinux.org/index.php/NetworkManager#Openbox. -

-

- It tells me for the applet I need:
- # pacman -S xfce4-notifyd gnome-icon-theme
- Also, for storing authentication details (wifi) I need:
- # pacman -S gnome-keyring -

-

- I wanted to quickly enable networkmanager:
- # systemctl stop dhcpcd
- # systemctl start NetworkManager
- Enable NetworkManager at boot time:
- # systemctl enable NetworkManager -

-

- Restart LXDE (log out, and then log back in). -

-

- I added the volume control applet to the panel (right click panel, and add a new applet). - I also later changed the icons to use the gnome icon theme, in lxappearance. -

-

- Back to top of page. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/dock.html b/docs/howtos/dock.html deleted file mode 100644 index ef62e83..0000000 --- a/docs/howtos/dock.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - - Notes about DMA and the docking station (X60/T60) - - - -
-

Notes about DMA and the docking station (X60/T60)

- -
- -
-
-Use case:
----------
-Usually when people do full disk encryption, it's not really full disk,
-instead they still have a /boot in clear.
-
-So an evil maid attack can still be done, in two passes:
-1) Clone the hdd, Infect the initramfs or the kernel.
-2) Wait for the user to enter its password, recover the password,
-luksOpen the hdd image.
-
-I wanted a real full-disk encryption so I've put grub in flash and I
-have the following: The HDD has a LUKS rootfs(containing /boot) on an
-lvm partition, so no partition is in clear.
-
-So when the computer boots it executes coreboot, then grub as a payload.
-Grub then opens the LUKS partition and loads the kernel and initramfs
-from there.
-
-To prevent hardware level tempering(like reflashing), I used nail
-polish with a lot of gilder, that acts like a seal. Then a high
-resolution picture of it is taken, to be able to tell the difference.
-
-The problem:
-------------
-But then comes the docking port issue: Some LPC pins are exported
-there, such as the CLKRUN and LDRQ#.
-
-LDRQ# is "Encoded DMA/Bus Master Request": "Only needed by
-peripherals that need DMA or bus mastering. Requires an
-individual signal per peripheral. Peripherals may not share
-an LDRQ# signal."
-
-So now DMA access is possible trough the dock connector.
-So I want to be able to turn that off.
-
-If I got it right, the X60 has 2 superio, one is in the dock, and the
-other one is in the laptop, so we have:
-                            ________________
- _________________         |                |
-|                 |        | Dock connector:|
-|Dock: NSC pc87982|<--LPC--->D_LPC_DREQ0    |
-|_________________|        |_______^________|
-                                   |
-                                   |
-                                   |
-                                   |
-                ___________________|____
-               |                   v    |
-               | SuperIO:        DLDRQ# |
-               | NSC pc87382     LDRQ#  |
-               |___________________^____|
-                                   |
-                                   |
-                                   |
-                                   |
-                ___________________|___
-               |                   v   |
-               | Southbridge:    LDRQ0 |
-               | ICH7                  |
-               |_______________________|
-
-
-The code:
----------
-Now if I look at the existing code, there is some superio drivers, like
-pc87382 in src/superio/nsc, the code is very small. 
-The only interesting part is the pnp_info pnp_dev_info struct.
-
-Now if I look inside src/mainboard/lenovo/x60 there is some more
-complete dock driver:
-
-Inside dock.c I see some dock_connect and dock_disconnect functions.
-
-Such functions are called during the initialisation (romstage.c) and
-from the x60's SMI handler (smihandler.c).
-
-Questions:
-----------
-1) Would the following be sufficent to prevent DMA access from the
-outside:
-> int dock_connect(void)
-> {
->          int timeout = 1000;
-> +        int val;
-> +        
-> +        if (get_option(&val, "dock") != CB_SUCCESS)
-> +                val = 1;
-> +        if (val == 0)
-> +                return 0;
->          [...]
-> }
->
-> void dock_disconnect(void) {
-> +        if (dock_present())
-> +                return;
->          [...]
-> }
-2) Would an nvram option be ok for that? Should a Kconfig option be
-added too?
-
-> config DOCK_AUTODETECT
->         bool "Autodetect"
->         help
->           The dock is autodetected. If unsure select this option.
->
-> config DOCK_DISABLED
->         bool "Disabled"
->         help
->           The dock is always disabled.
->
-> config DOCK_NVRAM_ENABLE
->         bool "Nvram"
->         help
->           The dock autodetection is tried only if it is also enabled
-> trough nvram.
-
-
- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt - - - diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html deleted file mode 100644 index 3a1a75d..0000000 --- a/docs/howtos/encrypted_parabola.html +++ /dev/null @@ -1,577 +0,0 @@ - - - - - - - - - Installing Parabola GNU/Linux with full disk encryption (including /boot) - - - -

-

Installing Parabola GNU/Linux with full disk encryption (including /boot)

-
-
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- Boot Parabola's install environment. How to boot a GNU/Linux installer. -

- -

- For this guide I used the 2013 09 01 image to boot the live installer and install the system. -

- -

- Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel. -

- -

- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. - See this page - for more info. -

- -

- If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously - contained plaintext copies of your data. -

- -

- Wipe the MBR (if you use MBR):
- # lsblk
- Your HDD is probably /dev/sda: - # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
- Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. - This guide is for libreboot with GRUB-as-payload only. -

- -

- Securely wipe the drive:
- # dd if=/dev/urandom of=/dev/sda; sync
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, - use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended - erase block size is. For example if it was 2MiB:
- # dd if=/dev/urandom of=/dev/sda bs=2M; sync -

-

- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then - it is already 'wiped'. You should just wipe the LUKS header. - https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/ - showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
- # head -c 3145728 /dev/urandom > /dev/sda; sync
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). -

-

- - If you do plan to use an SSD, make sure to read - https://wiki.archlinux.org/index.php/Solid_State_Drives
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting - them for this guide. -
-

- -

- This guide will go through the installation steps taken at the time of writing, which may or may not change due to - the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, - please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15). -

- -

- Change keyboard layout -

-

- Parabola live shell assumes US Qwerty. If you have something different, use:
- # loadkeys LAYOUT
- For me, LAYOUT would have been dvorak-uk. -

- -

Getting started

-

- The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide. - Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first. -

- -

dm-mod

-

- device-mapper will be used - a lot. Make sure that the kernel module is loaded:
- # modprobe dm-mod -

- -

Create LUKS partition

-

- I am using MBR partitioning, so I use cfdisk:
- # cfdisk /dev/sda -

-

- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). -

-

- Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
- I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption. -

-

- Parabola forces you to RTFM. -

-

- It tells me to run:
- # cryptsetup benchmark (for making sure the list below is populated)
- Then:
- # cat /proc/crypto
- This gives me crypto options that I can use. It also provides a representation of the best way to setup LUKS (in this case, security is a priority; speed, a distant second). - To gain a better understanding, I am also reading:
- # man cryptsetup -

-

- Following that page, based on my requirements, I do the following based on - based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode. - Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. -

-

- I am initializing LUKS with the following:
- # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1 - -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password - length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. - It might take you a while to memorize a long passphrase before beginning this step. -

- -

Create LVM

-

- Now I refer to https://wiki.archlinux.org/index.php/LVM. -

-

- Open the LUKS partition:
- # cryptsetup open --type luks /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
- I'm told that the above is old syntax, which is what I did anyway. You could also try:
- # cryptsetup luksOpen /dev/sda1 lvm -

-

- Create LVM partition:
- # pvcreate /dev/mapper/lvm
- Show that you just created it:
- # pvdisplay -

-

- Now I create the volume group, inside of which the logical volumes will be created:
- # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
- Show that you created it:
- # vgdisplay -

-

- Now create the logical volumes:
- # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
- # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, - if you will be running a web/mail server then you want /var in it's own partition (so that if it fills up with logs, it won't crash your system). - For a home/laptop system (typical use case), a root and a swap will do (really). -

-

- Verify that the logical volumes were created, using the following command:
- # lvdisplay -

- -

Create / and swap partitions

-

- For the swapvol LV I use:
- # mkswap /dev/mapper/matrix-swapvol -

-

- For the rootvol LV I use:
- # mkfs.ext4 /dev/mapper/matrix-rootvol -

- -

Continue with Parabola installation

-

- Mount the root (/) partition:
- # mount /dev/matrix/rootvol /mnt
-

-

- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola - so that the guide can continue. -

-

- Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide. - I also also cross referencing https://wiki.archlinux.org/index.php/Installation_guide. -

-

- Create /home and /boot on rootvol mountpoint:
- # mkdir /mnt/home
- # mkdir /mnt/boot -

-

- The wiki says to enable the swap so that it can be detected by 'genfstab':
- # swapon /dev/matrix/swapvol -

-

- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. - I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. - Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network. - You can test to see if internet is already working by pinging a few domains. -

- -

- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- # pacman -Syy
- # pacman -Syu
- # pacman -Sy pacman (and then I did the other 2 steps above, again)
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. -

-

- <troubleshooting>
-    The following is based on 'Verification of package signatures' in the Parabola install guide.
-    Check there first to see if steps differ by now.
-    Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
-    # pacman -Sy parabola-keyring
-    It says that you you get GPG errors, it's probably an expired key so do:
-    # pacman-key --populate parabola
-    # pacman-key --refresh-keys
-    # pacman -Sy parabola-keyring
-    To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
-    Also, it says that if the clock is set incorrectly then you have to manually set the correct time
-    (if keys are listed as expired because of it):
-    # date MMDDhhmm[[CC]YY][.ss]
-    I also had to install:
-    # pacman -S archlinux-keyring
-    # pacman-key --populate archlinux
-    In my case I saw some conflicting files reported in pacman, stopping me from using it.
-    I deleted the files that it mentioned - and then it worked. Specifically, I had this error:
-    licenses: /usr/share/licenses/common/MPS exists in filesystem
-    I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
-    # pacman -Sf licenses
- </troubleshooting>
-

-

- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- # pacstrap /mnt base base-devel wpa_supplicant dialog -

- -

Configure the system

-

- From the Parabola installation guide (Arch's one was identical):
- # genfstab -p /mnt >> /mnt/etc/fstab -

-

- Chroot into new system:
- # arch-chroot /mnt -

-

- It's a good idea to have this installed:
- # pacman -S linux-libre-lts -

-

- It was also suggested that you should install this kernel (read up on what GRSEC is):
- # pacman -S linux-libre-grsec -

-

- This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels - that can be used as a fallback during updates, if a bad kernel causes issues for you. -

-

- Parabola does not have wget. This is sinister. Install it:
- # pacman -S wget -

- - -

Set a root password

-

- At the time of writing, Parabola used SHA512 by default for it's password hashing. -

-

- I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes. -

-

- Open /etc/pam.d/passwd and add rounds=65536 at the end of the uncommented 'password' line. -

-

- # passwd root
- Make sure to set a secure password! Also, it must never be the same as your LUKS password. -

- -

Extra security tweaks

-

- Based on https://wiki.archlinux.org/index.php/Security. -

-

- Restrict access to important directories:
- # chmod 700 /boot /etc/{iptables,arptables} -

-

- Lockout user after three failed login attempts:
- Edit the file /etc/pam.d/system-login and comment out that line:
- # auth required pam_tally.so onerr=succeed file=/var/log/faillog
- Or just delete it. Above it, put:
- auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
- To unlock a user manually (if a password attempt is failed 3 times), do:
- # pam_tally --user theusername --reset - What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. -

-

- Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. - If this is a single-user system, you don't really need sudo. -

- -

Unmount, reboot!

-

- Exit from chroot:
- # exit -

-

- unmount:
- # umount /mnt
- # swapoff -a -

-

- deactivate the lvm lv's:
- # lvchange -an /dev/matrix/rootvol
- # lvchange -an /dev/matrix/swapvol
-

-

- Lock the encrypted partition (close it):
- # cryptsetup luksClose lvm -

-

- # shutdown -h now
- Then boot up again. -

- -

Booting from GRUB

-

- Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional - (using those 2 underlines will boot lts kernel instead of normal). -

-

- grub> cryptomount -a (ahci0,msdos1)
- grub> set root='lvm/matrix-rootvol'
- grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- grub> initrd /boot/initramfs-linux-libre-lts.img
- grub> boot
-

-

- You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img -

- -
- -

Modify grub.cfg inside the ROM

- -

- Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. - grub_cbfs.html shows you how. Follow that guide, using the configuration details below. -

-

- Inside the 'Load Operating System' menu entry, change the contents to:
- - cryptomount -a (ahci0,msdos1)
- set root='lvm/matrix-rootvol'
- linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- initrd /boot/initramfs-linux-libre-lts.img -
-

- -

- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. - You could also copy the menu entry and in one have -lts, and without in the other menuentry. - You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img -

- -

- Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. -

- -

- Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: -

-
set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
- -

- Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. - Change root on both of those 2 lines to whatever you want. -

- -

- Start dhcp on ethernet:
- # systemctl start dhcpcd.service - This is just for the step below. I won't cover network configuration here. That is for another Parabola article. -

- -

- The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile, - like so:
- # pacman -S grub -

- -

- GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash - by entering your chosen password at the prompt, when running this command:
- # grub-mkpasswd-pbkdf2 -

- -

- It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. - Use it to replace the default hash mentioned above. -

- -

- With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. - This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. -

- -

- You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
- # pacman -S base-devel -

- -

- For flashing the modified ROM, I just used flashrom from the Parabola repo's:
- # pacman -S flashrom
- I also installed dmidecode:
- # pacman -S dmidecode -

- -

- When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility; - GRUB is already part of libreboot, flashed alongside it as a payload):
- # pacman -R grub -

- -
- -

- If you followed all that correctly, you should now have a fully encrypted Parabola installation. - This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest - (desktop, etc). -

- -
- -

Further security tips

-

- https://wiki.archlinux.org/index.php/Security.
- https://wiki.parabolagnulinux.org/User:GNUtoo/laptop -

- -
- -

Follow-up tutorial: configuring Parabola

-

- configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic - system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. - Parabola is user-centric, which means that you are in control. For more information, read The Arch Way - (Parabola also follows it). -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html deleted file mode 100644 index 7599e02..0000000 --- a/docs/howtos/encrypted_trisquel.html +++ /dev/null @@ -1,316 +0,0 @@ - - - - - - - - - Installing Trisquel GNU/Linux with full disk encryption (including /boot) - - - -
-

Installing Trisquel GNU/Linux with full disk encryption (including /boot)

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. -

- -

- This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer. -

- -

- Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols). -

- -

- when the installer asks you to setup - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'. -

- -

- - Your user password should be different than the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - -

- -

Partitioning

- -

Choose 'Manual' partitioning:

- - -

Further partitioning

- -

- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. -

- - -

Kernel

- -

- Installation will ask what kernel you want to use. linux-generic is fine. -

- -

Tasksel

- -

- Choose "Trisquel Desktop Environment" if you want GNOME, - "Trisquel-mini Desktop Environment" if you - want LXDE or "Triskel Desktop Environment" if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. -

- -

Postfix configuration

- -

- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.) -

- -

Install the GRUB boot loader to the master boot record

- -

- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. -

- -

- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly. -

- -

Clock UTC

- -

- Just say 'Yes'. -

- -

- Booting your system -

- -

- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. -

- -

- Do that:
- grub> cryptomount -a (ahci0,msdos1)
- grub> set root='lvm/buzz-distro'
- grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
- grub> initrd /initrd.img
- grub> boot -

- -

- ecryptfs -

- -

- If you didn't encrypted your home directory, then you can safely ignore this section. -

- -

- Immediately after logging in, do that:
- $ sudo ecryptfs-unwrap-passphrase -

- -

- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> -

- -

- Modify grub.cfg (CBFS) -

- -

- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. -

- -

- Modify your grub.cfg (in the firmware) using this tutorial; - just change the default menu entry 'Load Operating System' to say this inside: -

- -

- cryptomount -a (ahci0,msdos1)
- set root='lvm/buzz-distro'
- linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
- initrd /initrd.img -

- -

- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password. -

- -

- The GRUB utility can be used like so:
- $ grub-mkpasswd-pbkdf2 -

- -

- Give it a password (remember, it has to be secure) and it'll output something like:
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -

- -

- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
-

-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-		
- -

- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! -

- -

- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using this tutorial. -

- -

- Update Trisquel -

- -

- $ sudo apt-get update
- $ sudo apt-get upgrade -

- -

- Conclusion -

- -

- If you followed all that correctly, you should now have a fully encrypted system. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/grub_boot_installer.html b/docs/howtos/grub_boot_installer.html deleted file mode 100644 index 757b48f..0000000 --- a/docs/howtos/grub_boot_installer.html +++ /dev/null @@ -1,142 +0,0 @@ - - - - - - - - - Libreboot documentation: installing GNU/Linux - - - -
-

Boot a GNU/Linux installer on USB

- -
- -

Prepare the USB drive (in GNU/Linux)

- -

- Connect the USB drive. Check dmesg:
- $ dmesg
- - Check lsblk to confirm which drive it is:
- $ lsblk -

- -

- Check that it wasn't automatically mounted. If it was, unmount it. For example:
- $ sudo umount /dev/sdb*
- # umount /dev/sdb* -

- -

- dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
- $ sudo dd if=gnulinux.iso of=/dev/sdb bs=8M; sync
- # dd if=gnulinux.iso of=/dev/sdb bs=8M; sync -

- -

Booting the USB drive (in GRUB)

- -

- Boot it in GRUB using the Parse ISOLINUX config (USB) option (it's in default libreboot grub.cfg, at least). - - A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual - ISOLINUX menu provided by that distro. -

- -

- If the ISOLINUX parser won't work, then press C to get to GRUB command line.
- grub> ls
- - Get the device from above output, eg (usb0). Example:
- grub> cat (usb0)/isolinux/isolinux.cfg
- - Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.
- - If it did that, then you do:
- grub> cat (usb0)/isolinux/foo.cfg
- - And so on, until you find the correct menuentries for ISOLINUX. -

- -

- Now look at the ISOLINUX menuentry. It'll look like:
- - kernel /path/to/kernel
- append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS
-
- - GRUB works the same way, but in it's own way. Example GRUB commands:
- grub> linux (usb0)/path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS
- grub> initrd (usb0)/path/to/initrd
- grub> boot
- - Of course this will vary from distro to distro. If you did all that correctly, it should now be booting the ISO - the way you specified. -

- -

Troubleshooting

- -

- Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. - This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions - it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. -

- -

- In most cases, you should use the vesafb ROM's. Example filename: libreboot_ukdvorak_vesafb.rom. -

- -

parabola won't boot in text-mode

- -

- Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). -

- -

debian-installer (trisquel net install) graphical corruption in text-mode

-

- When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, - booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't - exist. Use that kernel parameter on the 'linux' line when booting it:
- vga=normal fb=false -

- -

- Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. -

- -

- If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. - Or, if you are booting manually (from GRUB terminal) then just add the parameters. -

- -

- This workaround was found on the page: https://www.debian.org/releases/stable/i386/ch05s04.html. - It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/grub_cbfs.html b/docs/howtos/grub_cbfs.html deleted file mode 100644 index e603247..0000000 --- a/docs/howtos/grub_cbfs.html +++ /dev/null @@ -1,408 +0,0 @@ - - - - - - - - - Libreboot documentation: GRUB menu - - - -
-

How to change your default GRUB menu

- -
- -

- Libreboot uses the GRUB payload - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. -

- -

- A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual - filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' - allows you to change the contents of the ROM image. In this case, libreboot is configured - such that the 'grub.cfg' and 'grubtest.cfg' files exists directly inside CBFS instead of - inside the GRUB payload's 'memdisk' (which is itself stored in CBFS). -

- -

- Here is an excellent writeup about CBFS (coreboot filesystem): - http://lennartb.home.xs4all.nl/coreboot/col5.html. -

- -
- -

Table of Contents

- - - -
- -

Getting started

- -

- Download the latest release from - http://libreboot.org/ -
If you downloaded from git, refer to - ../index.html#build_meta before continuing. -

- -

- Install the build dependencies. -

- -

- Back to top of page. -

- -
- -

Build 'cbfstool' from source

- -

- If you are working with libreboot_src, then you can run make command in - libreboot_src/coreboot/util/cbfstool to build the cbfstool and rmodtool - executable. -

-

- Alternatively if you are working with libreboot_bin, then you can run ./builddeps-cbfstool - command inside libreboot_bin/; a cbfstool and rmodtool - executable will appear under libreboot_bin/ -

- -

- Back to top of page. -

- -
- -

Which ROM image should I use?

- -

- You can work directly with one of the ROM's already included in the libreboot ROM archives. For the purpose of - this tutorial it is assumed that your ROM is named libreboot.rom so please make sure to adapt. -

- -

- If you want to re-use the ROM that you currently have flashed (and running) then see - ../index.html#build_flashrom - and then run:
- $ sudo ./flashrom -p internal -r libreboot.rom
- Notice that this is using "-r" (read) instead of "-w" (write). - This will create a dump (copy) of your current firmware and name it libreboot.rom. - You need to take ownership of the file. For example:
- $ sudo chown yourusername:yourusername libreboot.rom
- # chown yourusername:yourusername libreboot.rom -

- -

- If you currently have flashed a ROM image from an older version, it is recommended to update first: - basically, modify one of the latest ROM's and then flash it. -

- -

- Back to top of page. -

- -
- -

Extract grubtest.cfg from the ROM image

- -

- Display contents of ROM:
- $ ./cbfstool libreboot.rom print -

- -

- The libreboot.rom file contains your grub.cfg and grubtest.cfg files. - You should extract, modify and re-insert the copy first. grub.cfg will load first, - but it has a menu entry for switching to the copy (grubtest.cfg). - This reduces your chance of making a mistake that could make your machine unbootable (or very hard to boot). -

- -

- Extract grubtest.cfg from the ROM image:
- $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg -

- -

- Now you have a grubtest.cfg in cbfstool directory. Edit it however you wish. -

- -

- Back to top of page. -

- -
- -
- -

Example modifications for grubtest.cfg

- -

- These are some common examples of ways in which the grubtest.cfg file can be modified. -

- -

Trisquel GNU/Linux-libre

- -

- As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry: -

- - -

- ro, quiet, splash, crashkernel=384M-2G:64M,2G-:128M and - $vt_handoff can be safely ignored. -

- -

- I use this to get my partition layout:
- $ lsblk -

- -

- In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1. - Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending - on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or - (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1). - 'msdos' is GRUB's name simply because this partitioning type is traditionally used by MS-DOS. - It doesn't mean you have a proprietary OS. -

- -

- Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and - new kernel updates are provided with the version in the filename. This can make GRUB payload - a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img - so if your /boot and / are on the same partition, you can set GRUB to boot from that. - These are also updated automatically when installing kernel updates from your distributions - apt-get repositories. - - Note: when using jxself kernel releases, - these are not updated at all and you have to update them manually. - -

- -

- For the GRUB payload's grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):
- set root='ahci0,msdos1'
- linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951
- initrd /initrd.img -

- -

- Optionally, you can convert the UUID to it's real device name, for example /dev/sda1 in this case. - sdX naming isn't very reliable, though, which is why UUID is used for most distributions. -

- -

- Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks. - Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).
- $ sudo -s
- # cd /boot/
- # rm -rf vmlinuz initrd.img
- # ln -s kernel ksym
- # ln -s initrd isym
- # exit -

- -

- Replace the underlined kernel and initrd filenames above with the actual filenames, of course. -

- -

- Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:
- set root='ahci0,msdos1'
- linux /ksym root=/dev/sda2
- initrd /isym -

- -

- There are lots of possible variations so please try to adapt. -

- -

Parabola GNU/Linux-libre

- -

- You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names - are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly. -

- -
- -

- Back to top of page. -

- -
- -

Re-insert the modified grubtest.cfg into the ROM image

- -

- Delete the grubtest.cfg that remained inside the ROM:
- $ ./cbfstool libreboot.rom remove -n grubtest.cfg -

- -

- Display ROM contents and now you see grubtest.cfg no longer exists there:
- $ ./cbfstool libreboot.rom print -

- -

- Add the modified version that you just made:
- $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw -

- -

- Now display ROM contents again and see that it exists again:
- $ ./cbfstool libreboot.rom print -

- -

- Back to top of page. -

- -
- -

Test it!

- -

- - Now you have a modified ROM. Refer back to ../index.html#flashrom for information - on how to flash it. Once you have done that, shut down and then boot up with your new test configuration. - -

- -

- Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. -

- -

- - If it does not work like you want it to, if you are unsure or sceptical in any way, - then re-do the steps above until you get it right! Do *not* proceed past this point - unless you are 100% sure that your new configuration is safe (or desirable) to use. - -

- -

- Back to top of page. -

- -
- -

Final steps

- -

- Create a copy of grubtest.cfg, called grub.cfg, which is the same except for one difference: - change the menuentry 'Switch to grub.cfg' to 'Switch to grubtest.cfg' and inside it, - change all instances of grub.cfg to grubtest.cfg. This is so that the main config still - links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in - case you ever want to follow this guide again in the future (modifying the already modified config)
- $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
-

- -

- Delete the grub.cfg that remained inside the ROM:
- $ ./cbfstool libreboot.rom remove -n grub.cfg -

- -

- Display ROM contents and now you see grub.cfg no longer exists there:
- $ ./cbfstool libreboot.rom print -

- -

- Add the modified version that you just made:
- $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw -

- -

- Now display ROM contents again and see that it exists again:
- $ ./cbfstool libreboot.rom print -

- -

- - Now you have a modified ROM. Refer back to ../index.html#flashrom for information - on how to flash it. Once you have done that, shut down and then boot up with your new configuration. - -

- -

- Back to top of page. -

- -
- -

Troubleshooting

- -

- A user reported that segmentation faults occur with cbfstool - when using this procedure depending on the size of the grub.cfg being re-insterted. - In his case, a minimum size of 857 bytes was required. This could (at the time of - this release) be a bug in cbfstool that should be investigated with the coreboot - community. If cbfstool segfaults, then keep this in mind. 'strace' (or gdb? clang?) - could be used for debugging. This was in libreboot 5th release (based on coreboot - from late 2013), and I'm not sure if the issue perists in the current releases. - I have not been able to reproduce it. strace (from that user) is here: - cbfstool_libreboot5_strace. - The issue has been reported by a few users, so it does not happen all the time: - this bug (if it still exists) could (should) be reproduced. -

- -

- Back to top of page. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/t60_dev/.htaccess b/docs/howtos/t60_dev/.htaccess deleted file mode 100644 index 75da674..0000000 --- a/docs/howtos/t60_dev/.htaccess +++ /dev/null @@ -1,2 +0,0 @@ -Options +Indexes -IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* diff --git a/docs/howtos/t60_dev/0001.JPG b/docs/howtos/t60_dev/0001.JPG deleted file mode 100644 index 84d2f4f..0000000 --- a/docs/howtos/t60_dev/0001.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0002.JPG b/docs/howtos/t60_dev/0002.JPG deleted file mode 100644 index 5f8ead5..0000000 --- a/docs/howtos/t60_dev/0002.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0003.JPG b/docs/howtos/t60_dev/0003.JPG deleted file mode 100644 index 4b0826f..0000000 --- a/docs/howtos/t60_dev/0003.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0004.JPG b/docs/howtos/t60_dev/0004.JPG deleted file mode 100644 index 42d9086..0000000 --- a/docs/howtos/t60_dev/0004.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0005.JPG b/docs/howtos/t60_dev/0005.JPG deleted file mode 100644 index 8e9bce3..0000000 --- a/docs/howtos/t60_dev/0005.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0006.JPG b/docs/howtos/t60_dev/0006.JPG deleted file mode 100644 index 6371b46..0000000 --- a/docs/howtos/t60_dev/0006.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0007.JPG b/docs/howtos/t60_dev/0007.JPG deleted file mode 100644 index cedc9d9..0000000 --- a/docs/howtos/t60_dev/0007.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0008.JPG b/docs/howtos/t60_dev/0008.JPG deleted file mode 100644 index bec57a1..0000000 --- a/docs/howtos/t60_dev/0008.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0009.JPG b/docs/howtos/t60_dev/0009.JPG deleted file mode 100644 index aeeda57..0000000 --- a/docs/howtos/t60_dev/0009.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0010.JPG b/docs/howtos/t60_dev/0010.JPG deleted file mode 100644 index c776171..0000000 --- a/docs/howtos/t60_dev/0010.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0011.JPG b/docs/howtos/t60_dev/0011.JPG deleted file mode 100644 index 24cb443..0000000 --- a/docs/howtos/t60_dev/0011.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0012.JPG b/docs/howtos/t60_dev/0012.JPG deleted file mode 100644 index c719958..0000000 --- a/docs/howtos/t60_dev/0012.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0013.JPG b/docs/howtos/t60_dev/0013.JPG deleted file mode 100644 index b8ed7ee..0000000 --- a/docs/howtos/t60_dev/0013.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0014.JPG b/docs/howtos/t60_dev/0014.JPG deleted file mode 100644 index 5160dc3..0000000 --- a/docs/howtos/t60_dev/0014.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0015.JPG b/docs/howtos/t60_dev/0015.JPG deleted file mode 100644 index 0c1fd18..0000000 --- a/docs/howtos/t60_dev/0015.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0016.JPG b/docs/howtos/t60_dev/0016.JPG deleted file mode 100644 index c698be2..0000000 --- a/docs/howtos/t60_dev/0016.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0017.JPG b/docs/howtos/t60_dev/0017.JPG deleted file mode 100644 index 652a66e..0000000 --- a/docs/howtos/t60_dev/0017.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0018.JPG b/docs/howtos/t60_dev/0018.JPG deleted file mode 100644 index cf43067..0000000 --- a/docs/howtos/t60_dev/0018.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0019.JPG b/docs/howtos/t60_dev/0019.JPG deleted file mode 100644 index a75f68a..0000000 --- a/docs/howtos/t60_dev/0019.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0020.JPG b/docs/howtos/t60_dev/0020.JPG deleted file mode 100644 index 0c4f7db..0000000 --- a/docs/howtos/t60_dev/0020.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0021.JPG b/docs/howtos/t60_dev/0021.JPG deleted file mode 100644 index c7d5757..0000000 --- a/docs/howtos/t60_dev/0021.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0022.JPG b/docs/howtos/t60_dev/0022.JPG deleted file mode 100644 index 5971da2..0000000 --- a/docs/howtos/t60_dev/0022.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0023.JPG b/docs/howtos/t60_dev/0023.JPG deleted file mode 100644 index 99f67c3..0000000 --- a/docs/howtos/t60_dev/0023.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0024.JPG b/docs/howtos/t60_dev/0024.JPG deleted file mode 100644 index f89b537..0000000 --- a/docs/howtos/t60_dev/0024.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0025.JPG b/docs/howtos/t60_dev/0025.JPG deleted file mode 100644 index d6b180e..0000000 --- a/docs/howtos/t60_dev/0025.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0026.JPG b/docs/howtos/t60_dev/0026.JPG deleted file mode 100644 index c8f3299..0000000 --- a/docs/howtos/t60_dev/0026.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0027.JPG b/docs/howtos/t60_dev/0027.JPG deleted file mode 100644 index 10ab8e0..0000000 --- a/docs/howtos/t60_dev/0027.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0028.JPG b/docs/howtos/t60_dev/0028.JPG deleted file mode 100644 index 64cba1c..0000000 --- a/docs/howtos/t60_dev/0028.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0029.JPG b/docs/howtos/t60_dev/0029.JPG deleted file mode 100644 index 960ebdd..0000000 --- a/docs/howtos/t60_dev/0029.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0030.JPG b/docs/howtos/t60_dev/0030.JPG deleted file mode 100644 index 046fd00..0000000 --- a/docs/howtos/t60_dev/0030.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0031.JPG b/docs/howtos/t60_dev/0031.JPG deleted file mode 100644 index 870f22b..0000000 --- a/docs/howtos/t60_dev/0031.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0032.JPG b/docs/howtos/t60_dev/0032.JPG deleted file mode 100644 index 70ff44a..0000000 --- a/docs/howtos/t60_dev/0032.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0033.JPG b/docs/howtos/t60_dev/0033.JPG deleted file mode 100644 index 142ca97..0000000 --- a/docs/howtos/t60_dev/0033.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0034.JPG b/docs/howtos/t60_dev/0034.JPG deleted file mode 100644 index 907192e..0000000 --- a/docs/howtos/t60_dev/0034.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0035.JPG b/docs/howtos/t60_dev/0035.JPG deleted file mode 100644 index bf38c89..0000000 --- a/docs/howtos/t60_dev/0035.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0036.JPG b/docs/howtos/t60_dev/0036.JPG deleted file mode 100644 index a7e5bdf..0000000 --- a/docs/howtos/t60_dev/0036.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0037.JPG b/docs/howtos/t60_dev/0037.JPG deleted file mode 100644 index ab30c27..0000000 --- a/docs/howtos/t60_dev/0037.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0038.JPG b/docs/howtos/t60_dev/0038.JPG deleted file mode 100644 index 362c547..0000000 --- a/docs/howtos/t60_dev/0038.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0039.JPG b/docs/howtos/t60_dev/0039.JPG deleted file mode 100644 index 224f72e..0000000 --- a/docs/howtos/t60_dev/0039.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0040.JPG b/docs/howtos/t60_dev/0040.JPG deleted file mode 100644 index adcd923..0000000 --- a/docs/howtos/t60_dev/0040.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0041.JPG b/docs/howtos/t60_dev/0041.JPG deleted file mode 100644 index 2a04682..0000000 --- a/docs/howtos/t60_dev/0041.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0042.JPG b/docs/howtos/t60_dev/0042.JPG deleted file mode 100644 index b5ed8ec..0000000 --- a/docs/howtos/t60_dev/0042.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0043.JPG b/docs/howtos/t60_dev/0043.JPG deleted file mode 100644 index 7144a98..0000000 --- a/docs/howtos/t60_dev/0043.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0044.JPG b/docs/howtos/t60_dev/0044.JPG deleted file mode 100644 index 27a24c6..0000000 --- a/docs/howtos/t60_dev/0044.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0045.JPG b/docs/howtos/t60_dev/0045.JPG deleted file mode 100644 index 997b498..0000000 --- a/docs/howtos/t60_dev/0045.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0046.JPG b/docs/howtos/t60_dev/0046.JPG deleted file mode 100644 index 25d6baa..0000000 --- a/docs/howtos/t60_dev/0046.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0047.JPG b/docs/howtos/t60_dev/0047.JPG deleted file mode 100644 index 6b57bf3..0000000 --- a/docs/howtos/t60_dev/0047.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0048.JPG b/docs/howtos/t60_dev/0048.JPG deleted file mode 100644 index 7339f07..0000000 --- a/docs/howtos/t60_dev/0048.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0049.JPG b/docs/howtos/t60_dev/0049.JPG deleted file mode 100644 index cf3a7fd..0000000 --- a/docs/howtos/t60_dev/0049.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0050.JPG b/docs/howtos/t60_dev/0050.JPG deleted file mode 100644 index 7de4edd..0000000 --- a/docs/howtos/t60_dev/0050.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0051.JPG b/docs/howtos/t60_dev/0051.JPG deleted file mode 100644 index 87c41b3..0000000 --- a/docs/howtos/t60_dev/0051.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0052.JPG b/docs/howtos/t60_dev/0052.JPG deleted file mode 100644 index 4a8e443..0000000 --- a/docs/howtos/t60_dev/0052.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0053.JPG b/docs/howtos/t60_dev/0053.JPG deleted file mode 100644 index e1044fc..0000000 --- a/docs/howtos/t60_dev/0053.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0054.JPG b/docs/howtos/t60_dev/0054.JPG deleted file mode 100644 index c96c020..0000000 --- a/docs/howtos/t60_dev/0054.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0055.JPG b/docs/howtos/t60_dev/0055.JPG deleted file mode 100644 index 6da87d5..0000000 --- a/docs/howtos/t60_dev/0055.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0056.JPG b/docs/howtos/t60_dev/0056.JPG deleted file mode 100644 index 81a6659..0000000 --- a/docs/howtos/t60_dev/0056.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0057.JPG b/docs/howtos/t60_dev/0057.JPG deleted file mode 100644 index 268fede..0000000 --- a/docs/howtos/t60_dev/0057.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0058.JPG b/docs/howtos/t60_dev/0058.JPG deleted file mode 100644 index bedfb12..0000000 --- a/docs/howtos/t60_dev/0058.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0059.JPG b/docs/howtos/t60_dev/0059.JPG deleted file mode 100644 index 422687c..0000000 --- a/docs/howtos/t60_dev/0059.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0060.JPG b/docs/howtos/t60_dev/0060.JPG deleted file mode 100644 index 8743c0d..0000000 --- a/docs/howtos/t60_dev/0060.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0061.JPG b/docs/howtos/t60_dev/0061.JPG deleted file mode 100644 index e05f626..0000000 --- a/docs/howtos/t60_dev/0061.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0062.JPG b/docs/howtos/t60_dev/0062.JPG deleted file mode 100644 index 1fe77a7..0000000 --- a/docs/howtos/t60_dev/0062.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0063.JPG b/docs/howtos/t60_dev/0063.JPG deleted file mode 100644 index 87b7761..0000000 --- a/docs/howtos/t60_dev/0063.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0064.JPG b/docs/howtos/t60_dev/0064.JPG deleted file mode 100644 index e80189e..0000000 --- a/docs/howtos/t60_dev/0064.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0065.JPG b/docs/howtos/t60_dev/0065.JPG deleted file mode 100644 index 4e77a88..0000000 --- a/docs/howtos/t60_dev/0065.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0066.JPG b/docs/howtos/t60_dev/0066.JPG deleted file mode 100644 index 793c0f8..0000000 --- a/docs/howtos/t60_dev/0066.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0068.JPG b/docs/howtos/t60_dev/0068.JPG deleted file mode 100644 index 9f9f299..0000000 --- a/docs/howtos/t60_dev/0068.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0069.JPG b/docs/howtos/t60_dev/0069.JPG deleted file mode 100644 index 98931e6..0000000 --- a/docs/howtos/t60_dev/0069.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0070.JPG b/docs/howtos/t60_dev/0070.JPG deleted file mode 100644 index 09958c3..0000000 --- a/docs/howtos/t60_dev/0070.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0071.JPG b/docs/howtos/t60_dev/0071.JPG deleted file mode 100644 index 104d21e..0000000 --- a/docs/howtos/t60_dev/0071.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0072.JPG b/docs/howtos/t60_dev/0072.JPG deleted file mode 100644 index 66c8e3b..0000000 --- a/docs/howtos/t60_dev/0072.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0073.JPG b/docs/howtos/t60_dev/0073.JPG deleted file mode 100644 index 5d9b9fa..0000000 --- a/docs/howtos/t60_dev/0073.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/0074.JPG b/docs/howtos/t60_dev/0074.JPG deleted file mode 100644 index 303264a..0000000 --- a/docs/howtos/t60_dev/0074.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_dev/t60_unbrick.jpg b/docs/howtos/t60_dev/t60_unbrick.jpg deleted file mode 100644 index 820a9b4..0000000 --- a/docs/howtos/t60_dev/t60_unbrick.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/t60_heatsink.html b/docs/howtos/t60_heatsink.html deleted file mode 100644 index f10ea60..0000000 --- a/docs/howtos/t60_heatsink.html +++ /dev/null @@ -1,133 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad T60 - - - - -
-

Changing heatsink (or CPU) on the ThinkPad T60

- -
- -

Or go back to main index

- -

Hardware requirements

- - -

Software requirements

- - -

Disassembly

- -

- Remove those screws and remove the HDD:
- -

- -

- Lift off the palm rest:
- -

- -

- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- -

- -

- Gently wedge both sides loose:
- -

- -

- Remove that cable from the position:
- -

- -

- Remove the bezel (sorry forgot to take pics). -

- -

- On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way
- -

- -

- This is also an opportunity to change the CPU to another one. For example if you had a Core Duo T2400, you can upgrade it to a better processor - (higher speed, 64-bit support). A Core 2 Duo T7600 was installed here. -

- -

- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
- -

- -

- Reinstall that upper bezel:
- -

- -

- Do that:
- -

- -

- Attach keyboard:
- -

- -

- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
- -

- -

- It lives!
- -

- -

- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
- -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/t60_lcd_15.html b/docs/howtos/t60_lcd_15.html deleted file mode 100644 index 3b382f5..0000000 --- a/docs/howtos/t60_lcd_15.html +++ /dev/null @@ -1,94 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad T60 - - - - -
-

Changing the LCD panel on a 15.1" T60

- -
- -

Or go back to main index

- -

Disassembly

- -

- Remove those covers and unscrew:
- -

- -

- Gently pry off the front bezel. -

- -

- Remove inverter board:
- -

- -

- Disconnect LCD cable:
- -

- -

- Remove the panel:
- -

- -

- Move the rails (left and right side) from the old panel to the new one and then attach LCD cable:
- -

- -

- Insert panel (this one is an LG-Philips LP150E05-A2K1, and there are others. See ../index.html#supported_t60_list):
- -

- -

- Insert new inverter board (see ../index.html#supported_t60_list for what is recommended on your LCD panel):
- -

- -

- Now re-attach the front bezel and put all the screws in. -

- -

- It lives!
- -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/t60_security.html b/docs/howtos/t60_security.html deleted file mode 100644 index f39c739..0000000 --- a/docs/howtos/t60_security.html +++ /dev/null @@ -1,445 +0,0 @@ - - - - - - - - - Libreboot documentation: Security on the ThinkPad T60 - - - - -
-

Security on the ThinkPad T60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements

- - -

- Rationale -

-

- Most people think of security on the software side: the hardware is important aswell. - Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work. - It is also generally useful to all those that believe security and privacy are inalienable rights. - Security starts with the hardware; crypto and network security come later. -

-

- Paradoxically, going this far to increase your security also makes you a bigger target. - At the same time, it protects you in the case that someone does attack your machine. - This paradox only exists while few people take adequate steps to protect yourself: it is your duty - to protect yourself, not only for your benefit but to make strong security normal so - that those who do need protection (and claim it) are a smaller target against the masses. -

-

- Even if there are levels of security beyond your ability (technically, financially and so on) - doing at least something (what you are able to do) is extremely important. - If you use the internet and your computer without protection, attacking you is cheap (some say it is - only a few US cents). If everyone (majority of people) use strong security by default, - it makes attacks more costly and time consuming; in effect, making them disappear. -

-

- This tutorial deals with reducing the number of devices that have direct memory access that - could communicate with inputs/outputs that could be used to remotely - command the machine (or leak data). -

- -

Disassembly

- -

- Remove those screws and remove the HDD:
- -

- -

- Lift off the palm rest:
- -

- -

- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- -

- -

- Gently wedge both sides loose:
- -

- -

- Remove that cable from the position:
- -

- -

- Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):
-
- Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.
- Wifi: The ath5k/ath9k cards might not have firmware at all. They might safe but could have - access to the computer's RAM trough DMA. If people have an intel - card(most T60's come with Intel wifi by default, until you change it),then that card runs - a non-free firwamre and has access to the computer's RAM trough DMA! So - it's risk-level is very high. -

- -

- Remove those screws:
- -

- -

- Disconnect the power jack:
- -

- -

- Remove nvram battery (we will put it back later):
- -

- -

- Disconnect cable (for 56k modem) and disconnect the other cable:
- -

- -

- Disconnect speaker cable:
- -

- -

- Disconnect the other end of the 56k modem cable:
- -

- -

- Make sure you removed it:
- -

- -

- Unscrew those:
- -

- -

- Make sure you removed those:
- -

- -

- Disconnect LCD cable from board:
- -

- -

- Remove those screws then remove the LCD assembly:
- -

- -

- Once again, make sure you removed those:
- -

- -

- Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady - surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the - screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:
- - -

- -

- Remove microphone (soldering iron not needed. Just wedge it out gently):
-
- Rationale:
- Another reason to remove the microphone: If your computer gets[1] compromised, it can - record what you say, and use it to receive data from nearby devices if - they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically - be programmed to accept remote commands from some speaker somewhere (remote security hole). In other words, - the machine could already be compromised from the factory. -

- -

- Remove infrared:
- -

- -

- Remove cardbus (it's in a socket, no need to disable. Just remove the port itself):
-
- Rationale:
- It has direct memory access and can be used to extract sensitive details (such as LUKS keys). See - 'GoodBIOS' video linked at the end (speaker is Peter Stuge, a coreboot hacker). The video covers X60 - but the same topics apply to T60. -

- -

- Before re-installing the upper chassis, remove the speaker:
-
- Reason: combined with the microphone issue, this could be used to leak data.
- If your computer gets[1] compromised, it can be used to - transmit data to nearby compromised devices. It's unknown if it can be - turned into a microphone[2].
- Replacement: headphones/speakers (line-out) or external DAC (USB). -

- -

- Remove the wwan:
-
- Wwan (3d modem): They run proprietary software and have access to the - computer's RAM! So it's like AMT but over the GSM network which is - probably even worse.
- Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended). -

- -

- This is where the simcard connector is soldered. See notes above about wwan. Remove simcard by removing battery - and then it's accessible (so, remember to do this when you re-assemble. or you could do it now?)
- -

- -

- Put those screws back:
- -

- -

- Put it back into lower chassis:
- -

- -

- Attach LCD and insert screws (also, attach the lcd cable to the board):
- -

- -

- Insert those screws:
- -

- -

- On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way
- -

- -

- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
- -

- -

- Reinstall that upper bezel:
- -

- -

- Do that:
- -

- -

- Attach keyboard and install nvram battery:
- -

- -

- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
- -

- -

- Remove those covers and unscrew:
- -

- -

- Gently pry off the front bezel (sorry, forgot to take pics). -

- -

- Remove bluetooth module:
- -

- -

- Re-attach the front bezel and re-insert the screws (sorry, forgot to take pics). -

- -

- It lives!
- -

- -

- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
- -

- -

- Not covered yet: -

- -

- Go to http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html - or directly to the video: http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm. -

-

- A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above. -

- -

- Also not covered yet: -

- - -

- Extra notes -

-

- EC: Cannot be removed but can be mitigated: it contains non-free - non-loadable code, but it has no access to the computer's RAM. - It has access to the on-switch of the wifi, bluetooth, modem and some - other power management features. The issue is that it has access to the - keyboard, however if the software security howto (not yet written) is followed correctly, - it won't be able to leak data to a local attacker. It has no network - access but it may still be able to leak data remotely, but that - requires someone to be nearby to recover the data with the help of an - SDR and some directional antennas[3]. -

-

- Intel 82573 Ethernet controller - on the X60 seems safe, according to Denis. -

- -

- Risk level -

- - -

- Further reading material (software security) -

- - -

- References -

-

[1] physical access

-

- Explain that black hats, TAO, and so on might use a 0day to get in, - and explain that in this case it mitigates what the attacker can do. - Also the TAO do some evaluation before launching an attack: they take - the probability of beeing caught into account, along with the kind of - target. A 0day costs a lot of money, I heard that it was from 100000$ - to 400000$, some other websites had prices 10 times lower but that - but it was probably a typo. So if people increase their security it - makes it more risky and more costly to attack people. -

-

[2] microphone

-

- It's possible to turn headphones into a microphone, you could try - yourself, however they don't record loud at all. Also intel cards have - the capability to change a connector's function, for instance the - microphone jack can now become a headphone plug, that's called - retasking. There is some support for it in GNU/Linux but it's not very - well known. -

-

[3] Video (CCC)

-

- 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While - their demo is experimental(their hardware also got damaged during the - transport), the spies probably already have that since a long time. - http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/t60_unbrick.html b/docs/howtos/t60_unbrick.html deleted file mode 100644 index 69648e1..0000000 --- a/docs/howtos/t60_unbrick.html +++ /dev/null @@ -1,319 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad T60 - - - - -
-

Unbricking the ThinkPad T60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements

- - -

Brick type 1: bucts not reset.

-

- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.

- - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-

- - *Those dd commands should be applied to all newly compiled T60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation. - (it says x60, but instructions for t60 are identical) -

- -

bad rom (or user error), machine won't boot

- -

- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. -

-

- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). -

- -

- Remove those screws and remove the HDD:
- -

- -

- Lift off the palm rest:
- -

- -

- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- -

- -

- Gently wedge both sides loose:
- -

- -

- Remove that cable from the position:
- -

- -

- Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):
- -

- -

- Remove those screws:
- -

- -

- Disconnect the power jack:
- -

- -

- Remove nvram battery:
- -

- -

- Disconnect cable (for 56k modem) and disconnect the other cable:
- -

- -

- Disconnect speaker cable:
- -

- -

- Disconnect the other end of the 56k modem cable:
- -

- -

- Make sure you removed it:
- -

- -

- Unscrew those:
- -

- -

- Make sure you removed those:
- -

- -

- Disconnect LCD cable from board:
- -

- -

- Remove those screws then remove the LCD assembly:
- -

- -

- Once again, make sure you removed those:
- -

- -

- Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady - surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the - screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:
- - -

- -

- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- (it says X60 but instructions are virtually the same for the T60, with except to physical differences in how to disassemble the machine)
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
- - Here is the pinout (correlate it with your programmer's documentation):
- -

- -

- Connecting the pomona:
- -

- -

- Connect programmer to 2nd computer:
- -

- -

- Programmer has power:
- -

- -

- Now flash the bricked machine using the 2nd computer. in my case I did:
- flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/t60/libreboot_usqwerty.rom
- Note: there are also other ROM images for T60
- Note: this is using buspirate as the programmer, so it is flashing the T60, not the 2nd computer!
- Here's my terminal window on the 2nd computer (also the programmer is active):
-
- So, you should see the following:
- -- -

-			flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian
-			flashrom is free software, get the source code at http://www.flashrom.org
-
-			Calibrating delay loop... delay loop is unreliable, trying to continue OK.
-			Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
-			Reading old flash chip contents... done.
-			Erasing and writing flash chip... Erase/write done.
-			Verifying flash... VERIFIED. 
-			
- --
- At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means - that you can put your T60 back together. So let's do that now. -

- -

- Put those screws back:
- -

- -

- Put it back into lower chassis:
- -

- -

- Attach LCD and insert screws (also, attach the lcd cable to the board):
- -

- -

- Insert those screws:
- -

- -

- On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way
- -

- -

- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
- -

- -

- Reinstall that upper bezel:
- -

- -

- Do that:
- -

- -

- Re-attach modem, wifi, (wwan?), and all necessary cables. Sorry, forgot to take pics. Look at previous removal steps to see where they go back to. -

- -

- Attach keyboard and install nvram battery:
- -

- -

- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
- -

- -

- It lives!
- -

- -

- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
- -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/x60_heatsink.html b/docs/howtos/x60_heatsink.html deleted file mode 100644 index 22b55e1..0000000 --- a/docs/howtos/x60_heatsink.html +++ /dev/null @@ -1,149 +0,0 @@ - - - - - - - - - Libreboot documentation: Switch heatsink on ThinkPad X60 - - - - -
-

Changing the fan/heatsink on the ThinkPad X60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements (for CPU stress testing)

- - -

Disassembly

-

- Remove those screws:
- -

-

- Push the keyboard forward (carefully):
- -

-

- Lift the keyboard up and disconnect it from the board:
- -

-

- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
- -

-

- You should now have this:
- -

-

- Disconnect the wifi antenna cables, the modem cable and the speaker:
- -

-

- Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem - cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand - side:
- -

-

- Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape - that holds it into place:
- -

-

- Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:
- -

-

- Remove those screws:
- -

-

- Remove those screws:
- -

-

- Carefully remove the plate, like so:
- -

-

- Remove the SATA connector:
- -

-

- Now remove the motherboard (gently) and cast the lcd/chassis aside:
- -

-

- Look at that black tape above the heatsink, remove it:
- -

-

- Now you have removed it:
- -

- -

- Disconnect the fan and remove all the screws, heatsink will easily come off:
- -

- -

- Remove the old paste with a cloth (from the CPU and heatsink) and then clean both of them with the alcholeel (to remove remaining residue. typo is intentional). - Apply a pea-sized amount of paste to the both chipsets that the heatsink covered and spread it evenly (uniformally). - Finally reinstall the heatsink, reversing previous steps. -

- -

- stress -c 2 command can be used to push the CPU to 100%, and xsensors (or watch sensors command) can be used to monitor heat. - Below 90C is ok. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/x60_heatsink/0000.jpg b/docs/howtos/x60_heatsink/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_heatsink/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0001.jpg b/docs/howtos/x60_heatsink/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_heatsink/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0002.jpg b/docs/howtos/x60_heatsink/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_heatsink/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0003.jpg b/docs/howtos/x60_heatsink/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_heatsink/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0004.jpg b/docs/howtos/x60_heatsink/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_heatsink/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0005.jpg b/docs/howtos/x60_heatsink/0005.jpg deleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_heatsink/0005.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0006.jpg b/docs/howtos/x60_heatsink/0006.jpg deleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_heatsink/0006.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0007.jpg b/docs/howtos/x60_heatsink/0007.jpg deleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_heatsink/0007.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0008.jpg b/docs/howtos/x60_heatsink/0008.jpg deleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_heatsink/0008.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0009.jpg b/docs/howtos/x60_heatsink/0009.jpg deleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_heatsink/0009.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0010.jpg b/docs/howtos/x60_heatsink/0010.jpg deleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_heatsink/0010.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0011.jpg b/docs/howtos/x60_heatsink/0011.jpg deleted file mode 100644 index 101cf6a..0000000 --- a/docs/howtos/x60_heatsink/0011.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0012.jpg b/docs/howtos/x60_heatsink/0012.jpg deleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_heatsink/0012.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0013.jpg b/docs/howtos/x60_heatsink/0013.jpg deleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_heatsink/0013.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0014.jpg b/docs/howtos/x60_heatsink/0014.jpg deleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_heatsink/0014.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0015.jpg b/docs/howtos/x60_heatsink/0015.jpg deleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_heatsink/0015.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0016.jpg b/docs/howtos/x60_heatsink/0016.jpg deleted file mode 100644 index ea418a5..0000000 --- a/docs/howtos/x60_heatsink/0016.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0017.jpg b/docs/howtos/x60_heatsink/0017.jpg deleted file mode 100644 index 8a67482..0000000 --- a/docs/howtos/x60_heatsink/0017.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0018.jpg b/docs/howtos/x60_heatsink/0018.jpg deleted file mode 100644 index 98c43ac..0000000 --- a/docs/howtos/x60_heatsink/0018.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change.html b/docs/howtos/x60_lcd_change.html deleted file mode 100644 index 3ddeaac..0000000 --- a/docs/howtos/x60_lcd_change.html +++ /dev/null @@ -1,54 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad T60 - - - - -
-

Changing the LCD panel on X60

-
- -

Or go back to main index

- -

This tutorial is incomplete, and only pictures for now.

- -

- - - - - - - -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/x60_lcd_change/0001.JPG b/docs/howtos/x60_lcd_change/0001.JPG deleted file mode 100755 index fd066eb..0000000 --- a/docs/howtos/x60_lcd_change/0001.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0002.JPG b/docs/howtos/x60_lcd_change/0002.JPG deleted file mode 100755 index 96949f1..0000000 --- a/docs/howtos/x60_lcd_change/0002.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0003.JPG b/docs/howtos/x60_lcd_change/0003.JPG deleted file mode 100755 index 90216aa..0000000 --- a/docs/howtos/x60_lcd_change/0003.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0004.JPG b/docs/howtos/x60_lcd_change/0004.JPG deleted file mode 100755 index 3b704a4..0000000 --- a/docs/howtos/x60_lcd_change/0004.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0005.JPG b/docs/howtos/x60_lcd_change/0005.JPG deleted file mode 100755 index 823bab9..0000000 --- a/docs/howtos/x60_lcd_change/0005.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0006.JPG b/docs/howtos/x60_lcd_change/0006.JPG deleted file mode 100755 index 040f2ca..0000000 --- a/docs/howtos/x60_lcd_change/0006.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0007.JPG b/docs/howtos/x60_lcd_change/0007.JPG deleted file mode 100755 index 42c2607..0000000 --- a/docs/howtos/x60_lcd_change/0007.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html deleted file mode 100644 index e24ae12..0000000 --- a/docs/howtos/x60_security.html +++ /dev/null @@ -1,306 +0,0 @@ - - - - - - - - - Libreboot documentation: Security on the ThinkPad X60 - - - - -
-

Security on the ThinkPad X60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements

- - -

- Rationale -

-

- Most people think of security on the software side: the hardware is important aswell. - Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work. - It is also generally useful to all those that believe security and privacy are inalienable rights. - Security starts with the hardware; crypto and network security come later. -

-

- Paradoxically, going this far to increase your security also makes you a bigger target. - At the same time, it protects you in the case that someone does attack your machine. - This paradox only exists while few people take adequate steps to protect yourself: it is your duty - to protect yourself, not only for your benefit but to make strong security normal so - that those who do need protection (and claim it) are a smaller target against the masses. -

-

- Even if there are levels of security beyond your ability (technically, financially and so on) - doing at least something (what you are able to do) is extremely important. - If you use the internet and your computer without protection, attacking you is cheap (some say it is - only a few US cents). If everyone (majority of people) use strong security by default, - it makes attacks more costly and time consuming; in effect, making them disappear. -

-

- This tutorial deals with reducing the number of devices that have direct memory access that - could communicate with inputs/outputs that could be used to remotely - command the machine (or leak data). -

- -

Disassembly

- -

- Firstly remove the bluetooth (if your X60 has this):
- The marked screws are underneath those stickers (marked in those 3 locations at the bottom of the LCD assembly):
-
- Now gently pry off the bottom part of the front bezel, and the bluetooth module is on the left (easily removable):
-
-

- -

- If your model was WWAN, remove the simcard (check anyway):
- Uncover those 2 screws at the bottom:
-
- SIM card (not present in the picture) is in the marked location:
-
- Replacement: USB dongle. -

- -

- Now get into the motherboard. -

- -

- Remove those screws:
- -

-

- Push the keyboard forward (carefully):
- -

-

- Lift the keyboard up and disconnect it from the board:
- -

-

- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
- -

-

- You should now have this:
- -

- -

- The following is a summary of what you will remove (already done to this machine):
-
- Note: the blue lines represent antenna cables and modem cables. You don't need to remove these, but you can if you want - (to make it tidier after removing other parts). I removed the antenna wires, the modem jack, the modem cable and - also (on another model) a device inside the part where the wwan antenna goes (wasn't sure what it was, but I knew it wasn't needed). This is optional -

- -

- Remove the microphone (can desolder it, but you can also easily pull it off with you hands). Already removed here:
-
- Rationale:
- Another reason to remove the microphone: If your computer gets[1] compromised, it can - record what you say, and use it to receive data from nearby devices if - they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically - be programmed to accept remote commands from some speaker somewhere (remote security hole). In other words, - the machine could already be compromised from the factory. -

- -

- Remove the modem:
-
- (useless, obsolete device) -

- -

- Remove the speaker:
-
- Reason: combined with the microphone issue, this could be used to leak data.
- If your computer gets[1] compromised, it can be used to - transmit data to nearby compromised devices. It's unknown if it can be - turned into a microphone[2].
- Replacement: headphones/speakers (line-out) or external DAC (USB). -

- -

- Remove the wlan (also remove wwan if you have it):
-
- Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.
- Wifi: The ath5k/ath9k cards might not have firmware at all. They might safe but could have - access to the computer's RAM trough DMA. If people have an intel - card(most X60's come with Intel wifi by default, until you change it),then that card runs - a non-free firwamre and has access to the computer's RAM trough DMA! So - it's risk-level is very high.
- Wwan (3d modem): They run proprietary software and have access to the - computer's RAM! So it's like AMT but over the GSM network which is - probably even worse.
- Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended). -

- -

- Not covered yet: -

- -

- Go to http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html - or directly to the video: http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm. -

-

- A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above. -

- -

- Also not covered yet: -

- - -

- Extra notes -

-

- EC: Cannot be removed but can be mitigated: it contains non-free - non-loadable code, but it has no access to the computer's RAM. - It has access to the on-switch of the wifi, bluetooth, modem and some - other power management features. The issue is that it has access to the - keyboard, however if the software security howto (not yet written) is followed correctly, - it won't be able to leak data to a local attacker. It has no network - access but it may still be able to leak data remotely, but that - requires someone to be nearby to recover the data with the help of an - SDR and some directional antennas[3]. -

-

- Intel 82573 Ethernet controller - on the X60 seems safe, according to Denis. -

- -

- Risk level -

- - -

- Further reading material (software security) -

- - -

- References -

-

[1] physical access

-

- Explain that black hats, TAO, and so on might use a 0day to get in, - and explain that in this case it mitigates what the attacker can do. - Also the TAO do some evaluation before launching an attack: they take - the probability of beeing caught into account, along with the kind of - target. A 0day costs a lot of money, I heard that it was from 100000$ - to 400000$, some other websites had prices 10 times lower but that - but it was probably a typo. So if people increase their security it - makes it more risky and more costly to attack people. -

-

[2] microphone

-

- It's possible to turn headphones into a microphone, you could try - yourself, however they don't record loud at all. Also intel cards have - the capability to change a connector's function, for instance the - microphone jack can now become a headphone plug, that's called - retasking. There is some support for it in GNU/Linux but it's not very - well known. -

-

[3] Video (CCC)

-

- 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While - their demo is experimental(their hardware also got damaged during the - transport), the spies probably already have that since a long time. - http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/x60_security/0000.jpg b/docs/howtos/x60_security/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_security/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_bluetooth.jpg b/docs/howtos/x60_security/0000_bluetooth.jpg deleted file mode 100644 index 94a255f..0000000 --- a/docs/howtos/x60_security/0000_bluetooth.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_bluetooth0.jpg b/docs/howtos/x60_security/0000_bluetooth0.jpg deleted file mode 100644 index a750b0c..0000000 --- a/docs/howtos/x60_security/0000_bluetooth0.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_simcard0.jpg b/docs/howtos/x60_security/0000_simcard0.jpg deleted file mode 100644 index 40837ea..0000000 --- a/docs/howtos/x60_security/0000_simcard0.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_simcard1.jpg b/docs/howtos/x60_security/0000_simcard1.jpg deleted file mode 100644 index c0a5b35..0000000 --- a/docs/howtos/x60_security/0000_simcard1.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001.jpg b/docs/howtos/x60_security/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_security/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_microphone.jpg b/docs/howtos/x60_security/0001_microphone.jpg deleted file mode 100644 index c419060..0000000 --- a/docs/howtos/x60_security/0001_microphone.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_modem.jpg b/docs/howtos/x60_security/0001_modem.jpg deleted file mode 100644 index 6a7a6a0..0000000 --- a/docs/howtos/x60_security/0001_modem.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_overview.jpg b/docs/howtos/x60_security/0001_overview.jpg deleted file mode 100644 index 7268e49..0000000 --- a/docs/howtos/x60_security/0001_overview.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_speaker.jpg b/docs/howtos/x60_security/0001_speaker.jpg deleted file mode 100644 index 28d3ed6..0000000 --- a/docs/howtos/x60_security/0001_speaker.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_wlan_wwan.jpg b/docs/howtos/x60_security/0001_wlan_wwan.jpg deleted file mode 100644 index 0db858d..0000000 --- a/docs/howtos/x60_security/0001_wlan_wwan.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0002.jpg b/docs/howtos/x60_security/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_security/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0003.jpg b/docs/howtos/x60_security/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_security/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0004.jpg b/docs/howtos/x60_security/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_security/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick.html b/docs/howtos/x60_unbrick.html deleted file mode 100644 index 945712d..0000000 --- a/docs/howtos/x60_unbrick.html +++ /dev/null @@ -1,310 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad X60 - - - - -
-

Unbricking the ThinkPad X60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements

- - -

Brick type 1: bucts not reset.

-

- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.

- - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-

- - *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation. -

- -

bad rom (or user error), machine won't boot

-

- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. -

-

- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). -

-

- Remove those screws:
- -

-

- Push the keyboard forward (carefully):
- -

-

- Lift the keyboard up and disconnect it from the board:
- -

-

- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
- -

-

- You should now have this:
- -

-

- Disconnect the wifi antenna cables, the modem cable and the speaker:
- -

-

- Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem - cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand - side:
- -

-

- Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape - that holds it into place:
- -

-

- Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:
- -

-

- Remove the screw that is highlighted (do NOT remove the other one; it holds part of the heatsink (other side) into place):
- -

-

- Remove those screws:
- -

-

- Carefully remove the plate, like so:
- -

-

- Remove the SATA connector:
- -

-

- Now remove the motherboard (gently) and cast the lcd/chassis aside:
- -

-

- Lift back that tape and hold it with something. Highlighted is the SPI flash chip:
- -

-

- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
- - Here is the pinout (correlate it with your programmer's documentation):
- -

- -

- My programmer, usb cable and clip:
-
- My programmer (bus pirate):
-
- My clip (pomona 5250):
-
- My USB mini a to b cable:
-
- Connecting the pomona:
-
- Connecting the USB cable from programmer to 2nd(working/non-bricked) computer, my T60:
-
- Programmer is now active:
-
- Now I install flashrom on the T60 (running Trisquel GNU/Linux) and do this:
- flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60/libreboot_usqwerty.rom
- Note: there are also other ROM images for X60
- Note: this is using buspirate as the programmer, so it is flashing the X60, not the T60!
- Here's my terminal window on the T60:
-
- So, you should see the following:
- -- -

-			flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian
-			flashrom is free software, get the source code at http://www.flashrom.org
-
-			Calibrating delay loop... delay loop is unreliable, trying to continue OK.
-			Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
-			Reading old flash chip contents... done.
-			Erasing and writing flash chip... Erase/write done.
-			Verifying flash... VERIFIED. 
-			
- --
- At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means - that you can put your X60 back together. So let's do that now. -

-

- Remove the programmer and put it away somewhere. Put back the tape and press firmly over it:
- -

-

- Your empty chassis:
- -

-

- Put the motherboard back in:
- -

-

- Reconnect SATA:
- -

-

- Put the plate back and re-insert those screws:
- -

-

- Re-route that antenna cable around the fan and apply the tape:
- -

-

- Route the cable here and then (not shown, due to error on my part) reconnect the monitor cable to the motherboard - and re-insert the screws:
- -

-

- Re-insert that screw:
- -

-

- Route the black antenna cable like so:
- -

-

- Tuck it in neatly like so:
- -

-

- Route the modem cable like so:
- -

-

- Connect modem cable to board and tuck it in neatly like so:
- -

-

- Route the power connection and connect it to the board like so:
- -

-

- Route the antenna and modem cables neatly like so:
- -

-

- Connect the wifi antenna cables. At the start of the tutorial, this machine had an Intel wifi chip. Here you see I've replaced it with an - Atheros AR5B95 (supports 802.11n and can be used without blobs):
- -

-

- Connect the modem cable:
- -

-

- Connect the speaker:
- -

-

- You should now have this:
- -

-

- Re-connect the upper chassis:
- -

-

- Re-connect the keyboard:
- -

-

- Re-insert the screws that you removed earlier:
- -

-

- Power on!
- -

-

- Trisquel live USB menu (using GRUB's ISOLINUX parser):
- -

-

- Trisquel live desktop:
- -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - diff --git a/docs/howtos/x60_unbrick/0000.jpg b/docs/howtos/x60_unbrick/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_unbrick/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0001.jpg b/docs/howtos/x60_unbrick/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_unbrick/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0002.jpg b/docs/howtos/x60_unbrick/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_unbrick/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0003.jpg b/docs/howtos/x60_unbrick/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_unbrick/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0004.jpg b/docs/howtos/x60_unbrick/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_unbrick/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0005.jpg b/docs/howtos/x60_unbrick/0005.jpg deleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_unbrick/0005.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0006.jpg b/docs/howtos/x60_unbrick/0006.jpg deleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_unbrick/0006.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0007.jpg b/docs/howtos/x60_unbrick/0007.jpg deleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_unbrick/0007.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0008.jpg b/docs/howtos/x60_unbrick/0008.jpg deleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_unbrick/0008.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0009.jpg b/docs/howtos/x60_unbrick/0009.jpg deleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_unbrick/0009.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0010.jpg b/docs/howtos/x60_unbrick/0010.jpg deleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_unbrick/0010.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0011.jpg b/docs/howtos/x60_unbrick/0011.jpg deleted file mode 100644 index edc14c7..0000000 --- a/docs/howtos/x60_unbrick/0011.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0012.jpg b/docs/howtos/x60_unbrick/0012.jpg deleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_unbrick/0012.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0013.jpg b/docs/howtos/x60_unbrick/0013.jpg deleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_unbrick/0013.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0014.jpg b/docs/howtos/x60_unbrick/0014.jpg deleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_unbrick/0014.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0015.jpg b/docs/howtos/x60_unbrick/0015.jpg deleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_unbrick/0015.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0016.jpg b/docs/howtos/x60_unbrick/0016.jpg deleted file mode 100644 index f10ca88..0000000 --- a/docs/howtos/x60_unbrick/0016.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0017.jpg b/docs/howtos/x60_unbrick/0017.jpg deleted file mode 100644 index 69b28c0..0000000 --- a/docs/howtos/x60_unbrick/0017.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0018.jpg b/docs/howtos/x60_unbrick/0018.jpg deleted file mode 100644 index 7145d9f..0000000 --- a/docs/howtos/x60_unbrick/0018.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0019.jpg b/docs/howtos/x60_unbrick/0019.jpg deleted file mode 100644 index 959a6ee..0000000 --- a/docs/howtos/x60_unbrick/0019.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0020.jpg b/docs/howtos/x60_unbrick/0020.jpg deleted file mode 100644 index e6b2536..0000000 --- a/docs/howtos/x60_unbrick/0020.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0021.jpg b/docs/howtos/x60_unbrick/0021.jpg deleted file mode 100644 index 65bcb60..0000000 --- a/docs/howtos/x60_unbrick/0021.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0022.jpg b/docs/howtos/x60_unbrick/0022.jpg deleted file mode 100644 index cfcad6d..0000000 --- a/docs/howtos/x60_unbrick/0022.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0023.jpg b/docs/howtos/x60_unbrick/0023.jpg deleted file mode 100644 index 10824fd..0000000 --- a/docs/howtos/x60_unbrick/0023.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0024.jpg b/docs/howtos/x60_unbrick/0024.jpg deleted file mode 100644 index 9ce9d45..0000000 --- a/docs/howtos/x60_unbrick/0024.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0025.jpg b/docs/howtos/x60_unbrick/0025.jpg deleted file mode 100644 index 7b6da73..0000000 --- a/docs/howtos/x60_unbrick/0025.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0026.jpg b/docs/howtos/x60_unbrick/0026.jpg deleted file mode 100644 index 526c11c..0000000 --- a/docs/howtos/x60_unbrick/0026.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0027.jpg b/docs/howtos/x60_unbrick/0027.jpg deleted file mode 100644 index 877dc59..0000000 --- a/docs/howtos/x60_unbrick/0027.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0028.jpg b/docs/howtos/x60_unbrick/0028.jpg deleted file mode 100644 index d22d932..0000000 --- a/docs/howtos/x60_unbrick/0028.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0029.jpg b/docs/howtos/x60_unbrick/0029.jpg deleted file mode 100644 index 27f9190..0000000 --- a/docs/howtos/x60_unbrick/0029.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0030.jpg b/docs/howtos/x60_unbrick/0030.jpg deleted file mode 100644 index 813b5c6..0000000 --- a/docs/howtos/x60_unbrick/0030.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0031.jpg b/docs/howtos/x60_unbrick/0031.jpg deleted file mode 100644 index 49fe541..0000000 --- a/docs/howtos/x60_unbrick/0031.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0032.jpg b/docs/howtos/x60_unbrick/0032.jpg deleted file mode 100644 index e8625ef..0000000 --- a/docs/howtos/x60_unbrick/0032.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0033.jpg b/docs/howtos/x60_unbrick/0033.jpg deleted file mode 100644 index 3abfa37..0000000 --- a/docs/howtos/x60_unbrick/0033.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0034.jpg b/docs/howtos/x60_unbrick/0034.jpg deleted file mode 100644 index c8ab597..0000000 --- a/docs/howtos/x60_unbrick/0034.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0035.jpg b/docs/howtos/x60_unbrick/0035.jpg deleted file mode 100644 index 03d5482..0000000 --- a/docs/howtos/x60_unbrick/0035.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0036.jpg b/docs/howtos/x60_unbrick/0036.jpg deleted file mode 100644 index 244c06c..0000000 --- a/docs/howtos/x60_unbrick/0036.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0037.jpg b/docs/howtos/x60_unbrick/0037.jpg deleted file mode 100644 index f55db4f..0000000 --- a/docs/howtos/x60_unbrick/0037.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0038.jpg b/docs/howtos/x60_unbrick/0038.jpg deleted file mode 100644 index 0735825..0000000 --- a/docs/howtos/x60_unbrick/0038.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0039.jpg b/docs/howtos/x60_unbrick/0039.jpg deleted file mode 100644 index dff9ba4..0000000 --- a/docs/howtos/x60_unbrick/0039.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0040.jpg b/docs/howtos/x60_unbrick/0040.jpg deleted file mode 100644 index 74a9b7f..0000000 --- a/docs/howtos/x60_unbrick/0040.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0041.jpg b/docs/howtos/x60_unbrick/0041.jpg deleted file mode 100644 index 1b15834..0000000 --- a/docs/howtos/x60_unbrick/0041.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0042.jpg b/docs/howtos/x60_unbrick/0042.jpg deleted file mode 100644 index 849a260..0000000 --- a/docs/howtos/x60_unbrick/0042.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0043.jpg b/docs/howtos/x60_unbrick/0043.jpg deleted file mode 100644 index c842695..0000000 --- a/docs/howtos/x60_unbrick/0043.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0044.jpg b/docs/howtos/x60_unbrick/0044.jpg deleted file mode 100644 index 2b78380..0000000 --- a/docs/howtos/x60_unbrick/0044.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0045.jpg b/docs/howtos/x60_unbrick/0045.jpg deleted file mode 100644 index d6d8e2d..0000000 --- a/docs/howtos/x60_unbrick/0045.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0046.jpg b/docs/howtos/x60_unbrick/0046.jpg deleted file mode 100644 index 5eef878..0000000 --- a/docs/howtos/x60_unbrick/0046.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0047.jpg b/docs/howtos/x60_unbrick/0047.jpg deleted file mode 100644 index 87517e0..0000000 --- a/docs/howtos/x60_unbrick/0047.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0048.jpg b/docs/howtos/x60_unbrick/0048.jpg deleted file mode 100644 index a701a48..0000000 --- a/docs/howtos/x60_unbrick/0048.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0049.jpg b/docs/howtos/x60_unbrick/0049.jpg deleted file mode 100644 index 630ac53..0000000 --- a/docs/howtos/x60_unbrick/0049.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/.htaccess b/docs/howtos/x60t_unbrick/.htaccess deleted file mode 100644 index 75da674..0000000 --- a/docs/howtos/x60t_unbrick/.htaccess +++ /dev/null @@ -1,2 +0,0 @@ -Options +Indexes -IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* diff --git a/docs/howtos/x60t_unbrick/0000.JPG b/docs/howtos/x60t_unbrick/0000.JPG deleted file mode 100644 index 4d8de31..0000000 --- a/docs/howtos/x60t_unbrick/0000.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0001.JPG b/docs/howtos/x60t_unbrick/0001.JPG deleted file mode 100644 index 7783c4f..0000000 --- a/docs/howtos/x60t_unbrick/0001.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0002.JPG b/docs/howtos/x60t_unbrick/0002.JPG deleted file mode 100644 index ddc6aac..0000000 --- a/docs/howtos/x60t_unbrick/0002.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0003.JPG b/docs/howtos/x60t_unbrick/0003.JPG deleted file mode 100644 index e1b6586..0000000 --- a/docs/howtos/x60t_unbrick/0003.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0004.JPG b/docs/howtos/x60t_unbrick/0004.JPG deleted file mode 100644 index b4ae18d..0000000 --- a/docs/howtos/x60t_unbrick/0004.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0005.JPG b/docs/howtos/x60t_unbrick/0005.JPG deleted file mode 100644 index b7b324b..0000000 --- a/docs/howtos/x60t_unbrick/0005.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0006.JPG b/docs/howtos/x60t_unbrick/0006.JPG deleted file mode 100644 index 795d02a..0000000 --- a/docs/howtos/x60t_unbrick/0006.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0007.JPG b/docs/howtos/x60t_unbrick/0007.JPG deleted file mode 100644 index 0ccdbad..0000000 --- a/docs/howtos/x60t_unbrick/0007.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0008.JPG b/docs/howtos/x60t_unbrick/0008.JPG deleted file mode 100644 index 5312934..0000000 --- a/docs/howtos/x60t_unbrick/0008.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0009.JPG b/docs/howtos/x60t_unbrick/0009.JPG deleted file mode 100644 index 9d8e7fa..0000000 --- a/docs/howtos/x60t_unbrick/0009.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0010.JPG b/docs/howtos/x60t_unbrick/0010.JPG deleted file mode 100644 index ea37b18..0000000 --- a/docs/howtos/x60t_unbrick/0010.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0011.JPG b/docs/howtos/x60t_unbrick/0011.JPG deleted file mode 100644 index ebbaa74..0000000 --- a/docs/howtos/x60t_unbrick/0011.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60tablet_unbrick.html b/docs/howtos/x60tablet_unbrick.html deleted file mode 100644 index da60227..0000000 --- a/docs/howtos/x60tablet_unbrick.html +++ /dev/null @@ -1,219 +0,0 @@ - - - - - - - - - Libreboot documentation: Unbricking the ThinkPad X60 Tablet - - - - -
-

Unbricking the ThinkPad X60

- -
- -

Or go back to main index

- -

Table of Contents

- - -

Hardware requirements

- - -

Software requirements

- - -

Brick type 1: bucts not reset.

-

- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.

- - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-

- - *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation. -

- -

bad rom (or user error), machine won't boot

-

- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. -

-

- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). -

- -

- -

- -

- Remove those screws:
- -

- -

- Remove the HDD:
- -

- -

- Push keyboard forward to loosen it:
- -

- -

- Lift:
- -

- -

- Remove those:
- -

- -

- - -

- -

- Also remove that (marked) and unroute the antenna cables:
- -

- -

- Some X60T's you have to unroute those too:
- -

- -

- Remove the LCD extend board screws. Also remove those screws (see blue marks) and remove/unroute the cables and remove the metal plate:
- -

- -

- Remove that screw and then remove the board:
- -

- -

- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
- - Here is the pinout (correlate it with your programmer's documentation):
-
- (SPI chip here is on the bottom of the board) -

- -

- Bus pirate:
- -

- -

- Pomona 5250:
- -

- -

- Connect pomona:
- -

- -

- Connect pirate to USB on 2nd computer:
- -

- -

- Pirate is active:
- -

- -

- -

- -

- On the 2nd machine, I did: flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60t/libreboot_ukqwerty.rom -

- -
-			flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian
-			flashrom is free software, get the source code at http://www.flashrom.org
-
-			Calibrating delay loop... delay loop is unreliable, trying to continue OK.
-			Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
-			Reading old flash chip contents... done.
-			Erasing and writing flash chip... Erase/write done.
-			Verifying flash... VERIFIED. 
-		
- -

- At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means that you can put your X60T back together. So let's do that now. -

- -

- Reverse the steps to re-assemble your machine. -

- -
- -

- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -

- - - -- cgit v0.9.1