Install Coreboot on Lenovo Thinkpad x230 - Some questions

Hello, I have recently got a Thinkpad x230 16Gb RAM
My goal is to mod it to become like a NitroPad x230, which is officially supported by Qubes.
[The NitroPad project is great, but I have time to invest on this, and I want to learn this stuff.]

This means (at least):

1. install the opensource BIOS Coreboot/Heads.
2. install Qubes.

For the moment I want to focus on task (1), as installing Qubes should not be too difficult (I have already installed it several times on other machines).

Researching a bit, i have found the Coreboot/Skulls project (LINK ) which is supposed to be a distro of Coreboot with simplified installation for x230 machines. It is also very convenient that from Skulls it is possible to install Heads by software, without the need of re-flashing the BIOS chips.

So my task now is to install Skulls.

The instructions for writing the new code to the 2 BIOS chips inside the x230 is here . I have ordered a cheap CH341A programmer from Amazon.

But before proceeding, there is something I’d like to ask, because I don’t understand it well.
Specifically, in the instructions (preliminaries, before writing the chips) they say:

original BIOS update / EC firmware (optional)
If the script, sudo ./skulls.sh -b x230 says "The installed original BIOS is very old.", it means that you have a BIOS version that may include an EC version older than 1.14.

If that's the case, consider doing one original Lenovo upgrade process. This is not supported anymore, once you're running coreboot (You'd have to manually flash back your backup images first, see later chapters).

This updates the BIOS and Embedded Controller (EC) firmware. The EC is not updated anymore, when running coreboot. Since official BIOS release 2.77 and its EC version 1.15 Lenovo includes a digital signature check, which prevents further firmware patching.

You have 2 options:

use the latest original CD and burn it, or
use the same, only with a patched EC firmware that allows using any aftermarket-battery: (this is only possible up to EC Firmware 1.14) By default, only original Lenovo batteries are allowed. Thanks to this project we can use Lenovo's bootable upgrade image, change it and create a bootable USB image (even with EC updates that allows one to use 3rd party aftermarket batteries). For this, follow instructions at github.com/hamishcoleman/thinkpad-ec.

From what I have read around, the EC contains some blobs of closed source code that controls a few low level things around, such as the keyboard, battery authenticity checks, etc.

Question 1: why does Skulls recommend to upgrade the EC using the “official” Lenovo process? Is this to include some bugfixes that Lenovo might have pushed? It is a bit confusing because it clearly says that with recent BIOS releases there is a signature check preventing further patching: so why would I want to install this newer release?

Question 2: do I understand correctly that Skulls/Coreboot will not (or even cannot) edit the EC firmware?

Question 3: coreboot is opensource but the original EC is not. Has somebody tried to reverse eng. the code running in the EC? Isn’t it a concern for security oriented users?

More generally, Any info regarding this EC is much appreciated. Or any info about hardening the security of the x270.

At some point I am sure I want to install a new (cheap) battery, so I need to get rid of any authenticity checks. Maybe I will also change the keyboard to a x220 keyboard, and I have read that editing modifying the EC code is necessary also in this case.

Thanks a lot!

References I have read, beside posts in this forum:

https://famicoman.com/2020/07/30/corebooting-the-thinkpad-x230-with-skulls/

Tagging @Plexus as they have installed Coreboot on many x230.

If you want to install Qubes, first test it with a qubes installation usb stick. I guess your CPU might be too old to run modern qubes 4.3.0. But you can be lucy. So test this first with the bios you find on your X230 before wasting time. Having a ivy bridge cpu you should be happy to run qubes, but test the installation of qubes before playing around with a flashtool and your BIOS. Older Intel CPUs than ivy bridge are not supported anymore to my knowledge.

Hi @luja , thank you for your answer.

I have managed to flash the bios and install HEADS and Qubes on my x230. This way, it is equivalent to the NitroPad x230. Indeed Qubes OS reports that my system is officially supported.

Regarding speed: I find the system (I have 16 Gb or ram) usable and definitely works well enough for average tasks. For example I can watch youtube videos without problems while having several other VMs running.

This said, I am not sure I would pay ~700 usd for an official NitroPad x230. Probably better to buy a more modern laptop officially supported by Qubes.

Please write a small manual on the install and upload a bios image of your machine to archive.org so others can just use a flash rom writer to install heads.

Would be interesting to use heads on dell pecision cad laptops like M6800 or M4800 which also have ivy bridge intel CPUs. I guess HEADS is specific for lenovo stinkpad fans

I don’t think I will do that, because the existing manuals are excellent and I would not be able to add much. In particular:

1. I suggest the official HEADS instructions (specific for the x230)
   Lenovo X230 Maximized | Heads - Wiki
2. and the very detailed Youtube video: https://www.youtube.com/watch?v=Av1Em0eVU-g , which executes the instructions from Heads.

The total cost of the operation is about ~12usd in hardware (the cheap programmer from amazon) and about 20/30minutes of time.

It requires no soldering or “advanced” skills. Everybody can - carefully and after reading the guides - do that.

that was supposed to be a PM