In case of doing the internal flashing method, do you guys apply the commands on the guide above in dom0?
I just use the internal programmer, you don’t need to use an external programmer to update, once you have coreboot installed.
If the update fails or there is something wrong with your build, you are going to need the external programmer to recover.
So you do the flashrom command:
$ flashrom -p internal --layout x230-layout.txt --image bios --write build/coreboot.rom
I just use a Linux livecd, but it probably also works from dom0
flashrom -p internal -w firmware.rom --ifd -i bios
That is how I only write the bios section
So um, would you describe the internal flashing process as useful/easy? It seems like I would need to unlock the IFD during my FIRST flashing of coreboot.
The process is the same, but you don’t need to take the computer apart and interface with the chip.
I think I depend a lot on the model you have, how useful it is. On the X220 or X230 you just need to open the back side to get to the chip, but the T models you need to take completely apart.
Yeah, with X230/220 getting access to the BIOS chips are quite easy.
Wouldn’t you say that enabling internal flashing poses some security threat? Some dude can flash your BIOS chips using a liveCD on the USB port?
I’m personally not overly worried about it, my threat model mainly focuses on what someone can do over the internet. I think it’s very unlikely someone is going to break into my house just to flash the firmware in my desktop PC.
Coreboot supports vboot where you can sign the firmware, then you get a warning if the firmware loaded doesn’t match the signing key.
I’m using Dasharo and I believe it has vboot enabled.