coreboot 4.17 released

The release of coreboot 4.17 has been published. The project develops a free alternative to proprietary firmware and BIOS. The project code is distributed under the GPLv2 license. 150 developers took part in creating the new version, preparing more than 1300 changes.

The main changes:

  • A vulnerability (CVE-2022-29264) has been fixed. It affected coreboot releases 4.13 through 4.16 and allowed code to be executed at the SMM (System Management Mode) level on systems with an AP (Application Processor). SMM has higher priority (Ring -2) than hypervisor mode and protection ring 0, and has unrestricted access to all memory. The problem is caused by an incorrect call to the SMI handler in the smm_module_loader module.

  • Added support for 12 motherboards, 5 of which are used in Chrome OS devices or on Google servers. Boards not related to Google include:
    • Clevo L140MU / L141MU / L142MU
    • Dell Precision T1650
    • HP Z220 CMT Workstation
    • Star Labs LabTop Mk III (i7-8550U), LabTop Mk IV (i3-10110U, i7-10710U), Lite Mk III (N5000) and Lite Mk IV (N5030).
  • Continuing support for the motherboards of Google Deltan and Deltaur.
  • Added a new payload, coreDOOM, which allows the DOOM game to be launched from coreboot. The project uses doomgeneric code ported to libpayload. The coreboot linear framebuffer is used for output, and WAD files with game resources are loaded from CBFS.
  • Updated the payload components SeaBIOS 1.16.0 and iPXE 2022.1.
  • Added SeaGRUB mode (GRUB2 on top of SeaBIOS), which allows the callbacks provided by SeaBIOS to be used in GRUB2, for example to access hardware that the GRUB2 payload cannot reach.
  • Added protection against the SinkHole attack, which allows code to be executed at the SMM (System Management Mode) level.

  • Added a built-in ability to generate static memory page tables from assembly files, without the need to call third-party utilities.
  • Writing information to the CBMEMC console from SMI handlers is allowed when DEBUG_SMI is used.
  • The system of CBMEM initialization handlers has been changed: instead of the stage-specific *_CBMEM_INIT_HOOK handlers, there are two handlers, CBMEM_CREATION_HOOK (used at the initial stage that creates CBMEM) and CBMEM_READY_HOOK (used at any stage at which CBMEM has already been created).
  • Added support for PSB (Platform Secure Boot), activated by the PSP (Platform Security Processor) to verify the integrity of the BIOS by digital signature.