coreboot on the Vault Pro
The Vault Pro series is characterized by newer CPUs, DDR4 memory in all models, Intel I210/211 Ethernet NICs, M.2 SATA/NVMe storage, Display Port, USB C with Display Port, a Micro USB console port, support for M.2 PCIe WiFi modules and discrete Trusted Platform Modules (dTPM).
coreboot for the Vault Pro has been implemented via UEFI rather than the legacy BIOS method. The original coreboot menu only allowed selecting the Boot Device/Method or, in some cases, running a MemTest. The coreboot UEFI BIOS menu is more extensive and behaves differently than coreboot on other Protectli Vaults. The purpose of this article is to document the coreboot UEFI menu and describe the expected behavior.
There are currently a VP2400 4 port series and a VP4600 6 port series. The screenshots in this document are from the VP2410. More information regarding the specific platforms can be found at:
VP2400 Series Hardware Overview
VP4600 Series Hardware Overview
Information for the coreboot security features can be found at:
Boot Order and Options
- The current implementation of coreboot UEFI for the Vault Pro behaves differently than previous Vaults.
- A predefined boot order of possible devices is not supported in Vault Pro coreboot.
- coreboot will only list the bootable devices found at boot.
- A bootable drive, such as a new M.2 SATA or NVMe, is not listed in the boot list until there is a bootable partition on the drive.
- There is eMMC storage on the Vault Pro, but unless there is a bootable partition, it will not be displayed on the list.
- When an Operating System is installed with an EFI drive, the BIOS creates a “label” to point to the boot file system. It boots from “filename.efi” where “filename” is typically “shim” or “grub”.
- If an Operating System is pre-installed with an EFI drive, but a label has not been created, one must boot from the drive; the BIOS then creates a “label” to point to the boot file system.
- If there is a bootable USB drive inserted at the time of boot, it would also be displayed in the boot list.
- If a USB is removed it will be removed from the list.
- If the USB is reinserted on a subsequent boot, it will be added to the end of the list.
- The boot order of the discovered bootable devices can be manually set by the user. It will not change unless the bootable devices change.
- Other options are iPXE Network Boot and UEFI Shell. These are options built into the coreboot BIOS and not dependent on a physical storage device.
Network Boot and Utilities
Beginning with release v1.0.15 of coreboot for the VP2410, a Netbooting feature has been added to the BIOS. This feature allows the user to iPXE boot the Vault over the network to a default Protectli site, or to specify a site. For example, one could boot to the netboot.xyz server, which hosts multiple Operating Systems (OS), at https://boot.netboot.xyz. See the example below. Note that using a specific site to boot an OS is supported by Protectli, but the actual OS that is loaded is not supported by Protectli, as is the case with all OS.
In order to use the Network Boot feature:
- Verify the Vault is connected to the Internet via Ethernet port 1
- When the splash screen is displayed, press the F11 key
- Verify the Boot Menu is displayed
- Select “Network Boot and Utilities”
- Verify the “Network Boot and Utilities” page is displayed
If nothing is selected, the system will count down a few seconds and automatically netboot to the default Protectli Network Boot and Utilities page at: https://netboot.protectli.com/menu.ipxe
In order to specify a site:
- Select “Advanced”
- Verify the “Change Netboot Payload” page is displayed
- Enter the desired URL (Example: https://boot.netboot.xyz)
- Hit “Enter”
- Verify the Vault returns to the “Network Boot and Utilities” page
- Select “Apply and Exit”
- Verify the Vault begins the iPXE boot process
- Verify the Vault boots to the netboot.xyz Main Menu
- For this example, select “Linux Network Installs (64-bit)”
- Verify the “Linux Installers” page is displayed
- Select the desired OS (In this example we use Ubuntu)
- Verify Netbooting starts
- Follow the OS instructions to install and configure the Vault as desired
Note that if a specified URL such as https://boot.netboot.xyz is selected, it will not be saved across reboots. It will need to be manually entered if the Vault is rebooted.
coreboot BIOS Menu
In order to “get into” the BIOS, boot the system:
- When the splash screen is displayed, press the DEL key
- Verify the Main Menu is displayed
Note: “0 MB RAM” is only a visual bug. The operating system will see the RAM actually installed in the system.
- Select “One Time Boot”
- Verify the “One Time Boot” menu is displayed
In this example, there are several boot options. The options that are displayed demonstrate how the BIOS handles different boot options. The “CentOS Linux” and “ubuntu” options are shown because previously, CentOS Linux was installed on the internal M.2 SATA drive and Ubuntu was installed on a 2.5” SATA drive that was connected to the internal connectors. These are the labels mentioned above that were automatically created during installation. The 2.5” SATA drive was removed before booting, so the “ubuntu” label remains, but there is no entry for the physical drive. The “Protectli 480GB M.2” entry is for the physical drive that has CentOS Linux installed on it. Similarly, the USB drive that was used to install Ubuntu and CentOS Linux was removed, so it is not displayed in the list. There is eMMC on the unit, but since there is no OS installed with a bootable partition, it is not displayed in the list. In order to boot from this menu, just select the desired option and hit ENTER.
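The leftover “ubuntu” label described above can also be found from an installed Linux system by comparing the firmware's boot entries with the partitions that are actually attached. This is an added example, not Protectli code: it assumes `efibootmgr -v` output and a list of partition GUIDs (for instance from `lsblk -no PARTUUID`) saved to files, and the function names and all GUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Protectli code). All GUIDs below are constructed.

# Constructed sample of `efibootmgr -v` output matching the article's scenario:
# two OS labels plus a firmware-internal entry.
sample_efibootmgr() {
    printf 'BootCurrent: 0001\nBootOrder: 0001,0000,0002\n'
    printf 'Boot0000* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)\n'
    printf 'Boot0001* CentOS Linux\tHD(1,GPT,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,0x800,0x12c000)/File(\\EFI\\centos\\shimx64.efi)\n'
    printf 'Boot0002* UEFI Shell\tFvVol(00000000-0000-0000-0000-000000000001)/FvFile(00000000-0000-0000-0000-000000000002)\n'
}

# stale_boot_labels ENTRIES PARTUUIDS
#   ENTRIES:   file with `efibootmgr -v` output
#   PARTUUIDS: file with one attached partition GUID per line
# Prints each label whose GPT partition is not currently attached.
stale_boot_labels() {
    entries=$1 present=$2
    grep -E '^Boot[0-9A-Fa-f]{4}[* ]' "$entries" | while IFS= read -r line; do
        # Pull the partition GUID out of the HD(n,GPT,<guid>,...) device-path node.
        guid=$(printf '%s\n' "$line" |
               sed -n 's/.*HD([0-9]*,GPT,\([0-9A-Fa-f-]*\),.*/\1/p')
        # Entries without an HD() node live in the firmware image, not on a disk.
        [ -n "$guid" ] || continue
        # The label is everything between "BootXXXX* " and the first tab.
        label=$(printf '%s\n' "$line" | cut -f1 | sed 's/^Boot[0-9A-Fa-f]*[* ] *//')
        grep -qixF -- "$guid" "$present" || printf '%s\n' "$label"
    done
}

# Demo: only the CentOS partition is attached, as in the article.
demo=$(mktemp -d)
sample_efibootmgr > "$demo/efi.txt"
echo 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' > "$demo/parts.txt"
stale_boot_labels "$demo/efi.txt" "$demo/parts.txt"   # prints: ubuntu
rm -rf "$demo"
```

A label reported here is a candidate for the “Delete Boot Option” page; an entry that points at a drive which is only temporarily disconnected will be reported as well.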
Boot Maintenance Manager
Another option to select from the Main Menu is the “Boot Maintenance Manager”.
- Select “Boot Maintenance Manager”
- Verify the “Boot Maintenance Manager” menu is displayed
Note that the “Boot Maintenance Manager” and all the subsequent pages have keystroke instructions at the bottom of the page. Follow the on screen instructions to select the desired configuration.
- The “Driver and Console Options” are typically not used.
- The “Auto Boot Timeout” sets the amount of time that the splash screen is displayed during the boot process.
- The “Boot From File” option allows booting directly from a file. These files are the source files for the labels mentioned above.
- Select the “Boot From File” option
- Verify the “Boot From File” menu is displayed
This allows one to select a file and then navigate through the filesystem to find the bootable file. This typically requires knowledge of the OS filesystem to identify the correct file.
The “Boot Next Value” sets the boot source for the next time the system boots, one time only, and overrides the default setting.
- Select “Boot Next Value”
- Verify the “Boot Next Value” menu is displayed
- Set “Boot Next Value” as desired
The “Boot Options” menu allows the user to Add, Delete, and Change Boot Options.
- Select “Boot Options”
- Verify the “Boot Options” menu is displayed
The “Add Boot Option” can add a boot option to the list. The “Delete Boot Option” allows the user to manually remove boot options from the list.
- Select “Delete Boot Option”
- Verify the “Delete Boot Option” menu is displayed
Follow the on screen instructions to Delete a Boot Option.
The “Change Boot Order” page allows the user to edit the boot order.
- Select “Change Boot Option”
- Verify the “Change Boot Option” menu is displayed
- Verify the sub menu is displayed and one of the options is highlighted
- Follow the on screen instructions to Change the Boot Order
- Verify different options can be moved up and down the list with the “+” and “-” keys
Flashing coreboot on the Vault Pro
Note: coreboot can be flashed onto the Vault Pro at the time of order, or it can be flashed in the field. Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Protectli strongly recommends selecting coreboot at the time of order. However, if coreboot is flashed in the field, proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding. Protectli cannot be held responsible for devices that are rendered unusable as a result of flashing the BIOS. If your device becomes unusable as a result of a BIOS flashing operation, we will help recover the device, but the customer will be responsible for all shipping costs.
Flashing coreboot with “Flashli”
The recommended procedure to flash coreboot to the Vault Pro, or any of the Vaults, is to use the “Flashli” tool from Protectli found at: https://protectli.com/kb/how-to-use-flashli/
Follow the instructions in the Knowledge Base article above to flash coreboot on the Vault Pro. Flashli can also be used to flash the Vault Pro back to AMI BIOS.
Manually flash coreboot
In addition to the Flashli tool, for those who prefer a more hands-on approach, coreboot can be manually flashed on the Vault Pro with Ubuntu and the “flashrom” utility. In order to use the correct version of flashrom that supports the specific Vault Pro, follow the instructions in the coreboot Build Guide for the target platform.
There is a minor hardware change to the power circuitry of the VP2410 from the original lot such that it requires a new version of coreboot and flashing the new version to the original lot “bricks” the unit. The original lot can be identified by a S/N or MAC address of the first Ethernet port with the last 4 digits 0400 or less. Therefore we have not posted the newer version of coreboot for manual flashing due to this issue. However, you can use the “Flashli” tool as noted in the article above to flash coreboot to the VP2410. The Flashli tool will correctly identify the version of hardware and flash the correct version of coreboot. If you insist on manually flashing coreboot, please contact email@example.com for the correct coreboot file.
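For a manual flash, the downloaded .rom file should be checked against the SHA256 file published with it before it is passed to any flashing tool. The following is an added example, not Protectli code: `verify_rom` is a hypothetical helper name, and it assumes the .sha256 file holds either a `sha256sum`-style line (digest followed by file name) or the bare digest.

```shell
#!/bin/sh
# Added example (not Protectli code): verify a coreboot image against its
# .sha256 file. Assumed checksum file format: "<64 hex digits>  <file name>"
# or the bare digest on the first line.
# Return codes: 0 match, 1 digest mismatch, 2 unusable input, 3 wrong file name.
verify_rom() {
    rom=$1 sumfile=$2
    [ -r "$rom" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }
    # First line only, split into the digest and the optional recorded name.
    read -r want name < "$sumfile" || [ -n "$want" ] ||
        { echo "empty checksum file" >&2; return 2; }
    want=$(printf '%s' "$want" | tr -d '\r' | tr 'A-F' 'a-f')
    name=$(printf '%s' "$name" | tr -d '\r')
    # Reject anything that is not exactly 64 hex digits, such as an HTML error
    # page that was saved under the .sha256 name.
    case $want in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ ${#want} -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    # A recorded file name must match the image being checked, so a checksum
    # for one model or hardware revision cannot vouch for a different image.
    name=${name#\*}    # sha256sum prefixes the name with '*' in binary mode
    if [ -n "$name" ] && [ "$(basename "$name")" != "$(basename "$rom")" ]; then
        echo "checksum is for '$name', not '$rom'" >&2
        return 3
    fi
    have=$(sha256sum "$rom" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "SHA256 mismatch for $rom" >&2; return 1; }
    echo "OK $rom"
}

# Usage: sh verify_rom.sh <image.rom> <image.rom.sha256>
if [ $# -eq 2 ]; then
    verify_rom "$1" "$2"
fi
```

A match only shows that the file is the one the checksum was published for; it does not show that the image suits the hardware revision of the unit being flashed.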
Vault Pro coreboot Files
|Vault||coreboot .rom file||SHA256 file||Notes||Release Date|
|VP2410||vp2410_DF_1.0.15.rom||vp2410_DF_1.0.15.rom.sha256||Added: Network boot. Fixed: BIOS displays correct RAM size. Serial #'s 64-62-66-21-03-15 and above|| |
|VP2410||vp2410_v1.0.9.rom||vp2410_v1.0.9.rom.sha256||Initial Release, Initial HW Revision, Serial #'s 64-62-66-21-03-14 and below||8/17/2021|
|VP2420||vp2420_v1.0.1.rom||vp2420_v1.0.1.rom.sha256||Initial Release of VP2420||2/7/23|
|VP4630||protectli_vp4630_v1.0.13.rom||protectli_vp4630_v1.0.13.rom.sha256||Initial Release of VP4630||8/29/2022|
|VP4650||protectli_vp4630_vp4650_v1.0.19.rom||protectli_vp4630_vp4650_v1.0.19.rom.sha256||Initial Release of VP4650||12/22/22|
|VP4670||protectli_vp4670_v1.0.19.rom||protectli_vp4670_v1.0.19.rom.sha||Initial Release of VP4670||1/4/23|
Previous Vault Pro coreboot Files
|Vault||coreboot .rom file||SHA256 file||Notes||Release Date|
|VP2410||vp2410_v1.0.10.rom||vp2410_v1.0.10.rom.sha256||Initial Release, Revised HW Version, Serial #'s 64-62-66-21-03-15 and above||10/15/2021|
In this Knowledge Base article, we have given an introduction to the coreboot Vault Pro UEFI BIOS menu. As always, if you experience any issues, feel free to contact Protectli support at: firstname.lastname@example.org