coreboot on the Vault

coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.

coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:

  • Fast Boot – Minimal image, removes legacy bloat
  • Open Source – The source code is available and can be built without any cost or license
  • Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
  • Support for modern HW and Intel CPUs

The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.

coreboot is available on the FW2B, FW4B and FW6 series Protectli platforms as an alternative to traditional BIOS.

Please see the compatibility table below for software which has been tested with coreboot for full functionality.

coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for field installation.

Boot Menu

When coreboot is installed and the system boots, it will first attempt to boot from the internal mSATA. If there is no bootable OS on the mSATA, it will then attempt to boot from any USB that it discovers. If it is desired to boot from a USB rather than mSATA, the boot menu can be accessed by pressing the “F11” key when the splash screen is displayed then selecting the desired boot device. Note that with coreboot, there is no way to “get into” the BIOS to set individual parameters as there is with traditional BIOS.

Installation Instructions

Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.

Note: coreboot utilizes Legacy BIOS. If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive.

coreboot is installed using a program called ‘flashrom’ which is available for many Linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 19.10 (see this link for guidance on installing Ubuntu on the Vault). It is important to use Ubuntu 19.10 because previous versions of Ubuntu shipped an older version of flashrom that did not support the FW6. While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu 19.10 to upgrade your Vault to coreboot.

In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.

  • If not using Ubuntu on the Vault, remove the existing mSATA and replace it with the dedicated mSATA for the coreboot installation process
  • Install Ubuntu desktop version on the Vault to the dedicated mSATA per the link above (we recommend the “Minimal” version for this task)
  • Verify that Ubuntu desktop version is installed and reboot the system
  • Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
  • Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
  • Open a terminal window in Ubuntu. (Applications->Terminal)
  • Verify the terminal opens and change directory to “Downloads” using the following command:
#cd Downloads

  • Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:
#ls -la

  • Download the appropriate SHA256 checksum file per the table below
  • Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:
#ls -la

  • If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:
#unzip filename.rom.zip
#unzip filename.rom.sha256.zip

  • Run the SHA256 program on the filename.rom file using the following command:
#sha256sum filename.rom

  • Verify the SHA256 output is the same as the contents of the filename.rom.sha file using the following command:
#cat filename.rom.sha

  • Verify the “flashrom” program is present in Ubuntu using the following command:
#which flashrom

  • If flashrom is not present, get it from the network and install it in Ubuntu using the following command:
#sudo apt install flashrom

  • Verify flashrom is installed on the system
  • Flash the coreboot image to the system.

Note: The flashrom command arguments are different for the FW6 series than the FW2B and FW4B series. You must use the correct command for the specific unit. Using the incorrect command could render the unit useless and unable to boot.

flashrom command for FW2B, FW4B:

 #sudo flashrom -p internal -w filename.rom -V -o output-file 
  • where -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

flashrom command for FW6:

 #sudo flashrom -p internal -w filename.rom --ifd -i bios -V -o output-file 
  • where “--ifd -i bios” is required for the FW6, -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output

  • Reboot the system
  • Verify the system boots and displays the coreboot version string on the screen, then the splash screen
  • Verify the system boots up to Ubuntu desktop
  • If not using Ubuntu as the OS, power off the system and replace the dedicated Ubuntu mSATA with the mSATA for the desired OS
  • Reboot the system and verify that it boots to the desired OS

At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.
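
The checksum and flash steps above, combined into one guarded script as an added example (not Protectli's own tooling): it runs flashrom only when the ROM's SHA256 matches the downloaded checksum file and the model maps to one of the two commands shown. The script name, the log file name and the layout of the .sha file (digest as the first field) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Protectli's own script.

# Return 0 only if the ROM's SHA256 equals the digest in the checksum file.
# Assumption: the digest is the first whitespace-separated field of the
# file's first line (the layout sha256sum itself prints).
verify_rom() {
    local rom="$1" sha_file="$2" expected actual
    [ -r "$rom" ] && [ -r "$sha_file" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sha_file")
    # A SHA256 digest is exactly 64 hex characters; reject anything else.
    case "$expected" in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$rom" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Print the extra flashrom arguments a model needs. Unknown models are an
# error, so a typo can never fall through to the wrong command.
layout_args() {
    case "$1" in
        FW2B|FW4B)          echo "" ;;
        FW6|FW6A|FW6B|FW6C) echo "--ifd -i bios" ;;
        *)                  return 1 ;;
    esac
}

flash_vault() {
    local model="$1" rom="$2" sha_file="$3" extra
    extra=$(layout_args "$model") || { echo "unknown model: $model" >&2; return 1; }
    verify_rom "$rom" "$sha_file" || { echo "checksum check failed, not flashing" >&2; return 1; }
    # $extra is left unquoted on purpose so it splits into separate arguments.
    # shellcheck disable=SC2086
    sudo flashrom -p internal -w "$rom" $extra -V -o "flashrom-$model.log"
}

# Flash only when called as: ./flash_vault.sh MODEL filename.rom filename.rom.sha
if [ "$#" -eq 3 ]; then
    flash_vault "$@"
fi
```

A return code of 1 from verify_rom means the digests differ; 2 means a file was unreadable or the checksum file did not contain a well-formed SHA256 digest.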

Flash from coreboot to Original (AMI) BIOS

If you would like to go back to the OEM BIOS, the steps are relatively straightforward: follow the same procedure as flashing coreboot. Be sure to use the correct BIOS for your Vault.

Using the same Ubuntu install as in the instructions above:

  • Verify the correct BIOS is downloaded from here
  • Unzip the BIOS in the Downloads folder
  • Open Terminal and change directory to BIOS folder. Examples below.

For the FW4B

#cd Downloads/4B180727

For the FW2B

#cd Downloads/2B180727

For the FW6

#cd Downloads/6-190708

  • Run the flashrom command, using ‘filename.bin’ for legacy BIOS, instead of ‘filename.rom’ for coreboot

FW4B BIOS file example:

 #sudo flashrom -p internal -w YLBWL412.bin -V -o output-file

FW2B BIOS file example:

 #sudo flashrom -p internal -w YLBWL212.bin -V -o output-file

FW6 BIOS file example: (Note additional command line arguments)

 #sudo flashrom -p internal -w KBU6LA09.bin --ifd -i bios -V -o output-file

  • After the flash is complete the terminal should output a “VERIFIED” message.
  • Reboot and verify the legacy BIOS is loaded

coreboot File Table

Vault | coreboot .rom file | SHA256 file
FW2B | fw2b_v4.9.0.1.rom | fw2b_v4.9.0.1.rom.sha
FW4B | fw4b_v4.9.0.1.rom | fw4b_v4.9.0.1.rom.sha
FW6 | fw6_v4.9.0.1.rom | fw6_v4.9.0.1.rom.sha

coreboot Compatibility

Vault | pfSense 2.4.5 | FreeBSD 11.2 | OPNsense 19.7 | Untangle 14.2.2 | Ubuntu 18.04.3 | Ubuntu 19.10 | ESXi 6.7 | Windows 10
FW2B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme
FW4B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme
FW6A | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme
FW6B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme
FW6C | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme

If you need additional assistance, please feel free to reach out at support@protectli.com. You can find more information about coreboot on the Vault in our Knowledge Base as well.