coreboot on the Vault
We recommend purchasing DRAM from Protectli at the time of purchase (or DRAM from our Hardware Compatibility list) so we can ensure that the memory works with the coreboot build.
TL;DR: If you would like to flash your BIOS to coreboot, we highly recommend using our script Flashli to do so. This drastically lowers the chances of accidentally bricking your Protectli Vault. Please find more information on Flashli at this link.
coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.
coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:
- Fast Boot – Minimal image, removes legacy bloat
- Open Source – The source code is available and can be built without any cost or license
- Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
- Support for modern HW and Intel CPUs
The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.
coreboot is available on the FW2B, FW4B, FW6A/Br2/D/E series, as well as the Vault Pro VP2410, VP2420, VP4630, VP4650 and VP4670 as an alternative to traditional BIOS.
coreboot is based on legacy BIOS. Please see the compatibility table below for software that has been tested with coreboot for full functionality.
coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for field installation.
Attention: If you wish to use coreboot, we highly recommend choosing coreboot at the time of purchase and allowing Protectli to flash and validate successful installation. Flashing the BIOS is potentially problematic, as if anything goes wrong the entire unit needs to be sent to Protectli in order to be recovered. Flashing is done at your own risk. While we provide instructions on how to do so, if you choose to flash your Vault and it does not flash properly, then recovery by Protectli is not covered under Protectli’s new product warranty. It is important to note that even if you follow all the steps properly, there is still a chance that the flash does not work and the unit will need to be recovered by Protectli.
Protectli is committed to continuing the development of coreboot on each of our compatible platforms. While coreboot images for the Vault may not be available with every minor coreboot project update, we will work diligently to ensure Vault coreboot updates are available to address any serious vulnerabilities. We will also work to contribute our coreboot updates back into the project master. Protectli contributions can be found at this link for version 4.9.0.1. Version 4.12.0.3 is now released and source code contributions will be available once they are approved by the coreboot community. Version 4.12.0.3 includes security enhancements for Intel Spectre-Meltdown vulnerabilities and has a built in MemTest that can be run from the boot menu.
coreboot source code repositories are available for inspection for the following Vaults: FW2B/FW4B (link) and FW6A/B/C (link). This source code does not include pre-compiled components for specific hardware, referred to as “blobs”.
It takes a very long time to propagate coreboot “upstream” for approval by the coreboot approvers and publish the source code, so we are investigating alternate methods of providing source code to the community. We plan to provide a GitHub repository for Protectli Vaults along with build instructions. Please have patience during this process as there are legal issues regarding some of the pre-compiled components for specific hardware, referred to as “blobs”. We need to make sure we follow the proper legal path before release.
coreboot BIOS Settings and Boot Selection
coreboot for the Vault FW series is “Legacy” BIOS. The implementation of Legacy BIOS is such that when coreboot is installed on the Vault, there is no way to “get into” the BIOS as there is with traditional BIOS. The only option available at boot time is to select the boot device from the Boot Selection Menu. When coreboot is installed on the Vault, the Vault will first attempt to boot from the internal mSATA.
If there is no bootable Operating System (OS) on the mSATA, it will then attempt to boot from any USB or drive that it discovers. If it is desired to boot from a drive other than mSATA, the boot menu can be accessed by pressing the “F11” key when the splash screen is displayed, then selecting the desired boot device.
The exception to this is the FW4C with coreboot.
The FW4C uses the UEFI BIOS. For instructions to access the UEFI BIOS, see the Knowledge Base article for coreboot on the Vault Pro at:
https://protectli.com/kb/coreboot-on-the-vault-pro/
Although the FW4C uses UEFI BIOS, it does not have the security features of the Vault Pro series.
Note: coreboot utilizes Legacy BIOS for the FW series with the exception of the FW4C.
If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive / OS as bootable. The same is applicable if an OS was installed with Legacy BIOS, but the BIOS only supports or is configured for UEFI.
coreboot Hardware Compatibility
RAM
There are some coreboot hardware compatibility issues with specific DRAM vendors and/or specific manufacturing lots.
While Crucial and Kingston modules are recommended, recently we have heard reports of batches that are not compatible. v4.12.0.5 for the FW4B has significantly improved compatibility. We currently recommend selecting DRAM at the time of purchase or directly through our store to ensure compatibility.
For the FW2B we recommend Crucial SO-DIMM modules or Samsung RAM modules which were included with pre-configured units.
FW6A/B/C platforms work fine with a majority of RAM SODIMMs. We have seen some compatibility issues with Samsung, PNY and Corsair brand modules.
USB Drive
We have seen some mixed results with USB 2.0 drives and coreboot flashed devices. Please consider using a USB 3.0 drive for best compatibility.
Monitor
We have seen incompatibility with 1440p monitors on coreboot flashed FW2B and FW4B. The FW6A/B/C/D is fully compatible.
Keyboard
In some rare occurrences, customers have reported incompatibility with certain high end keyboards when attempting to access the boot menu. If you are unable to access the boot menu, please try another keyboard or use the COM port (link to our COM port article).
Installation Instructions
Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.
Protectli cannot be held responsible for devices that are rendered unusable as a result of flashing the BIOS. If your device becomes unusable as a result of a BIOS flashing operation, we will help recover the device, but the customer will be responsible for all shipping costs.
Flashing coreboot with “Flashli”
The recommended procedure to flash coreboot to any of the Vaults is to use the “Flashli” tool from Protectli found at:
https://protectli.com/kb/how-to-use-flashli/
Follow the instructions in the Knowledge Base article above to flash coreboot. Flashli can also be used to flash the Vault back to AMI BIOS as well.
Manually flash coreboot
Below are the manual instructions for flashing coreboot.
coreboot is installed using a program called ‘flashrom’ which is available for many Linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 20.04 (see this link for guidance on installing Ubuntu on the Vault). It is important to use Ubuntu 20.04 or newer because previous versions of Ubuntu used an older version of flashrom that did not support the FW6A/B/C. While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu 20.04 or newer to upgrade your Vault to coreboot.
We have noticed possible odd behavior with coreboot flashes done in a UEFI environment. Verify the following steps are done with a legacy install of Ubuntu. To guarantee a legacy install of Ubuntu, follow the steps in this article (link), selecting “Legacy only” instead of “UEFI only”, then proceed with the Ubuntu installation. Please reach out if you are unsure.
Currently the only exception to the above note is coreboot on the VP2410, which is UEFI only and we suggest flashing in a UEFI environment.
In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.
- Install Ubuntu desktop version 20.04 or newer on the Vault to the internal mSATA per the link above (we recommend the “Minimal” version for this task)
- Note: Installing Ubuntu on the mSATA drive will overwrite anything currently installed.
- Note: A clean install of Ubuntu 20.04 or newer is recommended for a clean, controlled environment to ensure a successful BIOS flash.
- Verify that Ubuntu desktop version is installed and reboot the system
- Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
- Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
- Open a terminal window in Ubuntu. (Applications->Terminal)
- Verify the terminal opens and change directory to “Downloads” using the following command:
#cd Downloads
- Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:
#ls -la
- Download the appropriate SHA256 checksum file per the table below
- Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:
#ls -la
- If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:
#unzip filename.rom.zip
#unzip filename.rom.sha256.zip
- Run the SHA256 program on the filename.rom file using the following command:
#sha256sum filename.rom
- Verify the SHA256 output is the same as the contents of the filename.rom.sha file using the following command:
#cat filename.rom.sha
- Verify the “flashrom” program is present in Ubuntu using the following command:
#which flashrom
- If flashrom is not present, get it from the network and install it in Ubuntu using the following command:
#sudo apt install flashrom
- Verify flashrom is installed on the system
- Flash the coreboot image to the system.
Note: The flashrom command arguments for v4.9.0.1 were different for the FW6 series than the FW2B and FW4B series. Now all of the versions, including FW6D and FW6E use the same flashrom command arguments.
flashrom command:
#sudo flashrom -p internal -w filename.rom --ifd -i bios
- After the flash is complete the terminal should output a “VERIFIED” message
- If a “VERIFIED” message does not appear, do NOT power off the device. Verify the flashrom command is correct and re-run the flashrom command
- Reboot the system
- Verify the system boots and displays the coreboot version string on the screen, then the splash screen
- Verify the system boots up to Ubuntu desktop
- If not using Ubuntu as the OS, power off the system and install the desired OS over the Ubuntu installation or replace the Ubuntu mSATA with an mSATA for the desired OS.
- Reboot the system and verify that it boots to the desired OS
At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.
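The checksum steps above compare two long hex strings by eye. The following is an added example, not Protectli's own tooling, that does the comparison in a script and refuses to continue on a mismatch; the function names and the flash.log file name are illustrative assumptions.

```shell
#!/bin/sh
# Added example: gate the flash on an automated SHA256 comparison.

# Print the first 64-hex-digit token found in a checksum file, lowercased.
# Accepts both the "HASH  filename" layout and a file holding a bare hash.
expected_sha256() {
    grep -Eio '[0-9a-f]{64}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# verify_rom IMAGE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or unusable.
verify_rom() {
    [ -s "$1" ] || { echo "missing or empty image: $1" >&2; return 2; }
    [ -s "$2" ] || { echo "missing or empty checksum file: $2" >&2; return 2; }
    want="$(expected_sha256 "$2")"
    [ -n "$want" ] || { echo "no SHA256 value found in $2" >&2; return 2; }
    got="$(sha256sum "$1" | cut -d' ' -f1)"
    if [ "$got" = "$want" ]; then
        echo "OK: $1 matches $2"
        return 0
    fi
    echo "MISMATCH: do not flash $1" >&2
    echo "  expected $want" >&2
    echo "  actual   $got" >&2
    return 1
}

# flash_log_verified LOGFILE
# Returns 0 only if saved flashrom output contains the VERIFIED message.
# Capture the output with, for example:
#   sudo flashrom -p internal -w filename.rom --ifd -i bios 2>&1 | tee flash.log
flash_log_verified() {
    grep -q 'VERIFIED' "$1"
}

# Usage: sh verify_rom.sh filename.rom filename.rom.sha
if [ "$#" -eq 2 ]; then
    verify_rom "$1" "$2" || exit 1
    echo "Checksum verified; continue with the flashrom step."
fi
```

A non-zero exit means the download should be repeated before any flashrom command is run.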
Flash from coreboot to Original(AMI) BIOS
In case you would like to go back to the OEM BIOS, the steps are relatively straightforward and follow the same procedure as flashing coreboot. Be sure to use the correct BIOS for your Vault.
Using the same Ubuntu install as the instructions above:
- Verify the correct BIOS is downloaded from this link
- Unzip the BIOS in the Downloads folder
- Open Terminal and change directory to BIOS folder. Example filenames and commands below will depend upon the actual version of the BIOS.
For the FW4B
#cd Downloads/4B191022
For the FW2B
#cd Downloads/2B191022
For the FW6A/B/C
#cd Downloads/6-190708
For the FW6D
#cd Downloads/6D201203
For the FW6E
#cd Downloads/6E201203
- Run the flashrom command, using ‘filename.bin’ for legacy BIOS, instead of ‘filename.rom’ for coreboot
FW4B BIOS file example:
#sudo flashrom -p internal -w YLBWL412.bin --ifd -i bios
FW2B BIOS file example:
#sudo flashrom -p internal -w YLBWL212.bin --ifd -i bios
FW6A/B/C BIOS file example:
#sudo flashrom -p internal -w KBU6LA09.bin --ifd -i bios
FW6D BIOS file example:
#sudo flashrom -p internal -w KBR6L132.bin --ifd -i bios
- After the flash is complete the terminal should output a “VERIFIED” message.
- Reboot and verify the legacy BIOS is loaded
coreboot File Table
Current Version
Vault | coreboot .rom file | SHA256 file | Notes | Release Date |
---|---|---|---|---|
FW2B | fw2b_v4.9.0.3.rom | fw2b_v4.9.0.3.rom.sha256 | Fixed high CPU usage in Windows | 11/1/2022 |
FW4B | fw4b_v4.12.0.8.rom | fw4b_v4.12.0.8.rom.sha256 | Fix high CPU usage in Windows | 11/1/2022 |
FW4C | protectli_fw4c_v4.12.0.12.rom | protectli_fw4c_v4.12.0.12.rom.SHA256 | Initial Release | 3/2/2023 |
FW6A/B/C/D/E | protectli_fw6_DF_v1.0.14.rom | protectli_fw6_DF_v1.0.14.rom_.sha256 | Fixed high temperature under stress on FW6D/E | 5/18/2022 |
Previous Versions
Vault | coreboot .rom file | SHA256 file | Notes | Release Date |
---|---|---|---|---|
FW6A/B/C/D/E | protectli_fw6_DF_v1.0.12.rom | protectli_fw6_DF_v1.0.12.rom_.sha256 | Fix COM port, Fix USB WiFi, Add PCIe WiFi | 11/16/2021 |
FW2B | fw2b_v4.9.0.2.rom | fw2b_v4.9.0.2.rom.sha256 | HPET Fix | 6/24/2019 |
FW4B | fw4b_v4.12.0.7.rom | fw4b_v4.12.0.7.rom.sha | Fix iPXE with I211 NICs | 4/29/2021 |
FW4B | fw4b_v4.12.0.3.rom | fw4b_v4.12.0.3.rom.sha | Security enhancements for Intel Spectre-Meltdown vulnerabilities, built in MemTest accessible in boot menu | 11/11/2020 |
FW4B | fw4b_v4.9.0.1.rom | fw4b_v4.9.0.1.rom.sha256 | Initial Release | 6/24/2019 |
FW6A/B/C | fw6_v4.12.0.4.rom | fw6_v4.12.0.4.rom.sha | Support for Intel i210, i211 NICs | 5/4/2021 |
FW6A/B/C | fw6_v4.12.0.3.rom | fw6_v4.12.0.3.rom.sha | Security enhancements for Intel Spectre-Meltdown vulnerabilities, built in MemTest accessible in boot menu | 11/11/2020 |
FW6A/B/C | fw6_v4.9.0.1.rom | fw6_v4.9.0.1.rom.sha256 | Initial Release | 6/24/2019 |
FW6D | fw6d_DF_1.0.6.rom | protectli_fw6d_DF_1.0.6.rom_.sha256 | Initial Release | 5/4/2021 |
FW6E | fw6e_DF_1.0.7.rom | protectli_fw6e_DF_1.0.7.rom_.sha256 | Initial Release | 5/17/2021 |
coreboot Compatibility
Vault | pfSense 2.4.5 | pfSense 2.5 | FreeBSD 11.2 | Sophos XG 18 | OPNsense 21.1 | Untangle 14.2.2 | Ubuntu 20.04 | ESXi 6.7 | Windows 10 |
---|---|---|---|---|---|---|---|---|---|
FW2B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme |
FW4B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme |
FW6A | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme |
FW6B | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme |
FW6C | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified | Verified - Use MBR partition scheme |
FW6D | Verified | Verified | Verified | Verified | Verified | | | | |
FW6E | Verified | Verified | Verified | Verified | Verified | | | | |
If you need additional assistance, please feel free to reach out at support@protectli.com. You can find more information about coreboot on the Vault in our Knowledge Base as well.