Repository containing instructions and configuration files to run Qubes OS on X220 with coreboot.
Go to file
2018-03-28 18:15:20 +02:00
config Draft 2018-03-27 20:01:52 +02:00
README.md Note addition 2018-03-28 18:15:20 +02:00

Disclaimer: This is not an easy: mistakes can lead to data loss or bricking of the laptop. Only execute command that you are able to understand.

Note: This guide suggest installing Qubes before flashing coreboot. If you already have coreboot refer to this instead http://dodoid.net/qubreboot/

Qubes+Coreboot on Thinkpad X220

Prerequisites

  • Thinkpad x220 (other models supported by coreboot may apply)
  • Pomona 5250 + RaspberryPI/BeagleBone black for hardware flashing

Advantages:

  • Encrypted /boot
  • Less proprietary components in bios
  • Neutralized Intel ME
  • Evil Maid Attacks requires hardware flashing/partial disassembly

Disadvantages:

  • TPM can't work without the Intel ME
  • Not all RAM sticks works
  • Different (probably worse) fan control
  • Microcode updates probably working but not yet tested

Final qubes-hcl-report

Qubes release 4.0 (R4.0)

Brand:		LENOVO
Model:		429136G
BIOS:		CBET4000 4.7-577-gd18f42ab6f

Xen:		4.8.3
Kernel:		4.14.18-1

RAM:		12208 Mb

CPU:
  Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
Chipset:
  Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0104] (rev 09)
VGA:
  Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0106] (rev 09) (prog-if 00 [VGA controller])

Net:
  Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 05)
  Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)

SCSI:
  Crucial_CT240M50 Rev: MU03

HVM:		Active
I/O MMU:	Active
HAP/SLAT:	Yes
TPM:		Device present
Remapping:	Yes

Procedure

Install Qubes

Do a simple Qubes 4 LUKS+LVM installation by just following the graphical installer.

Coreboot prerequisites

Clone the base Qubes debian8/9 template and install the following packages:

sudo apt-get install git wget build-essential gnat flex bison libncurses5-dev zlib1g-dev libfreetype6-dev unifont python3

sudo apt-get build-dep grub

If required enable the necessary source repository.

Create an AppVM based on the template and start a terminal in it.

mkdir ~/Build
cd ~/Build
git clone https://notabug.org/Velsoth/x220-coreboot.git
cd x220-coreboot/
./cb-helper download_code
./cb-helper build_utils

Get the original bios binary

If you are able to extract it from the executable distributed by Lenovo it should be good. Do not get it from some random forum or website. If you can't the best way is to read it directly from the flash using the Raspberry and the clip.

    ______
1--| O    |--8
2--|      |--7
3--|      |--6
4--|______|--5

Remeber to research your chip model and manufacturer (in this guide a Macronix MX25L6405) and double check the pin layout using the official datasheet.

1 2 3 4 5 6 7 8 Flash pin number
CS DO /WP GND DI CLK /HOLD VCC Pin name
24 21 GND 25 19 23 GND 17 Rpi GPIO number

Please refer to the multiple flashing guides available

From a root prompt on the Rpi

flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios1.bin
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios2.bin
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r bios3.bin
sha1sum bios*.bin

Check that all the checksums do match. In case they don't there's probably something wrong in the clip position or in the wiring. Remember that no pin should left floating even if it's not useful for the operation. /WP and /HOLD should be always connected to something like GND.

Continue with coreboot build

Now reassemble the x220, boot Qubes and copy bios1.bin from the RaspberryPi to the AppVM created before in ~/Build/x220-coreboot/binaries/bios.bin.

Open again a terminal in the AppVM:

cd ~/Build/x220-coreboot/
./cb-helper split_bios
./cb-helper neuter_me
./cb-helper pre_build_coreboot

Now the cb-helper script is prepared to build coreboot with SeaBIOS as primary payload and Grub2 as a secondary payload. In this specific guide we do not use SeaBIOS and directly use Grub2 as a primary payload.

This is an advantage for some reasons:

  • Faster boot
  • Less code running And a disadvantage for some others:
  • No BIOS like configuration available
  • Probable problems with other operating systems
  • Missing utilities like nvramcui

Now edit grub.cfg ~/Build/x220/coreboot/config/grub.cfg Replace at the beginning of the file

set prefix=(memdisk)/boot/grub

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod part_msdos
insmod ext2
insmod lvm
insmod gcry_rijndael
insmod gcry_sha256
insmod luks
insmod cryptodisk
# insmod usbserial_pl2303
# insmod usbserial_ftdi
# insmod usbserial_usbdebug
insmod gfxmenu
insmod gfxterm_menu
insmod gfxterm_background
insmod chain
insmod jpeg

# Serial and keyboard configuration, very important.
# serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
# terminal_input --append  serial
# terminal_output --append serial
terminal_input --append at_keyboard
terminal_output --append cbmemc

gfxpayload=keep
terminal_output --append gfxterm

set menu_color_normal=white/black
set menu_color_highlight=white/cyan

# Default to first option, automatically boot after 1 second
set default="0>0"
set timeout=1

# This is useful when using 'cat' on long files on GRUB terminal
set pager=1

# Set a background image from CBFS
background_image (cbfsdisk)/background.jpg

# Set DejaVu Sans Mono as the default font
loadfont (cbfsdisk)/dejavusansmono.pf2

# Default keymap
keymap usqwerty

And add the following menuentry: ** THIS IS AN EXAMPLE YOU SHOULD GET IT FROM YOUR ORIGINAL grub.cfg WITH YOUR DISK UUID AND KERNEL VERSIONS **

menuentry 'Qubes, with Xen hypervisor FDE' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-1c874f0f-b41d-4120-8058-b327554c11bf' {
	cryptomount -a
	set root='lvm/qubes_dom0-boot'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  55e7e06a-cad4-4a8d-ba89-9205493e87d7
	else
	  search --no-floppy --fs-uuid --set=root 55e7e06a-cad4-4a8d-ba89-9205493e87d7
	fi
	echo	'Loading Xen 4.8.3 ...'
        if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
            xen_rm_opts=
        else
            xen_rm_opts="no-real-mode edd=off"
        fi
	multiboot	/xen-4.8.3.gz placeholder  console=none dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ${xen_rm_opts}
	echo	'Loading Linux 4.14.18-1.pvops.qubes.x86_64 ...'
	module	/vmlinuz-4.14.18-1.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-8453f049-6322-4e5d-b05a-a6c4688fd3a5 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.preliminary_hw_support=1 rhgb quiet rd.qubes.hide_all_usb 
	echo	'Loading initial ramdisk ...'
	module	--nounzip   /initramfs-4.14.18-1.pvops.qubes.x86_64.img
}

The only difference with the original is the addition of

  • cryptomount -a
  • set root='lvm/qubes_dom0-boot'

The below example of .config should work without any modification given that the steps above have been done correctly, however some configurations depends on personal needs and should be changed. Refer to the coreboot wiki for more information https://www.coreboot.org/Coreboot_Options

~/Build/x220-coreboot/coreboot/.config

CONFIG_COREBOOT_BUILD=y
CONFIG_LOCALVERSION=""
CONFIG_CBFS_PREFIX="fallback"
CONFIG_COMPILER_GCC=y
CONFIG_COMPRESS_RAMSTAGE=y
CONFIG_INCLUDE_CONFIG_FILE=y
CONFIG_USE_BLOBS=y
CONFIG_RELOCATABLE_RAMSTAGE=y

CONFIG_VENDOR_LENOVO=y
CONFIG_BOARD_SPECIFIC_OPTIONS=y
CONFIG_MAINBOARD_DIR="lenovo/x220"
CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X220"
CONFIG_MAINBOARD_VENDOR="LENOVO"
CONFIG_MAX_CPUS=8
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
CONFIG_CBFS_SIZE=0x200000
CONFIG_VGA_BIOS_ID="8086,0126"
CONFIG_DIMM_SPD_SIZE=256
CONFIG_DCACHE_RAM_BASE=0xfefe0000
CONFIG_DCACHE_RAM_SIZE=0x20000
CONFIG_VGA_BIOS_FILE="pci8086,0126.rom"
CONFIG_MAINBOARD_PCI_SUBSYSTEM_VENDOR_ID=0x17aa
CONFIG_MAINBOARD_PCI_SUBSYSTEM_DEVICE_ID=0x21db
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_DRAM_RESET_GATE_GPIO=10
CONFIG_DEVICETREE="devicetree.cb"
CONFIG_MAX_REBOOT_CNT=3
CONFIG_HAVE_GBE_BIN=y
CONFIG_USBDEBUG_HCD_INDEX=2
CONFIG_MMCONF_BASE_ADDRESS=0xf0000000
CONFIG_TPM_PIRQ=0x0
CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
CONFIG_FMDFILE=""
CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00
CONFIG_IFD_BIN_PATH="../binaries/descriptor.bin"
CONFIG_ME_BIN_PATH="../binaries/me_neutered.bin"
CONFIG_BOARD_LENOVO_X220=y
CONFIG_CPU_ADDR_BITS=36
CONFIG_DEFAULT_CONSOLE_LOGLEVEL=8
CONFIG_DRIVERS_PS2_KEYBOARD=y
CONFIG_SMBIOS_ENCLOSURE_TYPE=0x09
CONFIG_BOARD_ROMSIZE_KB_8192=y
CONFIG_COREBOOT_ROMSIZE_KB_8192=y
CONFIG_COREBOOT_ROMSIZE_KB=8192
CONFIG_ROM_SIZE=0x800000
CONFIG_SYSTEM_TYPE_LAPTOP=y

CONFIG_CPU_SPECIFIC_OPTIONS=y
CONFIG_RAMTOP=0x200000
CONFIG_HEAP_SIZE=0x4000
CONFIG_RAMBASE=0x100000
CONFIG_EHCI_BAR=0xfef00000
CONFIG_SERIRQ_CONTINUOUS_MODE=y
CONFIG_SMM_TSEG_SIZE=0x800000
CONFIG_ACPI_CPU_STRING="\\_PR.CP%02d"
CONFIG_BOOTBLOCK_CPU_INIT="cpu/intel/model_206ax/bootblock.c"
CONFIG_C_ENV_BOOTBLOCK_SIZE=0x10000
CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y
CONFIG_ROMSTAGE_ADDR=0x2000000
CONFIG_VERSTAGE_ADDR=0x2000000
CONFIG_SPI_FLASH_INCLUDE_ALL_DRIVERS=y
CONFIG_DCACHE_RAM_MRC_VAR_SIZE=0x0
CONFIG_PCIEXP_ASPM=y
CONFIG_PCIEXP_COMMON_CLOCK=y
CONFIG_BOOTBLOCK_NORTHBRIDGE_INIT="northbridge/intel/sandybridge/bootblock.c"
CONFIG_BOOTBLOCK_SOUTHBRIDGE_INIT="southbridge/intel/bd82x6x/bootblock.c"
CONFIG_CACHE_MRC_SIZE_KB=512
CONFIG_STACK_SIZE=0x1000
CONFIG_UART_PCI_ADDR=0x0

CONFIG_SOCKET_SPECIFIC_OPTIONS=y
CONFIG_XIP_ROM_SIZE=0x20000
CONFIG_NUM_IPI_STARTS=2
CONFIG_CPU_INTEL_MODEL_206AX=y
CONFIG_SSE2=y
CONFIG_CPU_INTEL_SOCKET_RPGA989=y
CONFIG_CPU_INTEL_COMMON=y
CONFIG_ENABLE_VMX=y
CONFIG_UDELAY_TSC=y
CONFIG_TSC_CONSTANT_RATE=y
CONFIG_TSC_MONOTONIC_TIMER=y
CONFIG_TSC_SYNC_MFENCE=y
CONFIG_LOGICAL_CPUS=y
CONFIG_SMM_TSEG=y
CONFIG_SMM_MODULE_HEAP_SIZE=0x4000
CONFIG_CACHE_AS_RAM=y
CONFIG_SMP=y
CONFIG_AP_SIPI_VECTOR=0xfffff000
CONFIG_MMX=y
CONFIG_SSE=y
CONFIG_SUPPORT_CPU_UCODE_IN_CBFS=y
CONFIG_CPU_MICROCODE_CBFS_NONE=y

CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
CONFIG_USE_NATIVE_RAMINIT=y
CONFIG_SANDYBRIDGE_IVYBRIDGE_LVDS=y
CONFIG_IF_NATIVE_VGA_INIT=y
CONFIG_HPET_ADDRESS=0xfed00000
CONFIG_HPET_MIN_TICKS=0x80
CONFIG_MAX_PIRQ_LINKS=4

CONFIG_SOUTHBRIDGE_INTEL_C216=y
CONFIG_SOUTH_BRIDGE_OPTIONS=y
CONFIG_LOCK_SPI_FLASH_NONE=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
CONFIG_INTEL_CHIPSET_LOCKDOWN=y

CONFIG_EC_ACPI=y
CONFIG_EC_LENOVO_H8=y
CONFIG_H8_BEEP_ON_DEATH=y
CONFIG_H8_FLASH_LEDS_ON_DEATH=y
CONFIG_EC_LENOVO_PMH7=y
CONFIG_HAVE_INTEL_FIRMWARE=y

CONFIG_CHECK_ME=y
CONFIG_GBE_BIN_PATH="../binaries/gbe.bin"
CONFIG_UDK_2013_VERSION=2013
CONFIG_UDK_2015_VERSION=2015
CONFIG_UDK_2017_VERSION=2017
CONFIG_UDK_VERSION=2013
CONFIG_ARCH_ARMV8_EXTENSION=0
CONFIG_ARCH_X86=y
CONFIG_ARCH_BOOTBLOCK_X86_32=y
CONFIG_ARCH_VERSTAGE_X86_32=y
CONFIG_ARCH_ROMSTAGE_X86_32=y
CONFIG_ARCH_RAMSTAGE_X86_32=y
CONFIG_PC80_SYSTEM=y
CONFIG_HAVE_CMOS_DEFAULT=y
CONFIG_CMOS_DEFAULT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.default"
CONFIG_IOAPIC_INTERRUPTS_ON_FSB=y
CONFIG_ID_SECTION_OFFSET=0x80
CONFIG_BOOTBLOCK_SIMPLE=y
CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"

CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y
CONFIG_HAVE_LINEAR_FRAMEBUFFER=y
CONFIG_MAINBOARD_HAS_NATIVE_VGA_INIT=y
CONFIG_MAINBOARD_HAS_LIBGFXINIT=y
CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y

CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_PCI=y
CONFIG_MMCONF_SUPPORT=y
CONFIG_PCIX_PLUGIN_SUPPORT=y
CONFIG_CARDBUS_PLUGIN_SUPPORT=y
CONFIG_PCIEXP_PLUGIN_SUPPORT=y
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000

CONFIG_CACHE_MRC_SETTINGS=y
CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
CONFIG_SPI_FLASH=y
CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
CONFIG_SPI_FLASH_ADESTO=y
CONFIG_SPI_FLASH_AMIC=y
CONFIG_SPI_FLASH_ATMEL=y
CONFIG_SPI_FLASH_EON=y
CONFIG_SPI_FLASH_GIGADEVICE=y
CONFIG_SPI_FLASH_MACRONIX=y
CONFIG_SPI_FLASH_SPANSION=y
CONFIG_SPI_FLASH_SST=y
CONFIG_SPI_FLASH_STMICRO=y
CONFIG_SPI_FLASH_WINBOND=y
CONFIG_NO_UART_ON_SUPERIO=y
CONFIG_HAVE_USBDEBUG=y
CONFIG_HAVE_USBDEBUG_OPTIONS=y
CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
CONFIG_INTEL_EDID=y
CONFIG_INTEL_INT15=y
CONFIG_INTEL_GMA_ACPI=y
CONFIG_GFX_GMA=y
CONFIG_GFX_GMA_CPU="Sandybridge"
CONFIG_GFX_GMA_CPU_VARIANT="Normal"
CONFIG_GFX_GMA_INTERNAL_IS_LVDS=y
CONFIG_GFX_GMA_INTERNAL_PORT="LVDS"
CONFIG_GFX_GMA_ANALOG_I2C_PORT="PCH_DAC"
CONFIG_DRIVERS_INTEL_WIFI=y
CONFIG_DRIVERS_MC146818=y
CONFIG_LPC_TPM=y
CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000
CONFIG_VGA=y
CONFIG_DRIVERS_RICOH_RCE822=y

CONFIG_MAINBOARD_HAS_LPC_TPM=y
CONFIG_ACPI_SATA_GENERATOR=y
CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y
CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_RTC=y

CONFIG_SQUELCH_EARLY_SMP=y
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
CONFIG_CONSOLE_POST=y
CONFIG_HWBASE_DEBUG_CB=y
CONFIG_HAVE_ACPI_RESUME=y
CONFIG_RESUME_PATH_SAME_AS_BOOT=y
CONFIG_HAVE_HARD_RESET=y
CONFIG_HAVE_MONOTONIC_TIMER=y
CONFIG_HAVE_OPTION_TABLE=y
CONFIG_HAVE_SMI_HANDLER=y
CONFIG_IOAPIC=y
CONFIG_USE_WATCHDOG_ON_BOOT=y
CONFIG_HAVE_ACPI_TABLES=y
CONFIG_COMMON_FADT=y

CONFIG_GENERATE_SMBIOS_TABLES=y

CONFIG_PAYLOAD_GRUB2=y
CONFIG_PAYLOAD_FILE="payloads/external/GRUB2/grub2/build/default_payload.elf"
CONFIG_GRUB2_STABLE=y
CONFIG_GRUB2_EXTRA_MODULES="gcry_rijndael gcry_sha256 gcry_seed lvm luks cryptodisk all_video jpeg png cat videoinfo videotest crypto gfxmenu gfxterm_menu gfxterm_background password password_pbkdf2 pbkdf2 usbserial_pl2303 usbserial_ftdi usbserial_usbdebug"
CONFIG_GRUB2_INCLUDE_RUNTIME_CONFIG_FILE=y
CONFIG_GRUB2_RUNTIME_CONFIG_FILE="../config/grub.cfg"
CONFIG_PAYLOAD_OPTIONS=""
CONFIG_COMPRESSED_PAYLOAD_LZMA=y
CONFIG_COMPRESS_SECONDARY_PAYLOAD=y


CONFIG_HAVE_DEBUG_RAM_SETUP=y
CONFIG_HAVE_DEBUG_SMBUS=y
CONFIG_WARNINGS_ARE_ERRORS=y
CONFIG_EARLY_CBMEM_INIT=y
CONFIG_RELOCATABLE_MODULES=y
CONFIG_BOOTBLOCK_CUSTOM=y

Now build coreboot

./cb-helper build_coreboot

And add the font and tha background image:

coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/dejavusansmono.pf2 -n dejavusansmono.pf2 -t raw
coreboot/util/cbfstool/cbfstool out/coreboot.rom add -f misc/bg.jpg -n background.jpg -t raw

The file ~/Build/x220-coreboot/out/coreboot.rom should now be ready for flashing.

Coreboot flash

From the RaspberryPi

flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -w coreboot.rom

(flashrom may sometimes give an error about failing to erase. This is fine as long as the end it prints 'VERIFIED')

Or from dom0 if you already have flashed coreboot before:

sudo flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom

Encrypt /boot

From now on keep in mind that any error may cause data loss. Even not doing any error may cause data loss. Please make a full backup bedofre going on. Boot a live archlinux or any other live distro which has cryptsetup, lvm and dd installed. In this part it is assumed the device with Qubes is /dev/sda.

fdisk -l /dev/sda
Device     Boot Start       End			Sectors		Size 	Id Type
/dev/sda1        2048 		2099199 	2097151 	1.0 G  	83 Linux
/dev/sda2        2099200 	468862127	466762927 	222.6G 	83 Linux

Take note of the offset values.

Copy on an external device a backup of the boot partition:

dd if=/dev/sda1 of=/mnt/backup/boot.dd bs=1M status=progress

Using fdisk, cfdisk or parted delete both sda1 and sda2 and create a new partition using the whole disk called sda.

Now move the old LUKS partition at the beginning of the disk. First check that the offsets are correct (source: https://superuser.com/questions/541067/how-to-move-a-partition-in-gnu-linux):

dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 count=100 skip=$((2099199-2048)) seek=0 2> /dev/null | file -s -
/dev/stdin: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8453f049-6322-4e5d-b05a-a6c4688fd3a5

If the file command detect a LUKS encrypted file it should be safe to continue.

dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1  skip=$((2099199-2048)) seek=0 of=/dev/sda1 status=progress

Wait for the process to complete. Do not stop it for any reason.

cryptsetup luksOpen /dev/sda1 qubespv
pvresize /dev/mapper/qubespv
lvcreate -n boot -l100%FREE qubes_dom0
dd if=/mnt/backup/bios.dd of /dev/mapper/qubes_dom0-boot

Reboot

Reboot. You should now be prompted two times for your LUKS passphrase: this is because the Grub installed within the Flash has no way to pass the actual passphrase to the kernel. A workaround to this issue is explained here https://wiki.parabola.nu/Installing_Parabola_on_Libreboot_with_full_disk_encryption_(including_/boot)#Bonus:Using_a_key_file_to_unlock.2Fboot.2F

TODO

  • Flash coreboot read-only to prevent tampering
  • Add a script which symlink the latest kernel and the previous one in a predictable path in /boot
  • Find a way to disable ExpressCard/Camera/Other components from coreboot
  • Test microcode updates for meltdown/spectre