Conversation

next project: figuring out how to exorcize this gunyah hypervisor bullshit from my thinkpad

1
0
0

the answer of course is obvious: coreboot

3
0
0

sl2bounce is cute, but where i'm going, i won't be needing that anymore

0
0
0

@ariadne unfortunately, anything prior to (and including) the UEFI boot stage are signed with them being fused

some small OEMs forget to fuse, but Lenovo isn't one of them, as unfused breaks HDCP and DRM

1
0
0

@ariadne this is basically the opposite of PC evolution which went from a fully open system (which I grew up on) to trying to figure out how to secure it (TPM, TXT, DRTM etc.). The QC SoCs started with the mobile ecosystem with a strict boot chain locked to the device manufacturer, and it is loosening up. The Gunyah hypervisor early boot is mainly there to make sure the peripherals and their firmware are properly initialized and isolated. It is then switched to the platform hypervisor on Windows systems (and to Linux on EL2 with the slbounce thing). And yes, this is a much longer way of saying that it is not really possible to make it go away in a correctly configured device. @never_released

1
0
0

@canacar @never_released then can we at least get a fix for it to make it work with 64GB of RAM?

1
0
0

@valpackett @ariadne Anything pre-bootguard (Ivy Bridge and earlier), and also any Haswell ThinkPads with socketed CPUs (ThinkPad T440p/W450/W451/L440/L540) do not have bootguard. Anything with MEv11 (Skylake and Kaby Lake/Kaby Lake Refresh, so T460/T470/T480-era) has bootguard, but it can be bypassed with deguard.

1
0
0

@ariadne @never_released this is in my list to follow up on but things were quite busy recently. I suspect the DT available at boot is a generic one where "32G should be enough for everyone". If so Lenovo may have to provide an update. Are there any other publicly available bug reports or discussions on this I can refer to when discussing internally?

1
0
0

@canacar @ariadne this isn't about the DT itself but that Gunyah doesn't map the full 64G

Doesn't matter for Windows because Snapdragon X has Secure Launch forced to always-on even for WinPE but breaks booting any OS that doesn't escalate to EL2 without cutting down available memory

1
0
0

@never_released @ariadne is this just the memory Gunyah reserves for itself and other use cases (that may not be applicable to Linux?) I thought the missing memory was on the order of Gigabytes, so I assumed a configuration issue somewhere. I will bring this up with the right teams, but having a good description will help a lot.

1
0
0

@canacar @ariadne the UEFI memory map that is given to the OS is invalid and contains memory that will be faulted on access

1
0
0

@canacar @ariadne to be able to boot the OS at all you have to override memory to cut the upper half, otherwise it'll crash really early when trying to access it

1
0
0

@never_released @ariadne do you know how Android handles this? I will probably find out next week but still ...

1
0
0

@canacar @ariadne no Android QCOM devices with >32GB of RAM, and that was the limit until the SoC memory map got reworked for Snapdragon X, which is pretty recent

1
0
0