Topic locked, huh? Follow up to making Coreboot work with full disk encryption on ASUS KFSN4-DRE

40 replies [Last post]
hack and hack
Offline
Joined: 04/02/2015

Original post (suddenly locked, go figure): https://trisquel.info/en/forum/asus-kfsn-4-dre-end-november-2016

Yeah, so the real problem is that after cryptomount -a, "set root='lvm/rootvolume-logicalvolume" can't be found.
hmm... The only difference is that I have other disks, so other volume groups.

The other thing is trying to get SeaBIOS chainloaded from GRUB. In the Coreboot documentation, the path shown goes from memdisk.
I guess what cbfsdisk is (inside the rom), but what's this memdisk? The definition on the web isn't very easy to understand.

For the font issue, I'll try to add the font to the cbfs, and modify the path accordingly in grub.cfg.

Oh, and I gotta try with the officially unsupported 6 core CPU. Who knows, with some luck...

jxself
Offline
Joined: 09/13/2010

Posts get automatically locked by the system after a period of time.

hack and hack
Offline
Joined: 04/02/2015

Oh, thanks. At least I won't be surprised anymore.

Unfortunately it's a blogger page that demands javascript, but it's still the best info I could get on (memdisk):
https://lukeluo.blogspot.nl/2013/06/grub-how-to-4-memdisk-and-loopback.html

It's the second time I find great info on blogger, yet I'm forced to use javascript then.
Maybe this works (although one script for one website is a bit cumbersome): https://gist.github.com/ChimeraCoder/7799402

Some highlights:
the memdisk is attached to a device called "(memdisk)" in grub.
-
-c, --config=FILE
embed FILE as an early config
-m, --memdisk=FILE
embed FILE as a memdisk image
So, two files will be embedded into generated image, an early config file and a memdisk file.
-
$ cat embedded.cfg
echo "!!!!!!!!!!!!!!!! embedded config file in core.img !!!!!!!!!!!!"
sleep -i 6
set root=memdisk
set prefix=($root)/boot/grub
-
there is a "(memdisk)" as we expect, where our file reside. We can load the "hello" module from memdisk, just like any other disk, then execute the "hello" command.

So according to this, any path linking to (memdisk) should link to inside the cbfs. The difference with (cbfsdisk) might be that memdisk loads in a specific way.

OK next is trial and error:
1. make coreboot with an externally compiled GRUB, and add into the rom the grub.cfg, the font, and an externally compiled SeaBIOS.

2. Since I can't seem to find the lvm part to decrypt, I'll reinstall the OS, but I'll try a single volumegroup over several HDD/SSD. But then I might lose the possibility to assign a logical volume to a specific physical drive (easier to reinstall parts without touching other parts?).
This is the tough part now. Maybe it's possible with one volumegroup https://ekuric.wordpress.com/2011/08/26/lv-on-specific-pv/ (gotta do that from the OS installer though).
This doesn't show how to, but allows to read the current install https://serverfault.com/questions/461385/how-to-find-the-physical-volumes-that-hold-a-logical-volume-in-lvm
Maybe it's best to do the install on one drive, then if possible create and assign the other logical volumes to other disks https://unix.stackexchange.com/questions/188851/move-logical-volume-to-a-new-physical-disk.
Any experience with that, anyone?

3. Assuming I can boot, try another coreboot build for the 6 core CPU, and hope for the best. Else, it's still a bit better (maybe much more with the GPU) than the X200.

4. Mastering the fans, so I can get the lowest possible noise without damaging components. I might get an external controller.

5. Enjoy!

hack and hack
Offline
Joined: 04/02/2015

Forgot about SSD optimization:
https://sites.google.com/site/easylinuxtipsproject/ssd
https://askubuntu.com/questions/674320/what-ssd-optimization-are-needed-on-latest-ubuntu-version
http://www.makeuseof.com/tag/optimize-linux-ssds/

Gotta figure out what to actually do (as absolutely recommended only), and how to do it. I don't want to micromanage it without significant improvements in return.
Again, any info is most welcome :)

hack and hack
Offline
Joined: 04/02/2015

Hi uboot,

GRUB alone displayed the LiveCD in a deformed way (like the screen was flattened from the top). But that's with the onboard graphics, I can't speak for the external GPU yet.

The solution suggested on #coreboot was to build GRUB with the latest version instead (because of some script added) https://github.com/librecore-org/librecore/wiki/Building-a-small-GRUB-payload-for-512k-targets-and-above

Of course GRUB chainloaded from SeaBIOS is fine too, it's just that I had an issue with the bootorder file (with this inside "/rom@img/grub.lzma"): SeaBIOS was always looking for the optical drive, then the HDD. GRUB was last on the list.

I don't see anything wrong with what you did, minus the bootorder file (at least it didn't work for me).

Man, I'm so lazy myself about it, but mostly because it's demoralizing to work for so long with such slow results. But hey, gotta finish this.

Tomorrow, I'll work on rebuilding Coreboot with the latest GRUB.

hack and hack
Offline
Joined: 04/02/2015

Never had this error (yet... ). But I know I have the first line of grub.cfg (I took mine from Libreboot, and modified it a bit) about setting some prefix.
It says "set prefix=(memdisk)/boot/grub"

I can't precisely figure out where (memdisk) is though (besides being inside GRUB).

Also, when compiling GRUB from outside Coreboot, you can write down additional modules (like luks) on the list (see the 2nd block of code in the link).

-------

About onboard graphics: I did try Coreboot with GRUB built with Coreboot's build system. But I couldn't add/load some modules, plus without SeaBIOS, I had the display problem (actually the SeaBIOS version was outdated, I don't remember really), and also no way to launch a liveCD.

For the external GPU (which I didn't install yet since I have to switch the chip containing the rom, and it's in the way), hopefully the latest GRUB will work without the need for SeaBIOS.
But I don't mind chainloading GRUB from SeaBIOS instead. I just need to make the bootorder file work.

Basically, a SeaGRUB is what I have right now, but with the bootorder file not working (also not finding my lvm disk to unlock, but that's another story).
I'll try a GRUBSea right now, which would get rid of the bootorder issue, but it would have to work with the graphics.

hack and hack
Offline
Joined: 04/02/2015

I'll fix the grub font issue later.

On to n°2:
about the lvm :
at grub, I hit "c" to reach the prompt page, and I type "ls (ataX,msdosY)" (previously listed with ls only).

And I get "no known filesystem detected", whereas when installing, I definitely defined the partition as ext4 (roughly following the Libreboot manual here https://libreboot.org/docs/gnulinux/encrypted_debian.html).

Also, when trying to decrypt the disk, I get "disk 'lvm/volumegroup-logicalvolume' not found".

Some solutions might be to:
- chroot and update/reinstall GRUB from there
- completely reinstall the OS

None is satisfying, since I don't fully understand what's going on.

hack and hack
Offline
Joined: 04/02/2015

Reading this, I tried inserting GRUB modules manually http://grub.johnlane.ie/

And insmod luks works, but cryptomount then says "Cypher aes isn't available". What's that, another module?
For the sake of trying stuff, I tried to insmod lvm, but the module isn't found, even though I'm pretty sure I've added it...

I'll try that first.
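
The cipher named in that error is not part of the luks module: GRUB ships AES as gcry_rijndael and each hash as its own gcry_* module. The sketch below is an added example (not from the thread or from GRUB); it reads `cryptsetup luksDump` output for a LUKS1 header and reports which modules a payload's module list lacks, with function names and sample data constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the GRUB modules a LUKS1-on-LVM volume needs from its
# `cryptsetup luksDump` output and list the ones a payload's module list lacks.
# Function names and sample data are constructed, not taken from the thread.

# grub_modules_for_luks_lvm: luksDump text on stdin, required modules on stdout.
grub_modules_for_luks_lvm() {
    awk -F: '
        function val(s) { gsub(/[ \t]/, "", s); return s }
        BEGIN { c["aes"] = "gcry_rijndael"; c["twofish"] = "gcry_twofish"
                c["serpent"] = "gcry_serpent"
                h["sha1"] = "gcry_sha1"; h["sha256"] = "gcry_sha256"
                h["sha512"] = "gcry_sha512"; h["ripemd160"] = "gcry_rmd160"
                print "luks" }
        $1 == "Cipher name" { v = val($2); print ((v in c) ? c[v] : "unknown-cipher:" v) }
        $1 == "Hash spec"   { v = val($2); print ((v in h) ? h[v] : "unknown-hash:" v) }
        END { print "lvm" }   # the layout discussed here is LVM inside LUKS
    '
}

# missing_modules "mod1 mod2 ...": read required module names on stdin, print
# those absent from the space-separated list; return 1 if any are missing.
missing_modules() {
    mm_rc=0
    while read -r mm_mod; do
        case " $1 " in
            *" $mm_mod "*) ;;
            *) echo "$mm_mod"; mm_rc=1 ;;
        esac
    done
    return "$mm_rc"
}

# Constructed LUKS1 header dump (values are illustrative).
sample_luksdump() { cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
EOF
}

# Constructed module list mirroring the symptoms above: luks is present,
# the AES and LVM modules are not.
SAMPLE_MODULES="part_msdos ext2 luks gcry_sha256 normal configfile"

# Prints gcry_rijndael and lvm for the constructed data.
sample_luksdump | grub_modules_for_luks_lvm | missing_modules "$SAMPLE_MODULES" ||
    echo "payload is missing the modules listed above" >&2
```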

libreleah
Offline
Joined: 04/03/2017

grub payload is currently broken on kfsn4-dre, so you have to use seabios which means that /boot/ has to be unencrypted. ping tpearson about it on freenode irc

hack and hack
Offline
Joined: 04/02/2015

Hey Leah, thanks for the info.

What about partial encryption (/home + some other HDD completely encrypted)? But GRUB wouldn't be needed for this anyway, right?

I'll ask tpearson as well.

libreleah
Offline
Joined: 04/03/2017

afaik USB support is broken in GRUB, on that board, as are a few other features, making it unusable. I don't remember the details, all I know is that tpearson said seabios is to be used instead of grub

since seabios doesn't understand luks/dm-crypt, that means you have to leave /boot/ unencrypted. /boot/ simply contains your kernel, and perhaps a bootloader. The rest of the system can be encrypted.

Even without encrypted /boot/, there are precautions that you can take, such as checking before boot that your kernel hasn't somehow been tampered with before you boot it. Same for your bootloader. These are precautions that should be taken anyway, even with encrypted /boot/ (and libreboot.org has a guide for checking GPG signatures of kernel in GRUB, before booting them).
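
One way to do the tamper check described above when /boot stays unencrypted, as an added example that is not part of the post and is not Libreboot's GPG-in-GRUB method: keep a SHA-256 manifest of /boot on an encrypted volume and compare against it after unlocking. The function names and default paths are assumptions.

```shell
#!/bin/sh
# Added example: detect changes to an unencrypted /boot by comparing it with a
# SHA-256 manifest kept on an encrypted volume. Paths and names are assumptions.
# This detects tampering after the fact; it cannot stop a modified kernel from
# booting, so the strongest form is to run it from trusted media.

# make_manifest BOOT_DIR MANIFEST: hash every regular file under BOOT_DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_manifest BOOT_DIR MANIFEST: print CHANGED/ADDED/MISSING lines and
# return 0 only when BOOT_DIR matches the manifest exactly.
check_manifest() {
    cm_now=$(mktemp) || return 2
    make_manifest "$1" "$cm_now"
    cm_rc=0
    awk '
        # sha256sum lines are "<64 hex chars><2 separator chars><path>"
        { hash = substr($0, 1, 64); name = substr($0, 67) }
        FILENAME == ARGV[1] { old[name] = hash; next }
        { seen[name] = 1
          if (!(name in old))         { print "ADDED " name;   bad = 1 }
          else if (old[name] != hash) { print "CHANGED " name; bad = 1 } }
        END { for (n in old) if (!(n in seen)) { print "MISSING " n; bad = 1 }
              exit (bad ? 1 : 0) }
    ' "$2" "$cm_now" || cm_rc=$?
    rm -f "$cm_now"
    return "$cm_rc"
}

# Usage: script init|check [BOOT_DIR] [MANIFEST]
# Run "init" after every kernel or bootloader update, "check" after unlocking.
case "${1:-}" in
    init)  make_manifest  "${2:-/boot}" "${3:-/root/boot.sha256}" ;;
    check) check_manifest "${2:-/boot}" "${3:-/root/boot.sha256}" ;;
esac
```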

hack and hack
Offline
Joined: 04/02/2015

Thank you Leah!

Last question, if I may (hard to find the info):
Assuming I dedicated a volume group for each physical drive (with the same passphrase. the goal is to have a drive I can leave untouched in case of a reinstall),
does that mean I have to unlock them one after the other?
Well, that would be assuming that GRUB works...
I didn't try #lvm yet though.
-----

About GRUB for this board:
For GRUB (chainloaded from SeaBIOS because maybe some display issue IIRC), I used a liveCD, so the USB support wasn't too much of an issue (well it was, but I ended up figuring this out with help from others).

I have some font recognition issue, otherwise it seems to work fine. Just for the sake of being thorough, I'll try to compile GRUB again with those extra modules for encryption, and insmod them all before cryptomount.

But else, I'll do as you suggest. Thanks again Leah.

libreleah
Offline
Joined: 04/03/2017

if you have separate drives encrypted, then yes you have to unlock all of them.

However, it should be possible to unlock just one of them and have a keyfile (on the first encrypted drive) that automatically unlocks all the other drives.

or you could set up RAID, with /boot/ unencrypted on RAID1 setup, the rest encrypted on top of RAID10 or something like that.

What sort of partition scheme are you aiming for on all the drives? I'm not sure I fully understand your questions.

libreleah
Offline
Joined: 04/03/2017

It's probably better to come to #libreboot if you're having issues with it. on freenode IRC

hack and hack
Offline
Joined: 04/02/2015

The rough idea is
/home on a SSD (encrypted),
/boot on the same SSD (unencrypted, unless I get lucky with GRUB),
/data on one HDD (encrypted),
/backup on another HDD (encrypted, and same size as the other HDD),
the goal being that I'd like to be able to reinstall /home easily if needed, while leaving the 2 other drives untouched.

Ah yes, forgot about the keyfile possibility. I guess that solves it (assuming it can unlock the /home folder only on the SSD).
I'm not sure RAID would fit, because that would be exact copies of the other drives, right? Maybe it's fine for the /backup HDD.

I'll get to #libreboot tonight hopefully. Thank you :) !

libreleah
Offline
Joined: 04/03/2017

yeah use keyfiles. that'll do it
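
The keyfile arrangement suggested in the replies above (one volume unlocked by passphrase, keyfiles on it for the other drives), as an added example that is not part of the thread: it creates an owner-only keyfile, emits the matching /etc/crypttab entry, and audits a crypttab for keyfiles that are missing or readable by other users. Mapper names, UUIDs and the /etc/keys path are assumptions.

```shell
#!/bin/sh
# Added example. Layout assumed from the thread: one volume is unlocked with a
# passphrase, and the /data and /backup drives are unlocked by keyfiles stored
# on that already-unlocked volume. A keyfile kept on an unencrypted filesystem
# gives away the drives it opens. Names and paths are assumptions.

# make_keyfile PATH: create a 4096-byte random keyfile readable by owner only.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null ) &&
        chmod 0400 "$1"
}

# Enrolling the keyfile in a spare LUKS key slot needs root and the real device;
# the existing passphrase stays valid as a fallback:
#   cryptsetup luksAddKey /dev/sdX1 /etc/keys/data.key

# crypttab_line NAME UUID KEYFILE: emit one /etc/crypttab entry.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# audit_crypttab FILE: for every entry that names a keyfile, report keyfiles
# that are missing or accessible to group/other. Returns 1 on any finding.
audit_crypttab() {
    ac_bad=0
    while read -r ac_name ac_dev ac_key ac_opts || [ -n "$ac_name" ]; do
        case "$ac_name" in ''|'#'*) continue ;; esac
        # "none" or "-" means a passphrase prompt; /dev/* is a random-key device
        case "$ac_key" in ''|none|-|/dev/*) continue ;; esac
        if [ ! -f "$ac_key" ]; then
            echo "$ac_name: keyfile $ac_key missing"
            ac_bad=1
        elif [ "$(ls -ld "$ac_key" | cut -c5-10)" != "------" ]; then
            echo "$ac_name: keyfile $ac_key is accessible to group/other"
            ac_bad=1
        fi
    done < "$1"
    return "$ac_bad"
}

# Usage: script audit [CRYPTTAB]
case "${1:-}" in
    audit) audit_crypttab "${2:-/etc/crypttab}" ;;
esac
```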

hack and hack
Offline
Joined: 04/02/2015

Thanks Leah :)

hack and hack
Offline
Joined: 04/02/2015

So, what's left:
- most likely, I'll have to stick with SeaBIOS only. Easy. I'll still do the full test with GRUB (easy as well).

- checking the kernel and the bootloader's signature seems awfully complicated.
I might pass (overkill, especially for a home desktop PC for an average user).
I mean, it's all about the threat level. This is for fending off a "malicious super nerd cracker who has access to my home desktop".
Extremely unlikely.
It would nicely replace an encrypted boot partition though. Also it requires GRUB (which is a bit broken for this board).
https://libreboot.org/docs/gnulinux/grub_hardening.html
Not sure it's even worth it on my laptop since I have full disk encryption anyway. Maybe later. Probably never.

- Encrypting /home folder only and the other drives should be easy (during the install).

- The keyfiles thing looks also complicated, but 3 passphrases at each boot (even if thrice the same) is too much.
https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
https://davidyat.es/2015/04/03/encrypting-a-second-hard-drive-on-ubuntu-14-10-post-install/
http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

- test the 6 core CPU. Easy.

- tweak fans speed and SSD optimization. No idea if easy or hard.

libreleah
Offline
Joined: 04/03/2017

with methods to establish whether the system has been physically opened, plus a BIOS password (in SeaBIOS) preventing boot until entering the correct one, that should be an acceptable compromise if you don't have encrypted /boot/

(i'd recommend this even with encrypted /boot/)

i'm not sure whether seabios supports passwords. i know grub does (and libreboot documents it)

hack and hack
Offline
Joined: 04/02/2015

I guess I was a bit tired and overwhelmed by all this, but it doesn't sound so hard after all. I'll start again with slowly reading doc first :)

I don't think SeaBIOS supports passwords (I'm pretty sure I've read that from Coreboot's doc).
So I'll have to stick with what I already got (GRUB chainloaded from SeaBIOS).
It's just annoying that I have missing fonts in GRUB (the frame, and the arrows). I used the grub.cfg from Libreboot, where there's a line about "loadfont (cbfsdisk)/unicode.pf2" (it was dejavu originally). I tried to add the font to cbfs, but it's too big. I'll probably have to do that during the build.

hack and hack
Offline
Joined: 04/02/2015

Actually, since SeaBIOS is most likely mandatory for this board, I'm not sure signing the kernel and GRUB password is worth it.
That makes SeaBIOS accessible anyway, so...
Forget signing (Coreboot and/or GRUB), too many headaches.
https://www.coreboot.org/Security#Existing_security_features

Btw there's no aes module existing in GRUB.
There's a "gcry_seed - This module provides support for the SEED (block cypher) cryptography tool.",
but I'm done trying. No full disk encryption.

So I'll stick with:
- SeaBIOS chainloading GRUB (for opening encrypted partitions). Besides the font issue, it's done.
- basic encryption with /boot unencrypted
- keyfiles (rather easy, after all)
In theory, /boot being unencrypted would allow me to boot,
input my passphrase for /home, and from there I should be able to do the keyfile stuff.

I could put /boot on a thumb drive, but I'm not James Bond, this is way too much security for what it is.

That's all for this board. Nearly 6 months, all for this haha...
The info is hard to find, how could I have done it better/faster?
Oh well, at least I've learned a few things along the way.
But I'm done doing that kind of complicated sh*t for so long.
Less time building the tools, more time actually using the tools.

Too bad, it's the most interesting for the power/price ratio.
Laptops are a bit underpowered (just like the other librebooted desktops),
and the KGPE costs way more, if you take into account the components.

hack and hack
Offline
Joined: 04/02/2015

OK, some news:
the ASUS KFSN4-DRE does run on one 6 cores CPU,
contrary to what ASUS's website states
(I do have a rev 1.05G though but it's the standard version IIRC, stated as not being supported).
So make sure you have the exact same board as mine at least.

At the boot stage, only the internal GPU is recognized (and that's with Coreboot).
But when launching the liveCD, the external one is working.

Now while the liveCD starts booting, it doesn't go all the way.
The external GPU does give more "verbose" info: "EDID checksum is invalid"
and " nouveau E[ DRM] DDC responded, but no EDID for DVI-D-1".
I also have "out of range" on my monitor when only booting with VGA.
I electrically unplugged the monitor, it seems to be fixed.
I reached the LiveCD, but some bits were missing (like very late to load).
But it seems I can't reach the LiveCD anymore. There was some message about watchdog overflow once.

#coreboot wants me to enable the microcode updates before giving another bug report.
Also that other things like raminit for this board should be open-source, and that I should check the source to be sure.
It makes sense that microcodes aren't a valid threat, and might improve stability, but if I can avoid using it, I will.

#libreboot has responded, but nothing useful yet.

About full disk encryption with GRUB:
It seems it's still about missing modules regarding GRUB, so I'll try again later.

hack and hack
Offline
Joined: 04/02/2015

Some more progress: doing the old "unplug and hold the start button 30s" got me a nearly clean access to the liveCD (minus reloading some Mate apps like "show desktop").
Plus SeaBIOS chainloading GRUB was displayed on the external GPU!

But (the one and only but) launching the install starts for a bit, then the screen freezes. I reboot, and back to SeaBIOS/GRUB not being displayed, and no access to the LiveCD (like showing the desktop).
Trying again with that 30s trick, still the same display :_(

Any idea why? It seems unreliable/unstable.
But I'm on to something.

Also, it seems there's no kernel panic for now.
Maybe it has to do with this text-mode. I'm using a standard Debian LiveCD.

hack and hack
Offline
Joined: 04/02/2015

I've let it rest a bit, and managed to start the install with the LiveCD. I hope there's a way to get the text install from the LiveCD install (it didn't show the menu, but booted directly into the desktop).

Also it might be stuck during the install here (blank screen, only the mouse showing). Seems I'm not done yet.

And there's still Libreboot to try (if I can build it for a 6 cores CPU).

EDIT: It's still unstable, I have a hard time getting it to display GRUB from the start. And I have yet to succeed to finish an install from it.

Maybe the microcode updates would fix that. But that's the super last resort.

hack and hack
Offline
Joined: 04/02/2015

Well, I'll go for Coreboot WITH the microcode updates (#libreboot also suggested that). Hopefully this will be enough.

Leah, if you read this:
If microcodes updates for the KFSN4-DRE make it really work with a 6 cores CPU, is it worth it to try and build Libreboot for 6 cores? And if so, how do I do that (the manual doesn't indicate this specific point).
Worth it in terms of freedom, of course.

Thanks in advance.
The question is still on #libreboot, but I'll have to turn my PC off at some point.

hack and hack
Offline
Joined: 04/02/2015

Ah Leah, also this: I see I can either build with GRUB or SeaBIOS, but how do I chainload one from the other?
https://libreboot.org/docs/git/

hack and hack
Offline
Joined: 04/02/2015

Using microcodes (SeaBIOS only since GRUB is useless in this case), SeaBIOS (and the LiveCD menu, at last), appears only on VGA, and to see the verbosity when starting a live session, I must switch to DVI.
No problem for daily use: I'll just stay on DVI until it boots.

Now, the LiveCD doesn't boot. It takes several minutes, and it's still working on it.
I'm stuck in a loop about "systemd-udevd timeout".
But more often than not I have that underscore blinking on the upper left.

Trying the failsafe live session, it hangs on the VGA, meaning it still didn't boot the live session process (still on SeaBIOS, in other words).
"Probing EDD... ok". Stuck there.

EDIT:
I also tried a new install (text install, so all in VGA), I kinda couldn't refuse to install GRUB on disk (though it shouldn't be a problem).
Yet, no way to boot.
But the LiveCD doesn't boot either, so I guess it's logical.
It might be another problem though.

Any idea is more than welcome, as usual.

hack and hack
Offline
Joined: 04/02/2015

I could try to input kernel parameters (acpi=off, vga=normal), but I guess I need GRUB then (I doubt I can do it with SeaBIOS alone).

From the liveCD:
hardware detection tool says : failed to load libmenu.c32 and COM32 file hdt.c32
I tried that without success http://www.syslinux.org/archives/2013-March/019666.html ("no menu entries were found!")
The other solution only works for thumbdrives (https://askubuntu.com/questions/612746/ubuntu-live-usb-wont-boot-failed-to-load-com32-file-menu-c32), which I can't use with this mobo.

memory diagnostic tool doesn't even start.
Trying the graphical install right now: undefined video mode number: 314
Then, nothing.

The external GPU display isn't much of a concern (fails to display the payloads when built with microcodes), it's about the inability to complete the boot (or reach the live session), that's with microcodes, or reach it, but only if I do a specific manipulation every time I turn it off (that's without microcodes).
Even the manipulation of unplugging everything and pressing the start button for 30s (arbitrary time) doesn't work when built with microcode updates.

hack and hack
Offline
Joined: 04/02/2015

OK, as advised on #coreboot, I'll try the rom with the install on Qemu first, just to isolate problems (whether they're Coreboot or Payload related).

EDIT: If I had read this (https://trisquel.info/en/forum/asuskfsn4-dre-libreboot) more carefully, I would have wasted much less time... The least I can do is learn from the lesson.

The 6 cores is still worth testing.

hack and hack
Offline
Joined: 04/02/2015

Thanks uboot! Much appreciated :)

This is depressing. The information is scarce and confusing.
Tell me about it... It's hard, but just don't stop ;)
We can have the best free hardware available around very soon.
Some features are limited for now, but it's minor enough, to me.

This GRUB error seems to be about the path to the GRUB folder ("set prefix (path to the grub folder)").

In order to boot successfully, the root, prefix, linux and initrd variables must be correct. The user must verify the paths and names of these items. If they are incorrect, use the commands below to find and fix them. GRUB 2 variable settings can be viewed with the set command.
https://help.ubuntu.com/community/Grub2/Troubleshooting

Are you able to reach the GRUB menu, or do you reach only GRUB rescue? If not, there's something about the "normal" module to load with insmod that should work.

As for me, I'm trying to understand QEMU (aqemu failed from the repo).
I'll probably have to input something like this "-bios build/coreboot.rom -serial stdio -cdrom operatingsystem.iso hdd.qcow2" to run both Coreboot and the OS.

hack and hack
Offline
Joined: 04/02/2015

Following these tutorials
https://trisquel.info/en/forum/virtualbox-being-removed-trisquel#comment-41768
https://www.coreboot.org/Lesson1
https://www.coreboot.org/QEMU_Build_Tutorial

I managed to boot the LiveCD/iso.
But no way to boot the coreboot rom right now.
qemu-system-x86_64 -m 512M -bios coreboot_kfsn4-dre_6cores_grub_chained_par_seabios.rom hdd.qcow2 -nographic
qemu: fatal: Trying to execute code outside RAM or ROM at 0x00000000000a0000

Abandon

The webz didn't help. I tried -no-kvm which doesn't get permission to be executed (sudo chown root:kvm /dev/kvm did nothing. No surprise, there's no kvm in /dev/).

Couldn't get aqemu (GUI) to work either.

I'll try to compile the rom again: because of an internet issue at that time on my main machine, I've compiled the latest roms (64 bits) on a 32 bits machine. Maybe it's a problem. I don't know, I don't have anything else to try.

hack and hack
Offline
Joined: 04/02/2015

some more news:
Still with 6 cores, I've tested everything in QEMU.
Seems my first build of Coreboot was problematic.
Building a new one, I can reach the LiveCD on the KFSN4-DRE.
Definitely used microcode updates (didn't work without).

SeaBIOS is displayed every time on the external GPU.
So that's encouraging.

Downside: Still can't boot from the installed OS.
Also SeaBIOS doesn't show all my disks, for some reason.

Suggested things to try from #coreboot:
* fetch the SeaBIOS log.
* try VGA BIOS.
* Try GRUB only, properly configured
(set root=(hd0,msdos1) > linux /vmlinuz root=/dev/sda1 > initrd /initrd.img > boot).
* Check SeaBIOS config (rather obscure advice since there's not much to configure).

I need to make a copy of this rom, I'll gain time for recovery, if needed.
If all works, I'd need to make it boot faster with possible tweaks.
And Try to make GRUB work on QEMU first, then test it again on the mobo.

EDIT: chances are I just need to reinstall the OS. It seems something went wrong the first time (the text install "remembers" or fetches my disk config, and it seems / wasn't even configured, if that's even possible).
For the install:
- I'll make primary partitions (limited to 4 though)
- /root 10G
- /swap 2048mb
- delete luks headers of the data/backup drives 1min
- ext4, rename as /data and /backup
- create one volume each for encryption
- From the text install, I don't see where I can encrypt /home yet. Might have missed it. I'll try again.
- I'll try installing nothing on the mbr (no GRUB). I didn't get a clear answer about that yet.

hack and hack
Offline
Joined: 04/02/2015

SeaBIOS still doesn't show all my disks, and doesn't boot the newest install either.

Internal VGA only displays SeaBIOS (it takes longer), but it ends up not booting. It makes it harder to reflash: I must switch the CPU, get back to 4 cores where I can use internal VGA only if needed (my external GPU is over the rom chip slot).

I've rebuilt a rom with "Run VGA Option ROMs" enabled.
It's supposed to retrieve VGA data from the external GPU for Coreboot to use it. I'll flash tomorrow.
Maybe I'll add GRUB chainloaded, just to have one more option to troubleshoot with.

Before that, I'll try to fetch SeaBIOS log from the LiveCD.

hack and hack
Offline
Joined: 04/02/2015

It seems I'm out of ammo. The log I got was limited to whatever I booted on. Meaning it's a log about the live session, not about the prior failed boot from disk.

Also, the vga rom option seems to be useless, since SeaBIOS is already displayed.

I'll see what else I can try for the 6 cores.
But else, tomorrow I'll try a 4 cores rom, with microcode updates and SeaBIOS.

I can access my drives from the live session btw, but the big drives made mouse and keyboard unresponsive, even after unplugging/replugging.

hack and hack
Offline
Joined: 04/02/2015

Lilos:

After some time i was able to fix all my problems :)

Libreboot do not work.

Coreboot works ! I build with no microcode updates and with seabios!

Coreboot have one bug also but in irc we fixed configuration file generation!

Also no boot wait!

System boot super fast !
Lilos, how did you do it?
Personally, without microcode updates, it's not working.
Also I do have boot wait.
What is the config you use?

Maybe it's a matter of CPU model, RAM model and amount of ram.

hack and hack
Offline
Joined: 04/02/2015

I gave up on the 6 cores CPU, I don't know what else to try with it. The info I got on IRC was rather cryptic this time.

So back to the 4 cores, with SeaBIOS only. I can see the liveCD menu, but no way to see the live session with the internal GPU (VGA). No way to start the install on disk.
The external GPU (DVI) does show the liveCD boot process, but it doesn't reach the live session either.

But at least SeaBIOS does show all my disks this time.
That's the only positive aspect compared to the 6 cores for now.

In a nutshell:
- 4 cores with GRUB chainloaded from SeaBIOS loads the liveCD just fine.
- 4 cores with SeaBIOS only fails to load the liveCD.
- 6 cores with SeaBIOS only loads the liveCD.

This board is playing with me, I have no other explanation.
I don't know what to do. Maybe remove some RAM.

hack and hack
Offline
Joined: 04/02/2015

OK, removing some RAM made the boot faster, at least.
But still the same issues otherwise.

So I tried Libreboot again, and while the boot time is slow, it gives the best results: it goes beyond the SeaBIOS screen on the disk install (and the LiveCD works fine). But I land on a blank screen with a blinking underscore. I'm investigating that right now. It could be:
* a kernel issue
* GRUB being installed on the wrong drive (I use SeaBIOS anyway)
* maybe other reasons, still searching.

The install on disk was still failing, but eventually it ended OK (with GRUB installed, though I don't need it, and without network updates because it kept on failing earlier).

So, provided I find a way to boot all the way, and that Libreboot seems to work, then I must be doing something wrong with Coreboot, though I've read a lot of doc, a lot of help in "make menuconfig".

If someone has a clue, I'm interested. The Coreboot boot time is way better than Libreboot's.

Anyway, with Libreboot (vesafb), forget text install. But I remember a suggestion about installing the OS from another computer. let's try that.

Else I'm stopping this. It might work for a few people, but not for me, and it's not like I didn't try.

hack and hack
Offline
Joined: 04/02/2015

I can't access the live session anymore from Libreboot (and nothing changed AT ALL since last time it worked).

It maybe works for a few people (lilos, jxself, the Libreboot team), but not for me. And it's not like I didn't try.
I have nothing else to try anyway. Both #libreboot and #coreboot I've tried extensively.

So yeah, I give up. Unless you're an expert, DON'T BUY the KFSN4-DRE. It's not liberated enough to be used, in my experience.

hack and hack
Offline
Joined: 04/02/2015

Out of sheer desperation, I reflashed Libreboot. I can reach the live session again this time (gotta make sure that such instability is unrelated to hardware unplugging/replugging, even if it's only the monitor).

So most likely the problem is the install.
I tried to chroot, but I don't know if it worked.
But I tried "update-initramfs -u" because I have an fsck error 2, and it says I can't because I'm on read-only media.

So I think chrooting failed, but I don't know why.
I can access the drives from a file explorer though.

I don't know why it's so problematic since the last install attempt (although not network connected) went just fine.

I'll probably have difficulties making a minimal install.

EDIT: OK, after flashing, I can reach the liveCD. if I restart, not changing anything, no way to boot it all the way, as if the graphic initialization only works once. The keyboard (ps2) is locked after a reboot.
I can't remove the CMOS for 20 min after each reboot only to fix that.

I discovered that if I hit ctrl+alt+esc during a failed liveCD boot, it brings me back to SeaBIOS (though the keyboard gets locked after that).

hack and hack
Offline
Joined: 04/02/2015

IT WORKS!!!

Well, not with Libreboot:
* keyboard fails to work after reboot unless removing CMOS
* it couldn't launch a good disk install.
* it couldn't reach the LiveCD after the first flashing of the rom on the chip

With Coreboot (thanks to #coreboot):
* I built only for i386 since 64 bits isn't supported (it switches to 64 bits when the OS boots up)
* "Graphics initialization" --> "None" in the Devices menu (CONFIG_NO_GFX_INIT)
* in the Console menu deselect "Use onboard VGA as primary video device" (CONFIG_ONBOARD_VGA_IS_PRIMARY)

I also updated my Coreboot sources, mine is nearly 10 months old...
I can reach the LiveCD, the install on disk (there is the fsck error displayed, but I still can boot), and it seems stable.

What's left to do:
* fixing VGA support (both internal and external GPU). Ext VGA works only on the live session.
EDIT: I just learned you can never have both internal and external GPU working during the boot. however they can both work in the OS. But it's not vital, I'll just have to switch chips twice for flashing a new rom, that's OK.
* try it for the 6 cores

What doesn't work at all:
I doubt it's worth it to try GRUB just yet (great for more security, and it would be better with usb keyboard support).
It would be even better if USB booting.

OK, let's try for 6 cores and call it a day.

hack and hack
Offline
Joined: 04/02/2015

6 cores was officially unsupported by Asus for my version of mobo. Unfortunately, I didn't succeed in making it work.
And I'm tired of all this anyway.

So I'll stick to 4 cores since finally it's working well with SeaBIOS.

Yet to fix (but I'm done working on it):
* GRUB doesn't work (biggest downside)
* LiveUSB doesn't work