ilikenwf changed the title from "Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH" to "Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Errata" (Aug 22, 2024)
ilikenwf changed the title from "Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Errata" to "Feature Request(s): Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Errata" (Aug 22, 2024)
ilikenwf changed the title from "Feature Request(s): Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Errata" to "Feature Request(s): Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Others" (Aug 22, 2024)
ilikenwf changed the title from "Feature Request(s): Utilize the HAP bit instead of the AltFwMe Disable Bit, Stop Hiding from PCH, Others" to "Feature Request(s): Port Over the Beneficial Security Enhancements Made by Dasharo's Fork" (Aug 22, 2024)
Aaron suggested I make this request. I hope it’s not too forward, but it appears that Dasharo has recently added very good privacy and security features to both coreboot and their edk2 payload and module. Since Dasharo originally forked from your work on Clevo machines, I was wondering if some of these features could be integrated into System76's firmware.
One notable feature is the ability to set the HAP offset bit location, allowing users to choose between ME enabled, ME disabled (AltFwMe), and ME disabled (HAP bit). Please note that the use of the HAP bit is seen as a much more secure and trustworthy way of disabling IME; it does not require hiding it from the system, and can be verified. I can provide references for this if you require them. This is all quite different than what Aaron pointed out in upstream coreboot.
Additionally, Dasharo has introduced password options (including password protection for BIOS setup) and other security features, which can be reviewed in their coreboot Kconfigs. I prefer System76 and would love to see these features ported or replicated in your firmware instead of having to buy my next machine from a competitor overseas.
For reference, here are the ME HAP bit definitions:
https://github.com/Dasharo/coreboot/blob/dasharo/src/soc/intel/common/block/include/intelblocks/me_18.h#L7
https://github.com/Dasharo/coreboot/blob/dasharo/src/soc/intel/common/block/include/intelblocks/me_16.h#L7
https://github.com/Dasharo/coreboot/blob/dasharo/src/soc/intel/common/block/include/intelblocks/me_15.h#L7
And the edk2 options with ME-related settings highlighted:
https://github.com/Dasharo/coreboot/blob/dasharo/payloads/external/edk2/Kconfig.dasharo#L102
The actual option settings are managed in their edk2 and edk2 modules:
https://github.com/Dasharo/edk2
https://github.com/Dasharo/DasharoModulePkg
Thank you for considering this request.