How to verify the integrity of your firmware

Usually, firmware is applied by a computer manufacturer and subsequently maintained and updated. At least, if you are lucky enough to be the proud owner of a NovaCustom device. It’s worth noting that many computer suppliers don’t even offer firmware updates, or at least an accessible way to install them. This is concerning, as the laptop’s firmware is increasingly crucial for the overall security of your device. But how do you know that the firmware you are running hasn’t been tampered with?

The short and unsatisfying answer is: you can’t, once the firmware is installed, unless you are running Heads firmware, which provides integrated integrity verification methods. To ensure the firmware’s integrity with the default EDK II (TianoCore) firmware version, you will need to overwrite the firmware. And that’s exactly what we are going to do in this article.

There are two types of firmware present on the motherboard of the laptop:

  • BIOS firmware
  • EC firmware

In this article, we are focussing on the BIOS firmware, as that’s the type of firmware that is responsible for the boot process and could potentially contain malware.

Note: when flashing firmware, always make sure that the BIOS firmware version corresponds with the EC firmware version. Otherwise, the laptop may not boot or stability issues may occur.

1. Build the firmware

Dasharo coreboot firmware builds are reproducible, so the first thing we want to do is to build the firmware from source. The build requires Docker, and it is easier to install it with apt than to follow the Requirements steps of the building guide. So open a terminal window (Ctrl + Alt + T) and execute:

sudo apt install git docker.io -y

Now, please follow the Dasharo firmware building guide (only the steps under the Build Dasharo BIOS firmware section). Steps 1, 2 and 3 should be executed exactly as described there.

After executing the line from step 4, you will get a permission error. This is because we have installed docker from apt. Right after the error message, simply execute:

sudo !!

This runs the previous docker command with root privileges, which should avoid the permission error.

Now continue with steps 5 and 6 as described in the building guide.

If the build is successful, the binary is written to ~/coreboot/build/coreboot.rom. Please note that the building process can take a long time.

Note: Heads has a dedicated building manual. The binary might be located at a different place. In further commands, please make sure you change the binary path accordingly.

Now proceed with 2: Note the hash of the binary.

2. Note the hash of the binary

Now that we have the firmware binary, let’s make it identifiable by recording its sha256 hash. We can do so by executing:

sha256sum ~/coreboot/build/coreboot.rom

The output shows the hash followed by the filename, like this:

Note: this is just an example output.

00b6338389cc5d020b641629971aac6d4047be6134c6e8d0228140edc42584f6  coreboot.rom

You can build the firmware on another computer that is in another network and then verify that the sha256 hash is the same.

What if the hash doesn’t match?

If the hash does not match, the source code (or configuration) used for your build differs from the one used for the other build. This may indicate tampering, but not necessarily: file corruption can also change the hash.

Note: even the tiniest change in the configuration causes the hash to be different.

We have started a discussion about verifying your build against the binary released by the firmware developers. Currently, this is not possible because of vboot signing.

Please join the discussion on Github!

3. Install the firmware

There are two ways to install (overwrite) the laptop’s firmware:

  1. By internal flashing.
  2. By external flashing.

External flashing is the safest method, but requires some tools. With internal flashing, one could argue that the flashing process could – in theory – be faked by malicious firmware. Still, we explain how to flash firmware internally, as some might not have the needed tools to flash the firmware externally.

Flashing internally

First of all, copy the coreboot.rom file to a USB pen drive.

Then, make sure that BIOS Boot Lock, SMM BIOS Write Protection and UEFI Secure Boot are disabled.

Boot the laptop to the Dasharo Tools Suite. You can even build DTS from source and flash it to another USB pen drive if you do not trust the integrated iPXE boot option, or if you are running Heads, which does not have iPXE booting integrated.

Once DTS has booted, the DTS main menu asks you what to do. Choose option 9: Drop to shell. Now, execute:

mkdir /mnt/usb

Now, insert the USB pen drive that contains the coreboot.rom file. Identify it with the following command:

fdisk -l

Mount the USB pen drive’s partition to the folder that you created earlier by executing the command below.

Please note that in the example below, we use /dev/sda1. However, the partition path could be different depending on other storage drives that are possibly attached. Replace /dev/sda1 with the partition path that you have identified with the earlier executed fdisk -l command.

mount /dev/sda1 /mnt/usb

Now again, verify the sha256 hash of the coreboot.rom binary by executing:

sha256sum /mnt/usb/coreboot.rom

This is not only to check that the binary has not been tampered with in the meantime, but also to make sure that it was not corrupted during the copy process.

Make sure that this hash is the same as the hash you noted in step 2.

Now flash the binary and power off the laptop once the flashing process has completed. You can do both with the following command:

flashrom -p internal --ifd -i bios -w /mnt/usb/coreboot.rom && systemctl poweroff

The flashing process will start. This takes about 3 minutes. After that, the laptop shuts down and the firmware has been successfully installed.
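The two hash checks in this article (comparing the build from step 2 with a build made on another computer, and checking the copied coreboot.rom just before flashing it) can be scripted so that flashrom only runs when the hash matches the one you noted. The script below is an added example, not part of the original article or of the Dasharo project. It assumes the DTS shell layout from this section (/mnt/usb/coreboot.rom), takes the expected hash as an argument, and goes slightly beyond the text by also reading the expected hash from a checksum file written on the other build computer; the file name verify_and_flash.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or the Dasharo project): verify a
# coreboot.rom against the sha256 noted in step 2 and flash only on a match.
# Assumes the DTS shell layout from this section (/mnt/usb/coreboot.rom);
# the flashrom invocation is the one the article uses for internal flashing.

# Print the SHA-256 of FILE. Uses sha256sum (coreutils, as in DTS) and
# falls back to shasum so the verification half also runs on a macOS host.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_rom FILE EXPECTED: 0 on match, 1 on mismatch, 2 if FILE is missing.
# The expected hash is lower-cased first, so a hash copied in upper case
# from the other computer still compares equal.
verify_rom() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_rom: $file does not exist" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# write_checksum FILE: record the hash next to the build (step 2) in the
# "<hash>  <name>" format that sha256sum -c understands, so the second build
# computer can compare without retyping 64 hex characters.
write_checksum() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$1.sha256"
}

# verify_rom_with_file FILE SUMFILE: like verify_rom, but takes the expected
# hash from a checksum file produced by write_checksum on the other machine.
verify_rom_with_file() {
    verify_rom "$1" "$(cut -d' ' -f1 "$2")"
}

# flash_if_verified FILE EXPECTED: the article's internal flash command,
# gated on the hash check; nothing is written to the chip if verification fails.
flash_if_verified() {
    verify_rom "$1" "$2" || return $?
    flashrom -p internal --ifd -i bios -w "$1" && systemctl poweroff
}

# Usage from the DTS shell, after mounting the pen drive:
#   sh verify_and_flash.sh /mnt/usb/coreboot.rom <hash noted in step 2>
if [ "$#" -eq 2 ]; then
    flash_if_verified "$1" "$2"
fi
```

The mismatch branch prints both hashes to stderr and exits non-zero, so a wrong or corrupted copy stops the procedure before any write to the SPI chip rather than after it. On the second build computer from step 2, write_checksum produces the same file that sha256sum -c would consume, which makes the cross-machine comparison a single command instead of a visual check of 64 hex characters.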

Flashing externally

If you do not want to rely on the Dasharo Tools Suite, or if you are afraid of faked firmware flashing, you can flash the firmware externally. This requires the following tools:

  1. A CH341A firmware programmer that flashes at the correct voltage. You can buy one in our shop.
    – You need the EEPROM clip version for Intel 11th Gen CPU boards and lower. You need the WSON 8×6 variant for Intel 12th Gen CPU boards and higher.
  2. In case your laptop has a WSON 8×6 firmware chip: a clamp to keep the probe in place instead of the clip.
    – This is included if bought in our shop.
  3. Something heavy to put on the clamp, to make sure that the probe stays on the WSON 8×6 chip during the flash process. We use big pincers for that.
  4. Another computer with GNU/Linux installed that has internet access. The steps below are described for Ubuntu.

On the other computer, download, build and install flashrom version v1.3.0 or higher by executing the following commands:

sudo apt update
sudo apt upgrade -y
sudo apt remove flashrom -y # To remove any existing flashrom versions
sudo apt install git make binutils build-essential ca-certificates libpci-dev libftdi-dev libusb-1.0-0-dev -y
git clone https://github.com/flashrom/flashrom
cd flashrom
make CONFIG_CH341A_SPI=yes
sudo make install

Now that flashrom has been installed, it’s time to unscrew the bottom case of the laptop that you will flash. Then connect the CH341A 3.3V programmer to the flashrom computer and connect the probe to the main SPI (BIOS) chip by using the clamp and the heavy item. Please see the image further down to see how this can look. During the flash process, it is important that the CMOS battery as well as the main battery are disconnected.

Start the flash process with the following command:

sudo flashrom -p ch341a_spi --ifd -i bios -w ~/coreboot/build/coreboot.rom

Note: the command above assumes that your coreboot.rom binary is located at ~/coreboot/build/coreboot.rom. If needed, replace it with the correct path.

In some cases, flashrom asks you to specify the chip. If so, append -c DETECTEDCHIP to the flashrom command, replacing DETECTEDCHIP with the name of the first detected chip from the earlier output (in double quotes). If the command fails, try again with the second detected chip.

The flashing process starts when flashrom prints Reading flash. The whole flash process takes about 10 minutes, so please be patient. Time for coffee! As soon as the flashing process has completed, the output contains VERIFIED.

Once the flash process has been completed, you can remove the probe and the programmer. After that, make sure to reconnect the CMOS battery and the main battery. You can now install the bottom case and power on the laptop.

Note: the first boot can take up to two minutes.

Note: flashing the firmware also resets the UEFI firmware settings to the defaults. For most use cases, we recommend disabling the Intel Management Engine (ME) after flashing. You might also want to check other Dasharo System Features to enable security features that are possibly not enabled by default.

About the author: Wessel Klein Snakenborg is passionate about technology since childhood. He launched NovaCustom in 2015, crafting tailor-made laptops with privacy and security in mind. With a focus on user-friendliness, NovaCustom continues to redefine the laptop experience, led by Wessel's commitment to innovation and collaboration.
