Librebooting the T480 - Easier than it looks

Good news, everyone! There is now a Libreboot image for the T480! Some purists may call this a sellout, a fake, but I call it a step forward. Anything less snooping than what is currently inside stock thinkpads is a step in the right direction.

The why

For those who may not know, Libreboot is an alternate BIOS with certain features disabled or neutered. The big one is Intel ME, the Management Engine, which has the potential to backdoor your device from the ground up. Remember, the BIOS is the first thing that loads, and everything else runs on top of it, so you may not discover malware embedded in the BIOS if you’re looking from userspace.

One added bonus in Libreboot (apart from disabling a lot of the snooping potential) is that your system boots faster. The BIOS is a program that initializes the hardware, and can contain a lot of tools on top of it. Libreboot focuses on two things: starting the hardware and then booting into the OS. As many Linux users know, the first thing that boots in Linux (the OS, not the hardware itself) is usually GRUB. This starts the kernel, and your OS boots. Well, Libreboot has that built-in, so you can boot straight!

Librebooting Thinkpads

NOTE: This is not a substitute for the libreboot.org manual. I did, however, find certain passages led me in a circle, so I will try to explain the process in a linear fashion.

I have three laptops, two of which are librebooted: The X200 (Libre), X220, and now the T480. Some Thinkpads may be librebooted without external flash chips, some require a clip like the Pomona to be flashable. Unfortunately, the T480 is one of the latter, so you will require some hardware.

Hardware bill of materials

  • A Thinkpad T480 (duh)
  • A flash chip
  • Some GPIO jumper cables
  • A Raspberry Pi (I had a Pi 4 lying around, but a Zero will work too)
  • An SD card (32GB is plenty)
  • A shitton of patience

Apart from the hardware, you will also need some software. For the OS, use Raspbian. You will also need the LBMK toolkit and a Libreboot image.

Preparing flashable images

Before you take your laptop apart and start poking around chips, you can set up the environment comfortably. Please refer to the manual for the detailed steps. The steps I ran to get to a working state are:

git clone https://codeberg.org/libreboot/lbmk
cd lbmk
sudo ./mk dependencies debian

Once the setup is done successfully, you can download the Libreboot images for your device (T480 or T480s) and patch them using the inject subcommand:

./mk inject libreboot-RELEASE_targetname.tar.xz

The libreboot-RELEASE…tar.xz contains the stock image. The inject command patches the images straight inside the tar file. How do you know it’s patched properly? If it’s still the stock image, you will see the words “DO_NOT_FLASH” in the image names.

I said it before, I’ll say it again: This is not a substitute for the real thing, consider this post only a supplement to the manual so you know when you can go on to the next step.

Making sense of the images

You got a tar.xz file now, and if extracted, you will see a bin folder. Inside this are a ton of files that are the same size. These are different Libreboot BIOS images. Each of these contains a different payload you can use to make the BIOS boot the way you expect it to. My favourite is the SeaBIOS, since my OS installs GRUB by itself and not having it makes my system boot strangely. The SeaBIOS payload moves straight to your drive and any encryption you may have running on it.

There are also text/video modes, but you can use whichever you like.

Downgrading your BIOS

This is where I hit a snag: I couldn’t for the life of me find a proper working thinkpad BIOS image for downgrading. The link works now (for some reason), but I spent an hour looking for the image where I could extract it and get it on a USB.

Note on Thunderbolt

I can highly recommend you follow the Thunderbolt flashing manual. In my case, this has not been successful for one simple reason: I could not attach the clip properly. The tb.bin file contains the ROM to make Thunderbolt

Before flashing

One important thing to do is a sanity check on the clip. Once you find the BIOS chip (near the center of the board), you can attach your clip. Once the clip is attached, check that it is seated securely by doing two dumps of the ROM. If the sha256sums of the two dumps match, you can assume the chip will flash properly.

From this point forward, do not bump the desk, do not touch the wires. Pray to the Omnissiah and he will answer your prayers.

To flash the chip, run flashrom and write the image of your selection to the chip. Use flashrom or preferably the tool which Libreboot wants you to use. Afterwards, for subsequent flashing, flashrom works fine.
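The clip sanity check described above, combined with the DO_NOT_FLASH naming rule from the image-preparation step, as an added example that is not part of the original post or of the Libreboot tooling. The function and file names are hypothetical, and the blank-dump and size checks go beyond what the post describes.

```shell
#!/bin/sh
# Pre-flash gate (added example). Assumes dump1.bin and dump2.bin are two
# separate reads of the chip, e.g. `flashrom -p <your programmer> -r dump1.bin`.

# Both reads must be non-empty and hash to the same SHA-256.
dumps_match() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    h1=$(sha256sum "$1" | cut -d' ' -f1)
    h2=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$h1" = "$h2" ]
}

# A dump of only 0xFF or only 0x00 bytes is repeatable too, yet it usually means
# the clip is not really talking to the chip, so matching hashes can mislead.
dump_is_blank() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -eq 0 ] ||
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Images that still carry DO_NOT_FLASH in their name must not be written.
image_is_injected() {
    case "$(basename "$1")" in
        *DO_NOT_FLASH*) return 1 ;;
    esac
    [ -f "$1" ]
}

# The image has to be exactly as large as what was read from the chip.
same_size() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ]
}

# usage: preflash_check dump1 dump2 image ; returns 0 only if all checks pass
preflash_check() {
    dumps_match "$1" "$2" || { echo "dumps differ or are empty: reseat the clip" >&2; return 1; }
    if dump_is_blank "$1"; then echo "dump is all 0xFF/0x00: no contact" >&2; return 2; fi
    image_is_injected "$3" || { echo "image missing or not injected" >&2; return 3; }
    same_size "$1" "$3" || { echo "image size differs from chip dump" >&2; return 4; }
    echo "ok, keep this backup: $(sha256sum "$1" | cut -d' ' -f1)"
}

if [ "$#" -eq 3 ]; then preflash_check "$@"; fi
```

Keep one of the matching dumps somewhere safe: it is the only copy of the stock firmware if you ever need to write it back.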

The flash

This will take some minutes. Please wait, resist the urge. Leave the room, this process will finish faster without you monitoring it. Check back in 10-15 minutes (depending on the speed you selected). Once it is done, you should see a “VERIFIED” status and the program happily closed. Now, your laptop should boot into Libreboot. Disconnect the clips, plug in the battery, and boot. If you see a boot screen, well done! If not, try again.

After the flash

One thing I found in the IRC room for Libreboot is that the T480 does not work the same way as certain other models, in that it does not have a coreboot image. As it stands, certain things are not possible:

  • The Fn and Ctrl keys cannot be swapped around, so you’re stuck with the default ThinkPad behaviour (Fn in the corner, Ctrl next to Super).
  • Setting a SeaBIOS splash screen is complicated (I haven’t worked out a good image to set as bootsplash.)

The former takes some getting used to, the latter can be bypassed with a simple trick:

  • Set up a GRUB splash screen to the wallpaper you want
  • Set the GRUB timeout to 0, so you can boot directly to the first option
  • Now your GRUB serves as your boot screen and you can rice it (I have the LenOwO logo)

Upgrading

Now that you are running Libreboot, you can patch your system easily from the inside, without taking your laptop apart. flashrom -p internal can read/write to your chip directly from the OS.

In closing

I hope that you follow the Libreboot official manual for the specific steps. What this “manual” is meant to do is to give you a clear step-by-step. During my install, I found myself wasting hours re-reading the same section several times, since they link into one another. It’s easy to get lost without a specific step-by-step.

If you want a bit more freedom in your computing on a device that did not come out around 2010, or if you’re just interested in a snappier boot for your laptop, I can wholeheartedly recommend Libreboot. If you want a fully-free system and don’t want any proprietary blobs, you can check out some forks, like Canoeboot. These are made only for older thinkpads, but the tradeoff is that you get a fully libre system.

The last thing I want to stress (maybe to the detriment of Libreboot): It is well-made. It is not extremely difficult; hell, if I can do it, anyone comfortable in Linux can do it. Minifree Ltd. sells pre-librebooted devices, but as far as I can tell, the surcharge for flashing the device is way too much. GBP490+ for a T480 that you can find for less than half the price? Consider this process an investment.

Good luck, and may the Machine Spirit find your sacrifice satisfying.