Protectli VP2420 Dasharo Release Notes

Following Release Notes describe status of open-source firmware development for Protectli VP2420.

For details about our release process please read Dasharo Standard Release Process.

Subscribe to Protectli Dasharo Release Newsletter

Test results for this platform can be found here.

v1.2.0 - 2024-05-16

Added

• Setup menu password configuration
• Serial port console redirection option in setup menu
• Customizable Serial Number and UUID via CBFS support
• Customizable boot logo support
• Support for taking screenshots in the firmware
• ESP partition scanning in look for grubx64.efi or shimx64.efi or Windows bootmgr
• Microsoft and Windows 2023 UEFI Secure Boot certificates
• UEFI 2.8 errata C compliance in EDKII fork

Changed

• Rebased to coreboot 4.21
• Enroll default UEFI Secure Boot keys on the first boot
• Improved UEFI Secure Boot menu user experience
• Scope of reset to defaults hotkey to global in firmware setup
• Updated microcode to the newer version; refer to SBOM section below
• Updated ME to the newer version; refer to SBOM section below

Fixed

• Auto Boot Time-out is reset to 0 when F9 is pressed
• Reset to defaults with F9 causes the wrong settings to be restored
• RTC time and date resetting to the coreboot build date on 29th February
• Cannot set custom bootsplash in firmware via DCU nor cbfstool

Binaries

protectli_vp2420_v1.2.0.rom sha256 sha256.sig

protectli_vp2420_v1.2.0_dev_signed.rom sha256 sha256.sig

To verify binary integrity with hash and signature please follow the instructions in Dasharo release signature verification using this key

SBOM (Software Bill of Materials)

• Dasharo coreboot fork based on 4.21 revision 7c2c79e8
• Dasharo EDKII fork based on edk2-stable202002 revision ae0ce3e2
• iPXE based on 2023.12 revision 838611b3
• vboot based on 0c11187c75 revision 0c11187c
• Intel Management Engine based on v15.40.32.2910 revision d0b63476
• Intel Flash Descriptor based on v1.0 revision d0b63476
• Intel Firmware Support Package based on Elkhart Lake MR6 revision 481ea7cf
• Intel microcode based on EHL B1 0x00000016 revision microcode-20230808

v1.1.0 - 2023-04-20

Added

• USB stack and mass storage enable/disable option
• SMM BIOS write protection enable/disable option

Changed

• Updating from v1.0.x requires flashing the WP_RO recovery partition
• Firmware version v1.1.x are signed with a new key
• Keys must be provisioned prior enabling Secure Boot

Fixed

• VP2420 memory issues and incorrectly reported memory capacity
• Popup with information about recovery mode is still displayed after flashing with a valid binary

Known issues

• pfSense boot time
• Double characters in pfSense initial boot phase

Binaries

protectli_vp2420_v1.1.0.rom sha256 sha256.sig

To verify binary integrity with hash and signature please follow the instructions in Dasharo release signature verification using this key

SBOM (Software Bill of Materials)

• coreboot based on c86c926 revision e36a117d
• edk2 based on 7f90b9cd revision 19bf14b4

v1.0.1 - 2023-02-02

Added

• TPM 2.0 support over SPI interface
• TPM Measured Boot

Changed

• Downgrade edk2 Secure Boot driver to achieve consistent user experience as on the VP46XX v1.0.19 release

Fixed

• Dasharo BIOS lock menu is missing
• iPXE entry doesn't occur in setup menu
• Impossibility of pfSense/OPNsense console versions installation

Known issues

• Popup with information about recovery mode is still displayed after flashing with a valid binary
• pfSense boot time
• Double characters in pfSense initial boot phase

Binaries

protectli_vp2420_v1.0.1.rom sha256 sha256.sig

To verify binary integrity with hash and signature please follow the instructions in Dasharo release signature verification using this key

SBOM (Software Bill of Materials)

• coreboot based on c86c926 revision 54cbbc5b
• edk2 based on 7f90b9cd revision e31b7a71

v1.0.0 - 2022-12-22

Added

• Support for VP2420 platform
• Vboot Verified Boot
• TPM Measured Boot
• Vboot recovery notification in UEFI Payload
• UEFI Shell
• UEFI Secure Boot
• BIOS flash protection for Vboot recovery region
• UEFI boot support
• Intel i225 controller network boot support
• Customized boot menu keys
• Customized setup menu keys
• Configurable boot order
• Configurable boot options

Binaries

protectli_VP2420_v1.0.0.rom sha256 sha256.sig

How to verify signatures:

wget https://3mdeb.com/open-source-firmware/Dasharo/protectli_vault_ehl/v1.0.0/protectli_vp2420_v1.0.0.rom
wget https://3mdeb.com/open-source-firmware/Dasharo/protectli_vault_ehl/v1.0.0/protectli_vp2420_v1.0.0.rom.sha256
wget https://3mdeb.com/open-source-firmware/Dasharo/protectli_vault_ehl/v1.0.0/protectli_vp2420_v1.0.0.rom.sha256.sig
gpg --fetch-keys https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/master/keys/master-key/3mdeb-master-key.asc
gpg --fetch-keys https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/master/dasharo/3mdeb-dasharo-master-key.asc
gpg --fetch-keys https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/master/customer-keys/protectli/release-keys/protectli-dasharo-firewall-release-1.0-key.asc
gpg --list-sigs "3mdeb Master Key" "3mdeb Dasharo Master Key" "Protectli Dasharo Firewall Release 1.0 Signing Key"
sha256sum -c protectli_vp2420_v1.0.0.rom.sha256
gpg -v --verify protectli_vp2420_v1.0.0.rom.sha256.sig protectli_vp2420_v1.0.0.rom.sha256

SBOM (Software Bill of Materials)

• coreboot based on c492b427 revision c86c9266
• edk2 based on e461f08 revision 7948a20
• iPXE for EFI revision 988d2