Latest "stable" Libreboot is very slow to boot Trisquel on my X200
I am a translator!
I previously had the version 20160907. I used to have the "full disk encryption" option with Trisquel 9 but I think at some point I reinstalled Trisquel 10 with unencrypted boot.
In my recollection, between the boot menu and getting the graphical screen with the cryptsetup passphrase box, it took less than 10s.
With the "stable" 20220710 version, the time it takes is much longer. I just tried 3 times and checked the exact timing. When I select the entry to load encrypted system, I see "Booting Trisquel" and the deer for quite a long time:
- First attempt: 50s then I see the cryptesetup passphrase box
- Second attempt: 120s then I see the graphical screen with the Trisquel fading and coming back. After 40s more, I see the cryptsetup passphrase box.
- Third attempt: 75s then I see the cryptsetup passphrase box
Is anyone using that version of Libreboot? I am considering to flash the 20160907 version again, it really looked more reliable.
Hey!
I think this problem stems from the coreboot used in the stabilization of libreboot. This was corrected in the test release 20221214. Then go ahead.
https://www.mirrorservice.org/sites/libreboot.org/release/testing/20221214/
Newer versions of libreboot contain nonfree software.
I am a translator!
I heard about these microcode updates.
I also heard that they are supposed to improve "security" and reduce performance, the "security" enhancement being things against meldown or spectre, which look pretty irrelevant for a computer running only free software for a single user, so this is one more reason why I'd like not to have them.
Is 20160907 the last "good" version for an X200 without them? Or is there another one?
On the T400 I bought from minifree, it is osboot that was provided, so these updates are there unfortunately. However, as I have no way to do external flashing, my manual skills are very poor (I was very very hesitant to flash my X200, now I somehow regret it), and I don't know anyone skilled to changed that, I am living with it curently.
"Page Table Isolation (pti, previously known as KAISER 1) is a countermeasure against attacks on the shared user/kernel address space such as the “Meltdown” approach 2."
"Protection against side-channel attacks is important. But, this protection comes at a cost:"
https://www.kernel.org/doc/html/latest/x86/pti.html
"When two major vulnerabilities known as Meltdown and Spectre were disclosed by security researchers in early 2018, Firefox promptly added security mitigations to keep you safe. Going forward, however, it was clear that with the evolving techniques of malicious actors on the web, we needed to redesign Firefox to mitigate future variations of such vulnerabilities and to keep you safe when browsing the web!"
https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/
"Mitigating Side-Channel Attacks
At the beginning of 2018, researchers from Google's Project Zero disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. Security researchers will continue to find new variations of these and other side-channel attacks. Such techniques have implications for products and services that execute third-party code, including Chrome and other browsers with support for features like JavaScript and WebAssembly.
The Chrome Security Team has written a document covering the variety of defense techniques available.
Protecting users with Site Isolation"
https://www.chromium.org/Home/chromium-security/ssca/
https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/
Libreboot is pushing proprietary blobs for all supported devices? Even those who work unarmed? For example, intel p8600, Penryn, in the T400?
"Known issues
Intel ME firmware missing in ROMs that need it
If you compile ROM images with lbmk directly, the build system automatically fetches ME images from the internet and neuters plus truncated them, using me_cleaner. This downloading is done to avoid distributing them directly in Libreboot, and they get scrubbed by the release build scripts.
To re-insert neutered/truncated ME into your image, look at the guide.
This applies to sandybridge, ivybridge and haswell Intel platforms, e.g. X220, T420, X230, T430, T440p. On older Intel platforms such as GM45+ICH9M (X200, T400, etc) the Intel ME image isn’t needed and Libreboot ships with ME-disabled configuration"
https://libreboot.org/news/libreboot20221214.html#intel-me-firmware-missing-in-roms-that-need-it
.
It is time to migrate to POWER ISA. But that is a long way, so I still use old x86 hardware.