Project X hopes to eXorcise binary blobs from Coreboot

commodore256
Joined: 01/10/2013

https://www.phoronix.com/scan.php?page=news_item&px=Project-X-AMD-Zen-Coreboot

I hope if this can support Ryzen 5000 that the LLVMPipe performance will be so good, it would be faster than my x4500HD and who knows, maybe I won't need LLVMPipe if this is transferable to GPU firmware.

PublicLewdness
Joined: 03/15/2020

I will be really excited if this gets Zen GPUs working on libre distros. I'll save my excitement for then though, no telling what if any success they will have or how long it will take.

nadebula.1984
Joined: 05/01/2018

Up to IvyBridge, coreboot can be blobless. However, for Haswell and Broadwell systems without Boot Guard, a few blobs are still necessary before total reverse engineering. Anyway, coreboot is still far superior to libreboot, which refuses to do anything to protect new platform users' freedom.

GNUbahn
Joined: 02/18/2016

> coreboot is still far superior to libreboot, which refuses to do anything to protect new platform users' freedom.

Will you explain?

nadebula.1984
Joined: 05/01/2018

Let's compare coreboot with libreboot:

coreboot can perfectly liberate almost any system up to Ivy Bridge without any non-free blob. It can also liberate NV Haswell and some ULV Haswell/Broadwell systems without Boot Guard, though very few blobs are still needed until completely reverse engineered. It is true that starting with Nehalem, a minimized, non-functional portion of ME must be retained in order to defuse the 30-minute time bomb. But it is Intel, who planted the time bomb, that should be condemned, not coreboot.

By contrast, libreboot refuses to do anything to protect new platform users' freedom, simply saying that since the ME cannot be completely neutralized, we won't do anything on such platforms. This is an anti-scientific attitude that we should firmly oppose.

tonlee
Joined: 09/08/2014

> Haswell and some ULV Haswell/Broadwell

About newer x86 CPUs: only Intel-signed software can get installed on the CPU? And the cryptography is so strong that the only way to circumvent it is if you are able to discover an exploitable error in the implementation. Wasn't that how they managed to partly get rid of the ME?

Do you say the above-mentioned systems do not require software signed by Intel? Because if they do, reverse engineering does not matter. Do you say it is achievable that the Haswell and Broadwell systems in question might be able to run entirely on free software if certain reverse engineering efforts succeed? Though some non-free ME software will be located on the computer but turned off.

> anti-scientific attitude

The reason why libreboot does not engage in these activities is that libreboot has decided that no piece of non-free software is acceptable. That is a policy decision, which you will agree on depending on your view about non-free software. If the signing cryptography cannot be countered, then there is no reason for participating in reverse engineering anything about the newer CPUs.

nadebula.1984
Joined: 05/01/2018

This is hilarious. Even RMS himself didn't say that not a single piece of non-free software is acceptable.

If RMS never tolerated (albeit temporarily) non-free software, there would be no free software today at all.

Therefore the guiding thought of libreboot is not only anti-scientific, but also a betrayal of history.

Magic Banana
Joined: 07/24/2010

I am quite sure RMS would disagree. Here is something he wrote, on the history of GNU:

> Unix was (and is) proprietary software, and the GNU Project's philosophy said that we should not use proprietary software. But, applying the same reasoning that leads to the conclusion that violence in self defense is justified, I concluded that it was legitimate to use a proprietary package when that was crucial for developing a free replacement that would help others stop using the proprietary package.
>
> But, even if this was a justifiable evil, it was still an evil. Today we no longer have any copies of Unix, because we have replaced them with free operating systems. If we could not replace a machine's operating system with a free one, we replaced the machine instead.

https://www.gnu.org/gnu/thegnuproject.html

Reread the last sentence.

tonlee
Joined: 09/08/2014

If you write something and it raises questions directed at you, you should respond. I asked you some questions, which you skipped.

> didn't say that not a single piece of non-free software is acceptable.

Maybe what you are saying holds some truth. Someone said the respect your freedom certification is pragmatic, meaning the hardware which is as close as possible to being run fully on free software will be able to get a respect your freedom certificate, even if that entails hardware requiring non-free software. About libreboot: they have identified the computers which best comply with the free software principles. Any other computer would be a retrograde step and not be able to get a respect your freedom certificate.

> libreboot is not only anti-scientific, but also a betrayal of history.

You reject libreboot when they conclude there is no counter measure about the signing matter?

nadebula.1984
Joined: 05/01/2018

> no counter measure about the signing matter?

There are certain countermeasures. For example, not all OEMs refuse to offer firmware signing service. At least we already implemented coreboot on a non-official ThinkPad motherboard with Coffee Lake processor. The digital signature is not executable code, therefore not counted as "blob".

Of course, we have been trying hard to figure out other workarounds (not so "Mission Impossible"). But since the FSF and libreboot worshipers won't listen, we won't tell them either. Ultimately, refusing to do any research is definitely anti-scientific, let alone on the basis of false, biased grounds.

When it comes to FSF's "Respects Your Freedom" certificate, we'd like to say that we disagree with most viewpoints of RMS or FSF. Most if not all vendors certified by RYF are vampires, exploiting their customers mercilessly. We have been trying hard to dissuade community users from buying anything from RYF vendors.

lutes
Joined: 09/04/2020

I do not understand how your post is supposed to be going against the Community Guidelines. You are completely on topic and generally not using inflammatory language. Maybe "vampires" would need further qualification, but no down vote.

People may or may not agree with your points but down-voting without even making the effort to provide a reason, instead of providing arguments, is creating the impression that they are trying to ostracize you for not toeing the party line. This is not a political tribunal, this is a place where users of various levels of technical knowledge are trying to share information, experience and knowledge in order to understand better, turn things around and become the masters of the tools they are using.

For instance, I am still at a loss to understand what people in this thread mean by "newer x86 systems". At least, you are giving names and telling us what has been possible to do with these according to what seems to be your own experience.

EDIT: outcast -> ostracize, "outcast" not being a verb - yet.

EDIT: it appears someone has reversed their downvote, in effect upvoting your post. My comment still stands for your previous posts.

tonlee
Joined: 09/08/2014

> refuses to do anything to protect new platform users'

Libreboot likely did investigate if any newer CPU would be able to match the level of free software compliance that already libreboot-supported CPUs do. And none does. Cryptographers say you cannot get around the signing.

> not all OEMs refuse to offer firmware signing service.

Can you elaborate? Does the OEM have the signing keys? Does coreboot have them? Who has the keys? They are not publicly available? If a CPU requires signed software to run on the CPU, then the signing key has to be public, such that anybody can install software of their choosing on the CPU. Else you just change the master of the encroachment from one entity to another.

> coreboot on a non-official ThinkPad motherboard with Coffee Lake processor.

Did you have the keys to sign coreboot? Are the signing keys publicly accessible? No non-free software is working on the CPU?

> The digital signature is not executable code

I agree, signing a piece of software is not non-free software. But if everybody does not have the signing keys, then that is not an acceptable circumstance.

> vendors certified by RYF are vampires

My reading is, you say that the sellers of RYF-certified computers make a reprehensible profit on each unit? You should provide documentation for such a claim. I find the prices high too. But the finance reports of the companies will probably tell that no one is making an inadequate profit from RYF items. Think Penguin has allocated profits into free software projects. To my knowledge RYF is a free software certification only. It does not regulate how sellers set their prices.

andyprough
Joined: 02/12/2015

> "Most if not all vendors certified by RYF are vampires, exploiting their customers mercilessly."

Do they make a small profit? Probably some of them do. Are they engaged in vampiric levels of exploitation? Of course not.

If you want to see vampiric, look at the way universities exploit students and their families. That's debt slavery, with many universities now going so far as taking direct contracts for a percentage of students' future income. Because the student loan debt slavery system wasn't vampiric enough for them.

lutes
Joined: 09/04/2020

> If you want to see vampiric, look at the way universities exploit students and their families.

As a respected member of the Friendly Fang Fellowship, I have to protest against this totally unprovoked libel.

Vampires have never been that harsh and that twisted. We never foster and educate people for their blood while trying to convince them that it is for their own good. We do not do cattle. We unquestionably suck blood, that much is granted, but we have recently taken to giving some back to educational charities.

andyprough
Joined: 02/12/2015

And how about the college textbook scam? I doubt that any self respecting vampire would ever stoop that low, to squeeze even more blood out of a victim that they've already sucked dry.

PublicLewdness
Joined: 03/15/2020

Libreboot is a dead project as far as I know. It's not so much that they refuse to do anything as much as there is nobody still working on it to make it work with newer systems.

jxself
Joined: 09/13/2010

"Libreboot is a dead project as far as I know"
It is still quite active, as evidenced by git: https://notabug.org/libreboot/libreboot

"newer systems"
Newer x86 systems are unsupportable without proprietary software. This is addressed in their FAQ: https://libreboot.org/faq.html#intel
Adding them would go against the whole project goal of not having them - it would be more like coreboot, which has no problem with adding proprietary junk.

Please don't mislead yourself into thinking that Project X is going to result in something along the lines of libreboot for AMD Zen CPUs. There are a number of proprietary pieces of software involved in booting (the PSP is only but one example) and this Project X is not addressing those. Because they can't. At least not until we get sufficiently large quantum computers in order to figure out the key that said proprietary software is signed with.

nadebula.1984
Joined: 05/01/2018

> Newer x86 systems are unsupportable without proprietary software

This is not true. Up to Ivy Bridge, coreboot can be completely free/libre. The minimized, non-functional part of ME (in order to defuse the 30-minute time bomb) is not part of coreboot, though it co-exists with coreboot in the SPI flash.

> Adding them would go against the whole project goal of not having them

This is not true, either. (Until Ivy Bridge,) coreboot did not add any non-free software on top of libreboot. It just retained a minimized portion of ME (which can be treated as a harmless circuit because it's no longer functional) in order to support newer platforms. Therefore, it is libreboot that is misleading users and uses the fact that ME cannot be fully neutralized on newer platforms to cover its anti-scientific nature. It is not coreboot that is defeating the so-called goal. It is libreboot that is self defeating.

PublicLewdness
Joined: 03/15/2020

"It is still quite active, as evidenced by git: https://notabug.org/libreboot/libreboot"

I'm happy to be wrong.

lutes
Joined: 09/04/2020

> Up to IvyBridge, coreboot can be blobless. However, for Haswell and Broadwell systems without Boot Guard, a few blobs are still necessary before total reverse engineering.

> Newer x86 systems are unsupportable without proprietary software.

Do you in fact agree with each other about this? Is the limit between x86 "newer" systems and older systems between IvyBridge and Haswell/Broadwell?

EDIT: it appears this is not the case. I am a bit lost now about what are "newer x86 systems".

> Coreboot is still far superior to libreboot, which refuses to do anything to protect new platform users' freedom.

> Adding them would go against the whole project goal of not having them

I guess this is the old debate between putting priority on full freedom or on as much freedom as possible given the hardware constraints. I am currently using neither boot system, so my situation might arguably be even worse. I am usually not in a position to choose which hardware I am installing Trisquel on, though.

lutes
Joined: 09/04/2020

Minifree has become RetroFreedom and re-opened yesterday:

https://retrofreedom.com/

PsychicEcho
Joined: 04/05/2020

Nice, and they accept bitcoin.