Should I be worried about firmware/BIOS, and chips?
Hello,
I'm running Trisquel, but I don't know anything regarding whether or not the BIOS/firmware/chip(s) on my laptop is/are "free as in freedom". I've heard of this as a concern, but as a non-programmer, I don't have the expertise to be certain about my situation.
Is it the case that, since I successfully installed Trisquel and haven't made any sort of modifications, these non-free threats are neutralized? The list of distros endorsed by the FSF on the gnu.org site includes Trisquel and says that all endorsed distros will "reject nonfree applications, nonfree programming platforms, nonfree drivers, nonfree firmware “blobs,” nonfree games, and any other nonfree software, as well as nonfree manuals or documentation." (https://www.gnu.org/distros/free-distros.html)
Does this mean I'm inherently in the clear regardless of which computer/laptop I'm running on, as long as Trisquel successfully booted and installed?
Thank you,
Trisquel does not distribute nonfree firmware (such as those in linux-firmware). Nevertheless, there is much firmware burnt in your different devices too. Some can and should be replaced by whoever values her freedoms... but we do not always have free replacements. One such firmware is the BIOS/UEFI and Libreboot supports some (old) hardware: https://libreboot.org
How much more is there? I mean, my X200T is librebooted, but is there something more to be done? Isn't it fully libre? My desktop is not librebooted but runs Trisquel fine. One just can't go to a store and buy a fully libre computer right now. This is quite confusing also. You got a libre computer but it's not fully libre but you can't get more libre, eh?
> Is there something more to be done?
https://trisquel.info/en/forum/librebooting-my-desktop#comment-166973
If you consider nonfree firmware that is not meant to be upgraded, there is more. Essentially in every peripheral (hard disk drives, solid-state drives, optical disc drives, video BIOS, printers, scanners, webcams, USB flash drives, etc.): https://en.wikipedia.org/wiki/Firmware#Computers
Before running the Linux kernel and all the GNU tools distributed by Trisquel, the CPU in your computer is running a programme called "bootloader" (that can be several programmes launching each other, which can be called "first-stage bootloader", "second-stage bootloader", "secondary program loader" or other names but the number of stages and details can depend on the exact CPU model).
The bootloader programme may be stored on a ROM (cannot be modified) or a flash memory (can be modified).
That programme may completely stop running when Linux and the GNU programmes are started, but it may still be running and doing some things. However, from within Trisquel, you may not be able to see whether it is running or not; it could be impossible to detect.
So the only way to have full control over what the CPU does in your computer would be to be able to study the bootloader and modify it.
Unfortunately, on most computers, the bootloader is proprietary software. Worse, modern Intel and AMD CPUs will stop running if that programme does not include a part cryptographically signed with a key that is only available to them, so you can't replace that part.
Libreboot is a free software replacement for the bootloader (actually, for one piece of the bootloader: Libreboot calls GRUB, which is also a bootloader, in order to boot Linux and Trisquel).
However, it is only supported on somewhat old (but still functional) generations of Intel CPUs. On newer Intel and AMD CPUs, the best one can do is use coreboot, which is free software but must still include the proprietary parts necessary to use the CPU (Libreboot is a distribution of coreboot that, until now, does not include any non-free part).
There are alternative modern CPUs that can run with an entirely free bootloader: some ARM CPUs, but Trisquel is not easy to install on them, and the POWER 9, but Trisquel does not support it yet and it is really expensive.
As I am worried about this, I bought a D8 from Vikings, which uses coreboot without any non-free part (similar to Libreboot). It works well with Trisquel 11 (not officially released yet, but it actually works fine for me), but it wasn't working well with Trisquel 10 (I had switched to Debian before).
If I now had to get a computer and couldn't get one with a free bootloader, I would probably try getting something really cheap so that, if I can change it later to get a computer with a free bootloader, I will not have wasted too much money.
That is the best advice I can give now.
Note: as explained on the Libreboot web site, there may be other processors in your computer, e.g. an "embedded controller", typically in a laptop, or the processor controlling your HDD/SSD.
As far as I am aware, there is no HDD/SSD with a processor running free software. Could your computer do things out of your control because of that? Most likely yes. Am I worried about this? Yes, but besides encrypting my disk, to reduce risks of unexpected interference, I know no solution.
Firmware is software, and all software must be free.
Thanks for all your responses.
So it sounds like just because I successfully installed Trisquel, that doesn't deactivate all binary blobs etc. in the firmware?
.... but if I got a laptop pre-installed with Libreboot, I would be free of all binary blobs?
> .... but if I got a laptop pre-installed with Libreboot, I would be free of all binary blobs?
Running on the main processor, yes.
Still, if you have this on a Lenovo laptop (like X200, T400 or T500):
- the embedded controller ("EC", a separate processor) is running some proprietary firmware from Lenovo
- the disk controller (a separate processor) is running proprietary software, but that is in every disk.
As far as I am aware, there is currently no disk with a processor running free software, so it is the same situation whatever computer (and disk) you are using.
The Libreboot site mentions that https://libreboot.org/docs/hardware/c201.html has a free EC firmware, but it is more limited and less easy to find.
PS: I am a happy user of an X200 and of a T400.
Read the article about the ASUS chromebook C201 at the link mentioned. It says that GRUB is not used, but 'depthcharge' instead; it says "This is free software, maintained by Google." If Google is involved, is it trustworthy?
Since it is free software, you or anybody else is free to study the source code, to modify it (for instance to correct a bug) and to redistribute the improved source code. It is a great incentive to not be malware. It is possible to disguise a backdoor as a bug. But why the hassle? If Google wanted a backdoor, it would be easier to only distribute binaries.