Coreboot Ported To The Librem 13 Laptop, Without Purism

32 replies [Last post]
Mzee
Offline
Joined: 07/10/2013

There is some interesting news about the Librem project:

"The controversial, crowd-funded Librem laptop that aimed to be fully open down to the firmware but ended up shipping with an AMI UEFI firmware for the initial release has now been ported to Coreboot for the Librem 13 model. The Coreboot support wasn't done by Purism, the company behind the Librem, but rather a Coreboot developer at Google." (https://www.phoronix.com/scan.php?page=news_item&px=Coreboot-Hits-The-Librem-13)

Please note that "the port allows for Coreboot to boot the Librem 13 with Coreboot. However, it's not fully-open but relies upon the Intel firmware blobs, as is sadly the case for all recent generations of Intel processors." Thus, there's still no chance to boot these laptops with libreboot....

davidnotcoulthard (not verified)

...leaving Librem a tiny bit freer than Chris' laptops (a tad ironic considering how Chris doesn't do false kickstarters and all those things)?

Allanitomwesh
Offline
Joined: 10/24/2015

It is rather disappointing that the Librem guys just gave up on what was, at the very least, a worthy attempt at free hardware.
From their recent commentary it seems they won't be bothering with total freedom anymore but rather privacy and openness.

onpon4
Offline
Joined: 05/30/2012

Let's be perfectly clear: there was never a chance at all for Purism's laptops to be "free hardware", or 100% libre software, or even privacy-respecting. The hardware they have sold to people is hardware which will not run without the Intel ME, which must be signed by Intel and which Intel couldn't release as libre software even if it wanted to.

If the people behind Purism aren't frauds, they are massively deluded. They also have not given up. Giving up, in my opinion the only ethical thing they could do after all the false statements they have used to convince people to pay premiums for average laptops, would mean offering to refund all of their customers in full and shutting down their operations. They have not done this.

Allanitomwesh
Offline
Joined: 10/24/2015

They did seem to be deluded, even claiming they would reverse engineer the 5th generation Intel chip and "talk to Intel about the ME key" even though Google couldn't get it out of Intel after a fleet of Chromebooks.

duncan@bguthrie.plus.com
Offline
Joined: 02/07/2016

They made false statements, so I would say they misled their customers. They
thought they could bring free hardware to the mainstream audience but the
only way they could see how to do this was by using hardware known to be
flawed, and in doing so alienated the people who have been interested in free
hardware for a long time (and other people who read the small print). If they
had the resources to produce their own hardware, then they should have chosen
some sort of ARM chipset. Certainly they did mislead people about what free
hardware really is. It is difficult to tell why they did this, though.

duncan@bguthrie.plus.com
Offline
Joined: 02/07/2016

They are using Intel chips, so it has the backdoor. So they aren't really
catering to privacy, except for the fact they have removed Windows.

vita_cell
Offline
Joined: 07/19/2015

As I can see, there are still no freer computers than librebooted laptops.

GNUtoo
Offline
Joined: 11/10/2009

The fact that the ME is required to boot the computer depends on the generation of the Intel platforms.

On older platforms such as GM45/GS45 it's not.

On some more recent platforms it is. Code has to run and initialize things that are required to permit code execution on the main CPU (I don't remember exactly what, probably clock lines).

The issue is that the ME firmware is signed on most laptops.
It's totally unknown if it's signed on the puri.sm laptops.

Some early silicon revisions (I don't remember on which generation) have the ability of having the bootrom replaced by a flash chip, making it possible to bypass the signature check.

Having the ME chip disabled is good, but not good enough for me to actually use a computer with such chip as my main computer.

Without free software running on it, we won't have good documentation of what that chip is actually capable of.

Most of us probably know the dangers of such chips when running proprietary software, but do we know its dangers when it's supposedly off? Hard to say without documentation.

-> As far as I know, the ARC architecture (which is used in older ME) permits defining your instructions; I've no idea if that's permanent or if it permits overriding instructions.
-> Part of the code running on the ME is in rom, and it cannot easily be dumped.

So, is the ME bootrom responsible for powering itself off when reading some flash descriptor bits? If so can the modification of instructions be enough to have persistent code execution even when no firmware is given to that ME? What else would that ME be capable of?

Having a free firmware would also permit us to run 100% free software on more recent computers.

Given the amount of RAM that is reserved to the ME, having GNU/Linux on it would make sense. That can probably result in some creative uses of it.

According to some blog posts, there are actually people using AMT under GNU/Linux voluntarily, because of the out-of-band features it offers.

Even if it was free, I wouldn't use it for that. It however may be useful for other things, for instance, to create a test farm for coreboot/libreboot. I don't have other ideas (yet) to use it.

Edited shortly after posting to correct typos and line breaks, and to clarify it.

Denis.

vita_cell
Offline
Joined: 07/19/2015

Sorry, what is AMT?

jxself
Offline
Joined: 09/13/2010

It's the backdoor:
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

Look at what's listed in "Applications" to see what is possible remotely.

And what's worse: "Almost all AMT features are available even if PC powered is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed."

vita_cell
Offline
Joined: 07/19/2015

Thank you, jxself, yes, I know what it is. Just forgot that AMT is Active Management Technology. But I don't know how dangerous it is, and what they can do with your computer. I use a desktop computer with i7 2600, cuz I need it to play games. Yes, I know, it is backd00red and blobbed, but not my OS.

Is AMT (and other Intel crap) removed from Librebooted laptops? (I am using Macbook 2,1 and x60).

jxself
Offline
Joined: 09/13/2010

"But, I don't know how dangerous it is, and what they can do with your computer."

Look at the "Applications" section in the Wikipedia link I provided earlier to see what AMT can do.

* Remotely power up, power down, power cycle, and power reset the computer.
* Remote boot the PC by remotely redirecting the PC's boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device. (So someone could boot the computer using their own remote disk image.)
* etc.

BCG
Offline
Joined: 07/07/2015

That is terrifying and unbelievable. I never looked that up before but I'm glad you pointed that out. Makes me real glad that I started using Libreboot last year.

vita_cell
Offline
Joined: 07/19/2015

But I cannot understand why they need/want these features?

onpon4
Offline
Joined: 05/30/2012

It makes it possible to control your computer remotely in a really advanced way. Can be used to counter theft, restart down servers remotely, stuff like that.

lembas
Offline
Joined: 05/13/2010

> But, I don't know how dangerous it is

It can do anything you can at your computer and then some.

duncan@bguthrie.plus.com
Offline
Joined: 02/07/2016

Libreboot removes it all, using painful reverse-engineering. Although some
firmware does remain in the embedded controller (which controls various bits
of hardware), it is considered 'trivial' because it is low-level; it can't be
updated easily so is considered 'hardware'. However someone is working on a
free replacement. Libreboot removes the really concerning Intel firmware,
essentially.

duncan@bguthrie.plus.com
Offline
Joined: 02/07/2016

I think that the main problem with proprietary BIOSs is the Intel
'management' engine. Coreboot is barely better other than being faster. Intel
simply don't care about releasing the source, or they have some kind of
sinister interest in keeping it proprietary...
