Researching for a laptop
- Vous devez vous identifier ou créer un compte pour écrire des commentaires
Hi,
I am looking for a new laptop but I can't seem to find what fits my requirements:
0. RYF (or as close to it as possible)
1. I need power - decent CPU performance, HD graphics (preferably 4K), lost of RAM (32GB+). Not really what one can find on ryf.fsf.org
2. I don't like to spend money for refurbished stuff. To my mind buying a machine is investment in the future, not in the past.
3. I hate the CPU vulnerabilities. I need a secure system, not something flawed by design and patched. AFAIK modern CPUs, e.g. AMD's', are not affected. (if you know more about it please share)
4. I want to have this "today" (i.e. not wait for months and years for what may or may not come in future, however wonderful that may be).
More considerations:
In another recent thread [1] it was said that "coreboot is way better than libreboot". Unfortunately I have not used either, so I would appreciate more info.
The top experts who know much more about computers don't seem to be "afraid" to use non-RYF hardware [2]. So one could ask a logical question: Why should I be?
I wonder what my options are.
Please share thoughts and info.
[1] https://trisquel.info/en/forum/lenovo-reputation#comment-154634
[2] https://linux.slashdot.org/story/20/07/03/2349231/linus-torvalds-likes-his-new-amd-threadripper-system
*Correction: "4K" should read "4K output"
If you want something right now, the best you can probably do is the System76 Serval laptop with an AMD chip and Nvidia graphics, but I don't think it has coreboot: https://system76.com/laptops/serval
Could be that the Serval is right in line with what you are looking for if you need something now.
If you are willing to wait longer, System76 is supposed to be coming out at some point with a laptop with coreboot and with an AMD chip and AMD graphics.
In what particular sense is that RYF?
It's not - that's what I'm saying. The closest you are going to get to your wish list right now is an AMD laptop without coreboot. There's nothing RYF about any of it. Or you could look at Purism's offerings - they will claim to be close to RYF, but they aren't offering any AMD chips I don't think.
Hopefully System76 will start selling the fully AMD laptop with coreboot sometime this year. It still won't be RYF. If you want RYF, you need to look at old thinkpads or at Talos Raptor workstations, or Vikings sells an RYF workstation with older AMD Operon processors: https://store.vikings.net/ryf-certified-hardware/d8ryf
> In another recent thread [1] it was said that "coreboot is way better than libreboot". Unfortunately I have not used either, so I would appreciate more info.
Coreboot requires blobs on some hardware, and on some hardware can run blobless. Libreboot is a downstream project that only makes releases for targets that don't require blobs. The FSF endorses libreboot and not coreboot because libreboot never requires blobs, whereas coreboot sometimes does. However, freedom-wise libreboot is not any better than blobless coreboot. Basically, libreboot is for people who don't want or know how to have to research different coreboot targets to determine whether/which blobs are needed.
The arguments that coreboot is better are (1) coreboot receives more timely and frequent updates, and (2) if none of the targets that run blobless meet your needs (they won't, in your case), coreboot offers a compromise by supporting some targets with blobs, whereas libreboot offers no middle ground between zero blobs and a completely proprietary BIOS.
Here is a list of motherboards supported by coreboot:
=> https://coreboot.org/status/board-status.html
> The top experts who know much more about computers don't seem to be "afraid" to use non-RYF hardware [2]. So one could ask a logical question: Why should I be?
The RYF criteria are optimized for maximum software freedom. Where software freedom conflicts with power or security, power and security lose under the FSF's criteria. It sounds like you have a preference for software freedom, but also have requirements for power and security that the FSF does not factor in, so you will reach different conclusions than the FSF.
The only RYF hardware that might meet your power and security requirements is the Talos II. Since you are looking for a laptop right now, that's not an option, but it's something to keep in mind if you are ever looking for a workstation.
Thanks for the info chaosmonk. I will look at the board list. Do you know which particular ones are without blobs?
As for Talos - right now I am looking for a laptop.
> Talos II.
In an email raptorcs.com wrote me, the company
will only manufacture hardware that comply
with the respect your freedom
requirements. Therefore I assume the
https://www.raptorcs.com/content/BK1SD1/intro.html
raptorcs blackbird computer complies with
the respect your freedom requirements. Maybe
raptorcs.com has not applied for respect your
freedom certificate about the computer.
Don't want to buy a used computer? Then I've nothing to recommend.
By contrast, I'm willing to "invest in the past" rather than the "future". The reason is simple and straightforward: Newer means more anti-feature. I'm not stupid enough to treat purchasing such anti-feature as "investment".
However, here are still some "obsolete" devices you may be interested in: ThinkPad W520, W530, W540 and W541 with coreboot, all of which support 32 GiB of memory (four 8-GiB DDR3L modules). E450 and E550 (with Broadwell processors) also support 32 GiB of memory (two 16-GiB DDR3L modules), and they are being experimented by coreboot community (no Boot Guard).
Finally, it was I that said coreboot was way better than libreboot. Up to Ivy Bridge platform, coreboot can be as free/libre as libreboot (i.e., completely reverse-engineered). Therefore ThinkPad W520 and W530 with coreboot are good choices. W540 and W541 can use T440p's coreboot implementation. Although very few blobs are still needed, we're actively working on reverse engineering and will remove the blobs as soon as we hacked it. For E450 and E550, we're sure that there's no Boot Guard and we are doing research on them. (Indeed, purchasing such coreboot-able computers is, by contrast, really "investment in the future", because they can be liberated, not only theoretically but also practically.)
nadebula.1984,
Very interesting info, new for me. Thanks.
Which of the models you mention can be used without any blobs whatsoever? (which I believe would make them equivalent to Libreboot, freedom-wise).
Also are there any companies that sell them corebooted? If not - what does one need to do it oneself?
> can use T440p's coreboot implementation
What does this mean? (I am not a coreboot user for the moment)
> Don't want to buy a used computer? Then I've nothing to recommend.
[I know what I have said in the past about the manufacturer but still for the sake of research completeness]: What do you think about the Librem 14 and Librem Mini? I am asking because you mentioned coreboot-capable hardware with blobs which are being worked on, which seems to be the same situation as with these two. I.e. this is modern hardware which (if I am reading you correctly) has the same freedom issues, but it is new and more powerful.
For most of your questions, see chaosmonk's reply.
In addition to purchasing computers from companies, you can also seek help from local GNU/Linux user group. Maybe someone has the tools (mainly, external programmer) to flash coreboot for you.
Regarding new computers (i.e., Skylake or newer), it is possible that certain OEMs provide firmware signing service so that you can bypass the (in)famous Boot Guard. However, Boot Guard is not the only anti-features that new platforms have. For me, another important consideration is the instruction set support. AVX2 was supported starting Haswell (4th gen. Core), but the next instruction set AVX512 was not supported (we talk about mainstream platforms only here) until Ice Lake (10th gen. Core) but not Comet Lake/Amber Lake (also 10th gen. Core). If I purchased a Comet Lake processor (e.g., i7 10710U) based computer, I didn't receive any instruction set upgrade but purchased lots of anti-features introduced generation after generation. This is why I showed no interest in platforms newer than Haswell/Broadwell (for models without Boot Guard only, of course).
If you really want to purchase new computers, it's strongly suggested that you avoid any processors that don't provide instruction sets newer than AVX2. One extreme example is the low end Amber Lake, which only supports SSE 4.1 (even worse than the 1st gen. Core, Nehalem). The results is that my programs compiled on Nehalem (SSE 4.2 optimized) won't run on Amber Lake.
Thanks.
> bypass the (in)famous Boot Guard
AFAIK me_cleaner does cannot remove it but is not a big security concern as the whole ME is basically crippled to a non-functional state. Still I agree it is a blob, i.e. undesired. If you know anything more I would appreciate if you share it.
> anti-features introduced generation after generation
I read everything you say. If I understand correctly (please correct me if I am wrong) you are saying that it makes no sense to buy something new if it doesn't support the latest greatest features in order to balance the anti-features it introduces.
Could you still explain what particular anti-features the Librem 14 and Librem Mini have, which the W530 (the most powerful completely deblobbbed one which I know of, so far) doesn't?
Can we also discuss this: AFAIK newer processors come with hardware-mitigated vulnerabilities which makes them more secure. What is the situation with W530 in regards to that? Perhaps another balance to consider.
Starting Nehalem (1st gen. Core), it is true that ME cannot be completely removed, otherwise the system will be forcibly powered off in 30 minutes. What me_cleaner did is to cripple it so that it was no longer functional. This meets Richard Stallman's definition of "circuit" firmware, because it could never be updated and couldn't do any more harm. If you don't want these at all, the best computer for you is T400s. Ultimately, it is Intel that should be condemned for planting the 30-minute time bomb, not coreboot or me_cleaner. We just did our best to defuse the time bomb. Take it or leave it.
For Librem 14, it comes with coreboot, but I'm sure whether users are free to sign their own firmware. If the users cannot freely sign their modified versions of coreboot, then the Boot Guard is still an anti-feature, leaving users at the mercy of Purism. (Purism is still a commercial company, so it's no better than Microsoft or Apple. It makes money by exploiting their workers and customers.)
And I don't believe that CPU vulnerabilities can be "hardware-mitigated" (because I can't audit this). I only trust operating system kernel hardening.
> Starting Nehalem (1st gen. Core), it is true that ME cannot be
> completely removed, otherwise the system will be forcibly powered off
> in 30 minutes. What me_cleaner did is to cripple it so that it was no
> longer functional.
I am aware of that. A few years ago I me_cleaned a desktop with i7-3770
and was using it for a long time.
> This meets Richard Stallman's definition of "circuit" firmware,
> because it could never be updated and couldn't do any more harm.
I don't know what he meant by that. To my mind a fixed malware is not
less malicious than a changeable one. It is even worse because being
fixed makes it impossible to replace with a reverse engineered or
otherwise freed firmware.
> We just did our best to defuse the time bomb.
Just for the sake of clarity: when you say this and your previous
"we're actively working on reverse engineering" - do I understand
correctly that you are a developer participating directly in these
things?
> For Librem 14, it comes with coreboot, but I'm sure whether users are
> free to sign their own firmware.
What does it mean "to sign my own firmware"?
> Purism is still a commercial company, so it's no better than
> Microsoft or Apple.
I don't understand. How being commercial makes them equally bad to
these two PRISM companies?
> It makes money by exploiting their workers and customers.
Are their workers underpaid or what do you mean? Also how do they
exploit the customers?
> And I don't believe that CPU vulnerabilities can be
> "hardware-mitigated" (because I can't audit this). I only trust
> operating system kernel hardening.
I audit the result of it by running:
grep . /sys/devices/system/cpu/vulnerabilities/*
as well as https://github.com/speed47/spectre-meltdown-checker
Also AFAIK kernel experts seem to consider microcode mitigation to be
the standard way to deal with those and the software mitigation to be
sub-optimal.
What is your info and approach to that?
You seem to know quite a lot. What do you think about the System76
laptops:
I am asking because they are:
- new: not refurbished; perhaps not affected by vulnerabilities
- more powerful than those by Purism (perhaps matching your instruction
set criteria)
- sell with coreboot, i.e. one doesn't have to risk to brick his newly
purchased computer while flashing it (I still have no info about
their blobs though, maybe you do)
- not by Purism but by another commercial company
Your thoughts and expertise are much appreciated.
Just a few comments: First, regarding the minimalized, non-functional remnant part of ME, we don't like it either, and we are willing to replace it with free/libre executive codes as long as such free/libre codes can defuse the 30-minute time bomb. According to RMS, such "circuit"-like firmware are tolerable. It is very interesting that you can tolerate such "blob" in Librem 14, but not the same one in W520.
If you want to buy a Librem 14, I won't try to dissuade you. Just keep in mind that although it comes with coreboot, chances are that the users cannot freely sign their modified versions of firmware image. In such cases, the users cannot defend themselves against the malicious codes implanted by Purism. Don't forget that Purism is also a commercial company so it's equivalently bad as Microsoft or Apple by nature.
I was hoping for answers, but it seems there is some confusion.
Please let me clarify:
I did not say that I tolerate irreplaceable firmware. On the contrary.
Otherwise I wouldn't ask explicitly which computers can work without
them.
Re. W520: chaosmonk explained it can use coreboot without blobs, so
nothing to tolerate.
Re. Librem 14: I asked what *you* think, because of it being similar
blob-wise to models you mentioned. I.e. what would *you* tolerate,
considering you sound like you are involved in the development process
and have a deeper knowledge about all this. Based on your answer about
instruction set, I put the additional questions about System76's models
which user other CPUs.
I would really appreciate answers to the questions in my previous
reply. Thanks.
> I was hoping for answers, but it seems there is some confusion.
I agree - Nadebula's answers could be confusing.
> What does it mean "to sign my own firmware"?
He must have meant signing your own coreboot image and flushing it to Librem's ROM. Mainstream computers/laptops with UEFI BIOSes sometimes make use of an antifeature, that (at least in theory) makes it impossible to use a ROM, that has not been signed by motherboard's manufacturer. It's achieved by assymetric cryptography. On boot, the CPU checks BIOS ROM's integrity and authenticity. In case of Intel, this is handled inside Intel ME, which boots before BIOS (and, as You probably know, also has its code's signature checked). You might we wondering, where the CPU gets motherboard manufacturer's public key to do the verification? Well, the manufacturer has to burn it onto the CPU (a one-time non-reversable operation) before putting it in a computer which it then sells to You. This means, that Purism does have the theoretical power to prevent its customers from using different coreboot images than those they provide. The question boils down to whether it does or will execute this power.
Purism itself claims it never burns any fuses on the CPUs. For a statement, see for example here[1]. Quotation:
"As applied to hardware this means that we do not institute any kind of write-lock or burnt fuses that would prevent the owner of the hardware from reflashing it with whatever firmware (new or otherwise) they choose."
I know of 2 reasons why Nadebula doesn't trust Purism. First - because Purism is "lying". Well, I have not seen any statement from them, that would strictly be a lie, so I can't confirm. But I do know, that Purism always boasts about things it has not yet achieved. It used to talk a lot about Coreboot in its laptops before it was ported. Now it talks about RYF certification, even though there's no way to actually replace Intel ME in its laptops (and hence no chance for RYF, unless FSF changes requirements under new leadership or something...). Perhaps that's enough for someone to feel being tricked. Second - Nadebula comes from a communist background (I conclude that from his posts in this forum) and therefore condemns all private companies.
In practice - I don't think Purism will use signature-checking on their coreboot images. It would be against all their supposed goals, it would ruin them (yes, ppl would eventually go away). If one is to reject Purism, the only valid reasons would be its boasting and nonfree blobs in its products.
Btw, if You buy a CPU separately, it shall always be free from this BIOS signing issue.
Let me now quote some other think Nadebula wrote:
> What me_cleaner did is to cripple it so that it was no
> longer functional. This meets Richard Stallman's definition
> of "circuit" firmware, because it could never be updated
> and couldn't do any more harm.
AFAIK, this is not true. RMS says, that if some device has its firmware updatable, then it's a computer and the firmware should be free. If the firmware is not updatable, it is described as "analogy to circuitry". That would be typical for something like a washing machine. We know there's some firmware running there and that it's nonfree, but it's not different from having the same functionality in an integrated circuit. Since we don't consider devices with nonfree circuits evil (otherwise every purchasable processor would be evil), there's no reason to consider those evil. This analogy to circuitry principle is what allows HDDs and SSDs with nonfree firmwares to be present in RYF-certified computers. That's what RMS came up with. Some ppl disagree. Most notably Chaosmonk, whom I once argued about that [2]. I admit, I should have done better in that debate...
Nevertheless, Nadebula claims, that disabled Intel ME is non-updatable and is hence equivalent to circuitry and theoretically not an obstacle to software freedom. In this case, I disagree. Initial code of Intel ME is factory-burnt in the CPU's southbridge, which makes it really circuitry. But then, it loads and verifies some more code from motherboard's ROM.
This code gets to do quite a few things b4 reaching the point where Intel ME is disabled via HAP bit. This code *is* updatable, because if Intel signs and releases a new version of Intel ME, this new version can be put in the coreboot image instead of the old one and and flushed to the ROM. The only way to make this platform RYF-capable would be to either
1. Get Intel's private keys to be able to sign one's own version of Intel ME
2. Find a bug in the early code burnt in the CPU's southbridge and exploit it to run one's own code *before* Intel's unmodified code from the ROM gets to execute.
Number 1. needs no commentary... Number 2. is highly unlikely. "Rushans" from Positive Technologies have supposedly RE'd all that code and have only found such bugs in later code, which does not satisfy us. Well, they had to assume, that some code in Intel ME's pre-release image is the same code, that's burnt into the southbridge[3]. We can't be 100% sure that's the case, but... Here's a quote from PT's blog:
"However, one can find pre-release versions of ME firmware on the Internet containing the ROMB (ROM BYPASS) section which, as we can assume, duplicates the functionality of ROM. So by examining such firmware, it is possible to reproduce the basic functionality of the initialization program."
A question, that comes to my mind, is whether it would be possible to design one's own southbridge to work with Intel's CPUs... I haven't seen any1 talk about that, so I guess it's not easier that manufacturing one's own CPUs :/
I hope I clarified some of the things. PT blogs should give You the most info on Intel ME if You haven't read them yet.
[1] https://forums.puri.sm/t/does-respects-your-freedom-certification-allow-updating-of-proprietary-firmware/9484
[2] https://trisquel.info/en/forum/pine-thoughts
[3] http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> I hope I clarified some of the things.
You have. Thank you.
> Librem
https://trisquel.info/en/forum/librem13-fully-free-time
You should inform yourself about the purism company.
> Do you know which particular ones are without blobs?
I don't actively keep up with the status of Coreboot targets. nadebula.1984 does, so his recommendations are probably your best bet. It seems like the way he explained them was unclear to you. What I think he means is:
* W520 and W530 meet your hardware requirements and run blobless Coreboot right now.
* W540 and W541 are similar enough to T440p that they can run a modification of the version of Coreboot for the T440p. They currently require some blobs, but these are in the process of being reverse engineered.
* E450 and E550 cannot yet run Coreboot, but because they do not have boot guard they are viable future targets for Coreboot.
Since you are not a free software purist, and you are concerned with non-free blobs mostly for security reasons, you may want to ask the Coreboot community about the specific blobs needed for the W540 and W541 to get an idea of how isolated or capable they are. That may determine whether or not you decide they are tolerable.
> Also are there any companies that sell them corebooted?
Yes, a few here and there, but your shipping location and the model(s) you decide on will likely narrow your choices down to zero. It's worth checking eBay; different models come and go there, so you might get lucky and find what you're looking for.
> If not - what does one need to do it oneself?
It depends on the model. Some support internal flashing, in which case you just need to run terminal commands. Others require external flashing for the initial installation, which requires some dissasembly and flashing Coreboot from a SOC (only for the initial installation, upgrading can be done internally).
> What do you think about the Librem 14 and Librem Mini? I am asking because you mentioned coreboot-capable hardware with blobs which are being worked on, which seems to be the same situation as with these two.
You make it sound like you know of someone working on reverse engineering these blobs. Is that the case, and if so, who? If someone is indeed doing that work, it is quite unlike Purism to not be loudly taking credit for it. To be clear, Purism has no track record of ever reverse engineering anything themselves, so don't expect it to happen unless someone else is actually working on it.
Thanks.
> W520 and W530 meet your hardware requirements and run blobless Coreboot right now.
Where can one check this info please?
Also if that is the case, it makes them as free as the Libreboot laptops. How come they are not on the RYF list?
> Since you are not a free software purist, and you are concerned with non-free blobs mostly for security reasons
Yes.
> Yes, a few here and there
Do you have names and/or websites please?
> It depends on the model.
How can one know?
> You make it sound like you know of someone working on reverse engineering these blobs.
As of this phase of my research I am still reading what others say:
Purism:
I read the FAQ on their website saying that they are "spending real money to advance that toward complete binary freedom". I read it as "we pay someone to work on this". Otherwise I don't see what it may mean. Of course these are just words which I cannot fact check.
nadebula.1984 said:
> Although very few blobs are still needed, we're actively working on reverse engineering and will remove the blobs as soon as we hacked it.
You said:
> They currently require some blobs, but these are in the process of being reverse engineered.
In summary: so far I have 3 different sources saying the same thing. Based on just that I have no idea what actual facts are behind these words or when such potential work may be completed or not. That's why I am putting all these questions.
> Purism has no track record of ever reverse engineering anything themselves
I am in no way justifying them and I am pretty well aware of their heavy marketing language. We have talked about that in the past. However I want to be unbiased and base what I think or do on facts.
> Where can one check this info please?
The Coreboot docs have flashing guides for each target, which contain information specific to that board.
=> https://doc.coreboot.org/mainboard/index.html
Where a board requires blobs, they appear to explain this in the instructions with a statement like
"SMSC SC5545 EC firmware is optional, however lack of the binary will result in EC malfunction after power failure and fans running at full speed. The blob can be extracted from original firmware. It should be located under a file with..."
=> https://doc.coreboot.org/mainboard/dell/optiplex_9010.html
or
"To build a minimal working coreboot image some blobs are required (assuming only the BIOS region is being modified)."
=> https://doc.coreboot.org/mainboard/purism/librem_mini.html
The instructions for W520 and W530 do not contain such instructions, which implies that non-free submodules do not need to be checked out during the build process.
=> https://doc.coreboot.org/mainboard/lenovo/Ivy_Bridge_series.html
=> https://doc.coreboot.org/mainboard/lenovo/w530.html
This is a little less explicit than I would like. The old Coreboot wiki has a clear section on each page regarding required proprietary components, but since that wiki appears to be deprecated in favor of doc.coreboot.org I don't trust the information to be up-to-date.
=> https://www.coreboot.org/Board:lenovo/w520#Proprietary_components_status
If you want confirmation or more details about the status of a particular board, I would hop on #coreboot on freenode and ask.
> Also if that is the case, it makes them as free as the Libreboot laptops. How come they are not on the RYF list?
The FSF endorses products as sold by particular vendors, so there would need to be a vendor selling such laptops pre-flashed with blobless coreboot, who would then need to go through the RYF verification process.
> Do you have names and/or websites please?
Sorry, I didn't keep track of them because none of them shipped to my country. I also only recall finding ones that sell X230's. If there are any vendors selling pre-flashed W520's or W530's in your country, I wouldn't be able to find them any more quickly than you could.
>> It depends on the model.
> How can one know?
You try to find someone selling the model you want pre-flashed in your country, and if you can't find anyone after searching for a reasonable amount of time you conclude that no one is selling it. If you are willing to learn the skill of flashing Coreboot, that simplifies things, as it should be easy to find any of these models being sold with the stock firmware.
> Purism:
> nadebula.1984 said:
> You said:
I was just clarifying what nadebula said because the way he explained it didn't seem to make sense to you. In my experience, nadebula has a history of being reliable when it comes to the topic of hardware, and when I've looked into or acted on his advice it has always turned out to be correct. He is not trying to sell you a W540 or W541, so he does not have a financial incentive to persuade you that these blobs will be reverse engineered soon. That doesn't mean his word should be taken as proof, but I consider his word good enough to use as a starting point for further research. Since the statements he has made are very specific, it should be easy to go on #coreboot and ask for confirmation and further details. If I were in your situation, that would be my next step.
As for a vague statement like "spending real money to advance that toward complete binary freedom", I don't really know what that means. Unlike nadebula's statements, it is not specific enough for me to know how to investigate it. I wouldn't know who to ask or what to ask them, because I don't know who is supposedly doing what.
Thanks for the good info.
> This is a little less explicit than I would like.
Yes.
> If you want confirmation or more details about the status of a particular
> board, I would hop on #coreboot on freenode and ask.
Will do. As soon as I am ready for this step.
BTW following the links on the pages you shared I found this system and it doesn't mention anything about blobs:
https://doc.coreboot.org/mainboard/system76/lemp9.html
From that I found that System76 sell new (not refurbished) laptops with coreboot. Even their top model is said to come with "System76 Open Firmware" and "System76 Open Source Embedded Controller Firmware". Their other systems are not listed on coreboot's website though. Perhaps I should contact them to find out what blobs remain (if any) and what security issues they may be related to.
- Vous devez vous identifier ou créer un compte pour écrire des commentaires