libreboot vs canoeboot vs gnuboot

9 replies [Last post]
Psion
Offline
Joined: 12/29/2023

If DRM is fangless/disabled like coreboot + Intel ME disabled, or similar with or without microcode upgrades, I still have yet to understand how any "freedom is lost".

If backdoors can't do their job due to being disabled, I see no loss.

This being said, what freedom do you gain from removing blobs that don't do any harm?

I still have yet to understand. I agree with stallman about DRM being evil, proprietary software being evil, libre software being needed, but this is one area where I am stumped.

Especially since x86 is proprietary anyhow.

If it doesn't do any remote dialing, then why should such hardware be left unused? Otherwise you are restricted to "20160907" level libreboot hardware.

I honestly don't see a gain in such thinking.

You won't gain any additional privacy or security by avoiding current libreboot. Don't get me wrong, people have their moments. I don't think Leah is mocking FSF out of harm, I think she is trying to make it clear that their guidelines are hurting software freedom by making people think you have to be mega restrictive in what hardware you use to the nth degree.

Point being, threat analysis should be considered before saying what is or isn't freedom.

Can someone tell me what the specifics of where FSF/GNU and their supporters are coming from?

It's an enigma to me.

nparafe

I am a member!

Offline
Joined: 10/20/2020

Hi Psion,

Although "disabled/neutralized" IME leaves as little as 84Kb in Gen2[1] of the original firmware (from 1.5 ~ 5 Mb depending on the model), there is still non-free Intel ME code running inside the computer. If someone removes this part, then the computer won't function.[2]

Although security and freedom are closely tied concepts, they are not identical. Let's say we say that a few Kb of code are acceptable. How many Kb is the limit?
We must invent a new category, i.e. "somewhat free", between free and non-free software. How does this help our movement or society to understand software freedom?
Treating the firmware as free or not free, based on the condition of its ability to change or not[3], in my mind, has strong foundations in respecting my user rights and my freedom. At least until we find another alternative.

Returning to the subject of security, although 84Kb is not much, imagine what someone can do with a fully privileged 84kb of code inside a computer system [4]. And this is way bigger (in code size) in next generations of IME.
Until today, I haven't found a complete security audit of the "disabled/neutralized" IME. Also please keep in mind, that in cybersecurity trusting something that you shouldn't is way worse than using something that you know that you shouldn't trust.
Of course I support the efforts of projects like coreboot and libreboot, but I believe that this is something that all users should know.

[1] https://media.ccc.de/v/34c3-8782-intel_me_myths_and_reality
[2] https://www.gnu.org/software/gnuboot/web/faq.html#Intelme
[3] https://www.gnu.org/philosophy/free-hardware-designs.html#boundary
[4] One example is "Silent Bob is Silent". More details at https://www.trendmicro.com/en_us/research/17/k/mitigating-cve-2017-5689-intel-management-engine-vulnerability.html

PS: I am not in any way affiliated with FSF/GNU, other than supporting activities and theory of the free software movement.

Avron

I am a translator!

Offline
Joined: 08/18/2020

> I still have yet to understand how any "freedom is lost"

If you own a CPU and that CPU can run a Management Engine, shouldn't you have the possibility to set up a Management Engine that obeys you and only you, and that you can control and modify as you wish? In addition, these modern CPUs don't only run the IME, they run a lot of things that you have no control over, including DRM enforcement, which prevents you from using your own CPU as you want. Sure, you can still use a free OS, but with a CPU that has restrictions made by software that prevents you from using all the physical capabilities of your CPU. Isn't that unfair?

> blobs that don't do any harm

As long as blobs are not entirely reverse engineered, there cannot be any evidence that they don't do any harm. Removing them at least ensures that they will do no harm, but having them reverse engineered and modified freely would be much better from a freedom perspective.

> You won't gain any additional privacy or security by avoiding current libreboot.

For my machines supported by GNU boot, I intend to flash GNU boot because, when I asked about problems with Trisquel on libreboot/osboot, the maintainers clearly replied they did not care about it. Actually, they even made it clear that they think FSDG distros are wrong and people should use non-free firmware.

For machines that cannot be supported by GNU boot, no one says to avoid current libreboot. However, libreboot promotes itself as free software, omitting the fact that it must be installed with non-free software, so it is misleading people and I find the gain of libreboot vs. proprietary firmware rather unclear. People pretend the IME is disabled so it is fine, but there is no evidence that the remaining blob is harmless, and as time passes that remaining blob is bigger and bigger.

If you want to be safe, it may be a good idea to find a machine that runs without blobs.

Psion
Offline
Joined: 12/29/2023

You raise some good points. I don't honestly think once the HAP bit is set in place it's a threat due to my reason below regarding the NSA and Google wanting it to be fully off for them.

Yeah, I do agree with you there, free software distros do have value. She doesn't see that as much now. So I will give you that.

I hope though GNU Boot is getting updates as much as possible though. It's likely canoeboot is going to be much more up to date.

All depends on risks vs rewards of both and what you want, etc...

jxself
Offline
Joined: 09/13/2010

"Can someone tell me what the specifics of where FSF/GNU and their supporters are coming from?"

Not from the privacy/security point of view as this is being framed. It's important to note that it's the "Free Software Foundation", not the "Privacy-Respecting Software Foundation" nor the "Secure Software Foundation." RMS didn't start this movement to make a replacement for UNIX with the goal of enhancing privacy or security. I encourage you to listen to this piece and hear it from the person himself: https://jxself.org/better.ogg.

As you can hear from the recording, free software is based in ethics - in right and wrong, not in any other issue. About how proprietary software subjugates you. And so programs like GNU Boot are ethically superior just as he was talking about how GNU was ethically superior to UNIX. Not everyone globally subscribes to the belief that proprietary software is unethical. An example of that is the open source movement which doesn't talk about ethics at all but instead frames the issue about "higher quality, better reliability, greater flexibility, lower cost" - see https://opensource.org/about/ which is a completely different issue. However, if you're truly interested in grasping the perspective of the free software movement initiated by RMS, I urge you to delve into the ethical case RMS presents against proprietary software. About how it subjugates users. He covers it in many of his speeches. This ethical stance remains valid irrespective of any security issues or privacy invasions or other issues that software might also entail, and even if there are none.

Psion
Offline
Joined: 12/29/2023

Fair point, I suppose he did call it the free software foundation.

Actually the difference between open source and free software is obvious, one is always free, the other has mixed purposes.

That is the main problem I see with "open source"

It can have proprietary parts as well as libre parts.

I will however say most users seeking BSD or GNU/Linux probably will say it's enough to disable the Intel ME + coreboot/current libreboot unless they are full GNU supporters.

Btw, you still can't reproduce Intel or AMD processors.

I mentioned this to Leah at one point by the way:

https://wikiless.funami.tech/wiki/Intel_Management_Engine?lang=en#cite_note-auto2-43

Supposedly using the HAP bit to disable Intel ME in processors with version 11 or newer is possible.

Very much doubt this to be a problem because even Google and the NSA were concerned about the Intel ME being on when they use Intel devices.
So the HAP bit probably was put there because of their concerns. They never meant it to be discovered by advocates of libre software, etc... Long story short, it ain't going away in the foreseeable future.

At most probably they will change the rules when no one is looking.

In any case, appreciate your reply and the above ones.

megurineturilli
Offline
Joined: 01/10/2012

My long-term plan is to migrate away from x86 to OpenPOWER. The Talos II from which I am writing this text is supported by Coreboot / Dasharo but at the moment, I just use the stock firmware from Raptor / IBM.

The reason why x86 has microcode is the complexity of the ISA. RISC ISAs like PPC and ARM are much simpler, they do not need any microcode. Both architectures are supported by Das U-Boot which can be blob free. I prefer having libre boot firmware in Guix.

Psion
Offline
Joined: 12/29/2023

Ditching proprietary processors, including ARM64, would be lovely in the distant future. I don't think it will happen till then.

But if it does, even better.

ARM64 probably is the least harmful of the proprietary processors though if I had to guess on a privacy/security level.

No proof?

Perhaps, but more zero days exist on x86... so... yeah.

andyprough
Online
Joined: 02/12/2015

>"The Talos II from which I am writing this text is supported by Coreboot / Dasharo"

Are you able to use Trisquel on your Talos II?

Also, did you add your own ram and ssd? If you did add your own ram and ssd, was there any complicated configuration required, or was it just plug and play?

jxself
Offline
Joined: 09/13/2010