libreboot not supporting post-2008 Intel hardware?
Got this from some forum. https://libreboot.org/faq/#intel --- Why is the latest Intel hardware unsupported in libreboot? #intel It is extremely unlikely that any post-2008 Intel hardware will ever be supported in libreboot, due to severe security and freedom issues; so severe, that the libreboot project recommends avoiding all modern Intel hardware. --- There are similar concerns about AMD from Joanna Rutkowska: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf pp 44-45 Is there safe off the shelve hardware and sufficiently powerful? (Don't think android is an option) This is not intended as flamewar Intel vs AMD vs whatever.
There are similar concerns about AMD from Joanna Rutkowska: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf pp 44-45
Yes, I *really* wish there were more AMD64/ARM32/ARM64 experts, most seem to focus on x86/x64. Even at AMD and ARM. If Linaro finishes porting LUV-live (including BITS, CHIPSEC, FWTS) from Intel to AArch64, CHIPSEC will run on ARM, and the UEFI tests will work, but there won't be any new ARM64-centric security tests, as the few dozen Intel-centric ones won't apply to ARM boxes. We need some arch-centric security experts to create a list of security tests, like Intel ATR team does with chipsec_main security modules. One interesting thing about AMD64 is -- *I think* -- that some boards have blob-free options in the coreboot tree, not relying on AGESA binaries. That is something, for the blob-concerned community. Fewer blobs than Intel FSP. Unclear which models, and which branches of the coreboot tree to look at, and if any of those models have modern supplies of hardware, or are ancient. There *are* blob-free ports of Libreboot to modern ARM boxes, some Chromebooks. And Olimex is apparently working on an ARM64 open source chip, and laptop, that might be interesting. Also, the SeaBIOS project is adding TPM and other security features in recently, it'll be interesting to see that BIOS added to some Libreboot and other systems, for security + configurability, not just the latter. Hopefully 2016 will get some OEM to bring us a Stateless x86 Laptop, and a RISC-V-based laptop. And more Novenas. Lee RSS: http://firmwaresecurity.com/feed
On 1/11/16, Blibbet <blibbet@gmail.com> wrote:
... Yes, I *really* wish there were more AMD64/ARM32/ARM64 experts, most seem to focus on x86/x64. Even at AMD and ARM.
have you played with USB Armory yet? it's my new favorite ARM platform. https://github.com/inversepath/usbarmory
If Linaro finishes porting LUV-live (including BITS, CHIPSEC, FWTS) from Intel to AArch64, CHIPSEC will run on ARM, and the UEFI tests will work, but there won't be any new ARM64-centric security tests, as the few dozen Intel-centric ones won't apply to ARM boxes. We need some arch-centric security experts to create a list of security tests, like Intel ATR team does with chipsec_main security modules.
the joy of ARM is avoiding all the usual platform UEFI, CHIPSEC, etc! the parts of ARM which i enjoy more are the secure boot with signed boot images. of course, if you're not a developer this is less compelling. this all uses TrustZone and fuse memory, under the hood: http://genode.org/documentation/articles/usb_armory https://github.com/inversepath/usbarmory/tree/master/software/secure_boot
One interesting thing about AMD64 is -- *I think* -- that some boards have blob-free options in the coreboot tree, not relying on AGESA binaries.
if you find any, let me know! i don't believe they exist. also, BIOS security on AMD may be even worse than Intel. use an external SPI flash programmer, not a built in one, in that case.
That is something, for the blob-concerned community. Fewer blobs than Intel FSP. Unclear which models, and which branches of the coreboot tree to look at, and if any of those models have modern supplies of hardware, or are ancient.
those blob concerned are going to be increasingly disappointed into the future. on the other hand, for those with heirloom device funds, check out Librem: https://www.crowdsupply.com/purism/librem-13
There *are* blob-free ports of Libreboot to modern ARM boxes, some Chromebooks. And Olimex is apparently working on an ARM64 open source chip, and laptop, that might be interesting.
you're aware of Novena, too? :) https://www.crowdsupply.com/sutajio-kosagi/novena
Also, the SeaBIOS project is adding TPM and other security features in recently, it'll be interesting to see that BIOS added to some Libreboot and other systems, for security + configurability, not just the latter.
indeed!
Hopefully 2016 will get some OEM to bring us a Stateless x86 Laptop, and a RISC-V-based laptop. And more Novenas.
i'm playing with stateless lenovo via USB Armory as OS fill via USB. not quite what you're asking, but might be a nice stop-gap for those seeking better boot authenticity... best regards,
Yes, USB Armories are nice. But they're like a dev board, not a laptop. What I think we need is for Cyperpunk community to join Open Compute Project and define the Stateless Laptop. A fat, modular laptop that let you swap out the Intel/ARM dev board of the year, with a USB Armory or Arduino or other device to act as IPMI BMC. Like the modularity of blades/racks, but at the laptop level, like old laptops had bays where you could put in optical drive or battery or hard drive. Maybe multiple boards, like a cluster of RPI2s. OCP is for enterprises to build cheap enterprise hardware, there is no effort to build a privacy/secure citizen-focused device profile for OEMs to use.
the joy of ARM is avoiding all the usual platform UEFI, CHIPSEC, etc!
Except UEFI is an option for ARM as well. For AArch32, I presume it's used by APPL/MSFT/other vendors as a form of DRM to keep others from removing their OS choice from their HW. On AArch64, apparently it is there because server admins expect the UEFI pre-OS env for servers, and AArch64 wants to get into the server market. But unlike x86, UEFI is optional, U-Boot and coreboot are other options. Linaro offers both UEFI and U-Boot, their UEFI is a fork of Tianocore, with more ARM updates. I've not studied it closely, but I think there are multiple blob-free ARM UEFI implemenations, at least in the Linaro dev boards supported, and you can update the firmware on most dev boards. Linaro is porting CHIPSEC to ARM (AArch64), as part of their port of LUV (Linux UEFI Validation). CHIPSEC and BITS are not ported yet. https://wiki.linaro.org/LEG/Engineering/luvOS There is a lot of ARM/UEFI development going on in Linux and even FreeBSD, UEFI is not Intel-centric. I used to think that U-Boot was ARM-centric, but it also has Intel support now. So coreboot, U-Boot, and UEFI are all options for both Intel and ARM. Last week at the RISC-V workshop, I hear that someone has already (or is porting) UEFI to RISC-V. Personally, I like CHIPSEC. It is a firmware vulnerability tool. Without this tool, it'd be a lot harder to determine security profile of a device. I wish it was available on other chips (and had chip-centric security tests so it was useful). I wish CHIPSEC was available for coreboot and U-Boot, not just BIOS and UEFI.
On Mon, Jan 11, 2016 at 09:22:34AM -0800, coderman wrote:
One interesting thing about AMD64 is -- *I think* -- that some boards have blob-free options in the coreboot tree, not relying on AGESA binaries.
if you find any, let me know! i don't believe they exist. also, BIOS security on AMD may be even worse than Intel. use an external SPI flash programmer, not a built in one, in that case.
Does libreboot support modern AMD? Didn't see it in supported hardware and in the faq they mention only intel.
On 01/12/2016 07:47 AM, Georgi Guninski wrote:
On Mon, Jan 11, 2016 at 09:22:34AM -0800, coderman wrote:
One interesting thing about AMD64 is -- *I think* -- that some boards have blob-free options in the coreboot tree, not relying on AGESA binaries.
if you find any, let me know! i don't believe they exist. also, BIOS security on AMD may be even worse than Intel. use an external SPI flash programmer, not a built in one, in that case.
Does libreboot support modern AMD?
Didn't see it in supported hardware and in the faq they mention only intel.
The blob-free AMD systems are the ones supported prior to this 2014 date mentioned in the Phoronix and Libreboot FAQ entries below. Current AMD appears to be binary-only AGESA. AFAICT, if you want a blob-free AGESA, l look for AMD models targeted in the source drops before that 2014 cutoff. It would be really useful to know if any of those devices are in current product, or are only on EBay. I think it'll be easier to find new Libreboot candidates from the new ARM-based Chromebooks, instead of focusing on Intel/AMD. AMD (and Intel) aside, and are there any other x86/x64-compatible vendors out there, like Transmeta? "In 2011, AMD started cooperating with the coreboot project, releasing this as source code under a free license. In 2014, they stopped releasing source code and started releasing AGESA as binary blobs instead. This makes AGESA now equivalent to Intel FSP." "More worrying about the prospects for Coreboot on future hardware is that since the end of 2014, AMD stopped providing open-source AGESA code. AGESA releases by AMD are now binary-only, with this being the bootstrap protocol needed to initialize AMD processor cores, memory, and HyperTransport. Binary AGESA is similar to Intel not opening up their firmware support packages. " http://firmwaresecurity.com/2015/08/10/amd-clarifies-firmware-strategy/ http://www.coreboot.org/pipermail/coreboot/2014-November/078892.html https://www.reddit.com/r/libreboot/comments/40q4xd/why_is_the_latest_amd_har... https://libreboot.org/faq/#amd
participants (3)
-
Blibbet -
coderman -
Georgi Guninski