[HN Gopher] Ministry of Freedom - GNU+Linux laptops with Librebo...
___________________________________________________________________
Ministry of Freedom - GNU+Linux laptops with Libreboot preinstalled
Author : crazypython
Score : 174 points
Date : 2021-09-09 13:37 UTC (9 hours ago)
(HTM) web link (minifree.org)
(TXT) w3m dump (minifree.org)
| NexRebular wrote:
| How's the *BSD support on these ones?
| david_draco wrote:
| "Technically, Intel ME is still operational on this laptop.
| However, malicious features such as Intel AMT are removed using
| me_cleaner. For all intents and purposes, this laptop is very
| similar freedom-wise to a Libreboot laptop, but it is absolutely
| true that a Libreboot system is superior in terms of software
| freedom. However, if you're willing to slightly compromise
| (neutered Intel ME, after running me_cleaner, is fairly benign
| and does barely anything), these laptops offer a huge performance
| improvement over Libreboot thinkpads.
|
| Minifree runs me_cleaner which modifies the Intel ME up to the
| point where it is only active during the boot process, but
| otherwise disabled during normal operation. Only basic hardware
| initialization is still performed, but otherwise the Intel ME
| becomes benign from a security perspective, providing only basic
| power management. Coreboot is handling the vast majority of the
| hardware initialization and is 100% Free Software on this laptop.
|
| Proprietary features such as AMT are no longer present or
| accessible after me_cleaner is used. The me_cleaner program
| removes all networking from the Intel ME, thus removing any
| security risks associated with Intel ME."
| spijdar wrote:
| Yeah, there's something a bit ironic about a store with the
| tagline "GNU+Linux laptops with Libreboot preinstalled."
| putting a laptop without libreboot at the front. I understand
| _why_ , but at the same time, it feels ever so slightly
| disingenuous, since you can install coreboot/run me_cleaner on
| a pretty wide range of computers (e.g. Purism's laptops), while
| libreboot can only run on a handful of late 2000s laptops.
| leahlibre wrote:
| Coreboot is actually 100% free software on Intel sandybridge
| and Ivybridge laptops, such as the X230.
|
| The Intel ME still performs minor power management functions
| and minimal init functions via the BUP (BringUp) module.
|
| For all intents and purposes, osboot-preinstalled X230 is 99%
| as free as a Libreboot system, and I would argue that it is
| equally secure.
|
| However, the Libreboot X200 is also sold on the website, and
| Libreboot is fully endorsed by the Free Software Foundation.
| rnhmjoj wrote:
| Unless new progress has been made that I'm not aware of,
| you need at least another blob beside the ME firmware
| (me.bin) to build a full coreboot image on the X230:
| there's the "Intel flash descriptor" (ifd.bin). I'm not
| sure if that contains executable code or it can be
| generated similarly to the gbe.bin (ethernet controlled
| config).
| leahlibre wrote:
| yeah but that's not software. It's configuration data, in
| a binary format that's well-documented. There is also a
| tool for managing it in coreboot, called ifdtool.
|
| There is also the GbE NVM (non-volatile memory) region,
| which configures the onboard ethernet chipset.
|
| These configure the hardware, and the format is fully
| documented by datasheets.
| rnhmjoj wrote:
| Thanks for the explanation. Do you know if it would be
| possible to fully create an ifd.bin knowing the specs of
| the mainboard? Basically the opposite of `ifdtool
| --dump`. I'm surprised because it seems to contain some
| pretty secretive options like the HAP bit.
| leahlibre wrote:
| Yeah it's possible to know the format by reading the
| Intel datasheets (sandybridge/ivybridge ones). Certain
| parts are "reserved" but have been reverse engineered
| like you see in ifdtool.
|
| In Libreboot there is a tool that I wrote called ich9gen,
| which can entirely generate ich9 ifd+gbe from scratch.
| This does not exist yet for sandy/ivy i think, but yes
| there is that --dump option in ifdtool.
|
| By the way:
|
| bincfg is a nice tool in coreboot, and you can write a
| spec file for that, based on intel datasheet, to generate
| gbe/ifd images. I actually have this on my todo list, as
| I've been studying it. The datasheets are very confusing
| especially for the Gbe NVM region, making it look like
| it's not even documented, but it is, poorly.
| rnhmjoj wrote:
| > I actually have this on my todo list, as I've been
| studying it. The datasheets are very confusing especially
| for the Gbe NVM region, making it look like it's not even
| documented, but it is, poorly.
|
| That's very good news. I thank you for all the work
| you've done on this.
| pessimizer wrote:
| What's "disingenuous" about completely explaining the
| compromise being made, and what you get in return for that
| compromise?
| spijdar wrote:
| It's not false advertising, there are no lies or outright
| deception. However, it feels disingenuous to me because
| there are lots of laptops out there that can either have
| coreboot flashed or you can run me_cleaner on, possibly
| laptops that people already own.
|
| The store's branding overall and presentation leans hard on
| being 100% totally free, and once you deviate from that
| "absolutely totally free of proprietary" status your market
| options open up dramatically.
|
| This is still a valuable service to some people. I didn't
| mean to come off so negative, but I also feel people who
| read the page wouldn't realize they have other market
| options that are "just as free" as the X230. The benefit of
| buying from this storefront is supporting Libreboot
| development and Leah Rowe.
| leahlibre wrote:
| However, those other companies that advertise neutered ME
| are shipping newer Intel platforms where actual x86
| hardware initialization is handled by binary blobs (e.g.
| Intel FSP).
|
| Sandybridge and Ivybridge platforms (e.g. X220/X230) in
| coreboot are all free software for the x86 part, and
| that's the majority of it. It's only the ME that isn't.
| With me_cleaner used, it's very close to Libreboot.
|
| X230 used to be worse in coreboot; for instance, it
| previously had non-free raminit. Nowadays, it's all GPL
| code.
| fsflover wrote:
| Indeed, perhaps they should divide their store into two
| sections, devices really respecting freedom and devices
| with compromises.
| aidenn0 wrote:
| The body not matching the headline is always a bit
| annoying. Think of all of those cable advertisements with
| an asterisk next to the primary claim.
| fsflover wrote:
| This is about Libre X230 laptop, whereas, e.g., their Libreboot
| T400 does not have any ME at all and is endorsed by the FSF as
| "Respects Your Freedom".
| prewett wrote:
| If they are going to invoke 1984, it seems like Minifree would be
| a Windows laptop with WSL installed or something else that has
| the appearance of freedom while being completely the opposite.
| NikolaeVarius wrote:
| I find the name awkward since the "joke" is that the ministry
| explicitly did the opposite of what the name suggested
| luke2m wrote:
| Man, why do you need to go back to 2008-2013 to get real freedom?
| Unfortunately, I have to be pragmatic and use a modern machine.
| [deleted]
| dannyw wrote:
| Because after a certain year chipmakers started building
| silicon level backdoors; probably under pressure by the NSA.
| luke2m wrote:
| I understand that, just wish it wasn't true.
| [deleted]
| matheusmoreira wrote:
| We won't ever be free until we can compete with chipmakers
| ourselves. We can make free software at home but making
| computer hardware requires billions. Maybe one day it will be
| possible to manufacture chips at home.
| 2OEH8eoCRo0 wrote:
| > probably under pressure by the NSA.
|
| Probably? Do you have a source for that claim? Show me
| evidence that the NSA pressured for silicon level back doors.
|
| Why would the government backdoor or cripple the security of
| their own machines?
| vorpalhex wrote:
| https://www.schneier.com/blog/archives/2021/09/more-
| detail-o...
| NackerHughes wrote:
| Moore's law has pretty much flattened out since around the
| early 2010s. Most new laptops for sale these days are Core i5
| ~2.5 GHz with 4-8 GB RAM and 'HD' integrated graphics just like
| they were 10 years ago.
| manquer wrote:
| Intel has flattened out is probably more accurate.
|
| Processor speed improvements have indeed not kept pace in
| desktop / high TDP offerings.
|
| A _lot_ has however happened in the lower power chips used in
| laptops /mobiles in the last 10 years.
|
| Apple silicon or most ARM type SoC chips of today are so much
| much better than anything from late 2010s in performance at
| that power draw.
|
| This has also coincided with decreasing desktop demand as
| more people use phones or laptops as their primary or only
| device.
|
| I don't have enough know-how to state with certainty that it
| is the just the market movement with more R&D money in lower
| power processors or if there are hard tech limits but
| certainly is a factor
| luke2m wrote:
| https://www.cpubenchmark.net/compare/Intel-
| Core2-Duo-P8400-v...
|
| My $600 laptop's cpu performance is about double that of the
| x200. I'm not sure about transistor number, but the
| performance increase is huge. I upgraded from a Thinkpad T410
| this year, using a T60 until 2019. I can't go back.
| fsflover wrote:
| Then consider this: https://puri.sm/products/librem-14. The
| Intel ME is disabled there, Coreboot is installed.
| luke2m wrote:
| Would also like to consider this, but I can't spend almost
| $2k on a reasonably specced laptop.
| ozcanberkciftci wrote:
| also you can consider system76 devices,afaik they have
| intel me disabled and they come with open source coreboot
| marcodiego wrote:
| I understand your position. If enough people think different
| from you, we will still be able to buy devices with "real
| freedom". If too many people agree with you, we run the risk of
| having zero devices that respects our freedom.
|
| Right now, if you want a ryf-certified device, you have to
| choose a very old device (x86) or pay a lot of money for a very
| powerful one (POWER9). If enough people join the cause, we may,
| in the future, get affordable freedom respecting devices.
| hammyhavoc wrote:
| RISC-V. That is all.
| type0 wrote:
| the base is open hardware, but it still can have non free
| additions
| cultofmetatron wrote:
| I'm pinning my hope on the frame.work laptop.
| neilv wrote:
| These prices seem quite reasonable for sourcing a good vintage
| ThinkPad model (and spec variant) and flashing with Libreboot
| successfully.
|
| If people want to source and flash on their own, it's definitely
| doable, but IME (as primarily a software person) the difficulty
| ranges from mild headache to a major one, based on which ThinkPad
| model and phase of moon. :) https://www.neilvandyke.org/coreboot/
| awestroke wrote:
| What's the deal with GNU plus? I don't care if my coreutils are
| from GNU, I only care about running a Linux kernel
| teddyh wrote:
| See also h-node: https://h-node.org/hardware/catalogue/en
| johnklos wrote:
| This is interesting, but I'd love more details. How is
| proprietary firmware stripped from the SSDs, for instance? How's
| the firmware vetted for wifi interfaces?
|
| We really need more options for free and open hardware.
| fsflover wrote:
| The SSD firmware is not stripped, but it also does not have any
| access to the Internet or RAM. AFAIK they use WiFi adapters
| that use free firmware and drivers.
| e12e wrote:
| > The SSD... does not have any access to the Internet or RAM.
|
| Not DMA or equivalent bus access?
| candiddevmike wrote:
| On the topic of laptops, what brand has the best quality besides
| Apple? Or does the price for "quality" equal a MacBook?
| reginold wrote:
| System76 is the best Linux-only vendor: https://system76.com
| officeplant wrote:
| The only problem recently is they keep running out of stock
| on the cheaper spec'd versions of laptops so everything was
| $1200+ when I last checked.
| reginold wrote:
| Indeed! They are selling like hotcakes. You can sign up for
| notifications for when a model comes back into stock. But
| this doesn't extend to individual specs (i.e. if the i5
| spec is sold out on the Pangolin model)
| https://system76.com/laptops/pang11/configure
| hammyhavoc wrote:
| Aren't they rebranded Clevo?
| jeppesen-io wrote:
| Huge fan of my LG Gram 17"; Good batt life, big screen with the
| weight of a MacBook Pro 13
|
| Only downside is the built-in spekers do not work in Linux, so
| I have to use headphones on zoom
| apetresc wrote:
| Dell XPS seems to occupy the best sweet spot for HN types at
| the moment.
| seltzered_ wrote:
| I'm using an HP Elite x2 G4 (now G8) Tablet running Ubuntu
| and have been pretty happy with it - my goals were more about
| ergonomics (using on a stand detached with nuphy keyboard +
| apple trackpad.) Basically like having a Microsoft Surface
| but with a larger 13" screen and better repairability (ssd is
| removable, spare wwan slot if you go without LTE)
|
| Biggest weird thing I had to do was tune the speakers with
| PulseEffects. Think only the fingerprint reader isn't
| supported.
| vorpalhex wrote:
| The XPS 13 is my macbook replacement and so far happy with
| it. Got everything working under ElementaryOS with minimal
| fuss.
| toastal wrote:
| IMO, post like 2016, Apple had no such monopoly on 'premium'
| laptops in any capacity. There were better trackpads and
| keyboards in some, better screens in others, more compute in
| some, more ability to expand and repair in some, options for
| touchscreens, etc. ...and most laptops were cheaper with
| flagships from any brand checking a majority of those boxes.
| Some laptops are even more expensive going well beyond MacBook
| capabilities if you needed the most color-accurate screens or
| the most CPU cores or the biggest GPU.
|
| Pick any major brand and they probably have something great.
|
| The only things you really don't get in alternatives is a) the
| Mac OS and software software & b) better resale value because
| Apple sells lifestyle products.
| fouc wrote:
| I guess I've always looked at weight & battery life first,
| trackpad / keyboard & general build quality second, and then
| actual specs/performance third. As far as I can tell,
| Macbooks have always been the best choice for that.
| Especially once retina displays came out. And even now with
| the crazy performance of M1 Macbooks, that's gonna be hard to
| beat.
|
| weight, battery life, retina display (or 4.5K/5K display),
| great trackpad, snappy
| nbzso wrote:
| Agree. They are working hard to kill all the good stuff in
| macOS and if they have a way to close it, as iOS and replace
| it with iPadOS with some xcode implementation, it is over.
| Better to invest in multi-platform software and run VMs.
| Luckily for me I have seen the writings on the wall and
| switched this year. On a harware level, instead of giving
| Apple ton of money I now run in the office custom pcs with
| water-cooling and laptops are Thinkpad X1 Carbons.
| csmattryder wrote:
| I'll be the guy to recommend/shill Lenovo's Thinkpad range,
| I've been using my T480s for three years now, struggle with a
| reason to change to anything else.
|
| The trackpad _isn 't_ as good, goes without saying as Apple
| have a faustian deal on their trackpad tech, but apparently
| some folks have replaced the T480's trackpad with the glass one
| from the the X1 [1] with great results - something I'm thinking
| of once my T480s goes out of warranty.
|
| [1]
| https://old.reddit.com/r/thinkpad/comments/fo6hrc/i_replaced...
| jjuel wrote:
| I am a person who did that swap on my T480s with the glass
| trackpad. It is glorious. Easy to do and cannot recommend
| enough. Also very much satisfied with the T480s and I am a
| notorious laptop hopper. Although the System76's with
| Coreboot are starting to creep into my mind, but I know the
| quality will not be near that of the Lenovo.
| yepthatsreality wrote:
| The Framework laptops are intriguing but only offer 13" version
| currently. [0]
|
| [0] http://frame.work
| thom wrote:
| The X200 was more or less the last laptop to ship with a
| Trackpoint but no touchpad, and as such is a gloriously home-row
| friendly machine.
| falcrist wrote:
| I'm tempted to pick one up just because I already use Colemak.
|
| I'd be really tempted to try to change the keyboard firmware to
| behave more like my Pok3r keyboard (particularly replacing
| capslock with a function key and making fn+IJKL act as arrow
| keys).
|
| That sounds like heaven!
| hyperstar wrote:
| > Did you know that most modern Intel and AMD computers come with
| backdoors implanted by the NSA and other agencies? You do now,
| and it isn't pretty.
|
| The mere possibility that this is true should be enough for us to
| seek alternatives, but is there any evidence that it is actually
| the case? My impression was that the Intel Management Engine was
| a stupid idea but not intended to undermine security.
| TobTobXX wrote:
| There's this great talk from a CCC about reverse engeneering
| the PSP: Uncover, Understand, Own - Regaining Control Over Your
| AMD CPU
|
| https://www.youtube.com/watch?v=bKH5nGLgi08
|
| At 47:10, they mention that they haven't found anything evil.
| Ofc, this isn't hard proof, but if I trust anyone's answer,
| then it's theirs. (Btw, watch the whole talk, it's nothing
| short of incredible.)
| azalemeth wrote:
| I wish I knew what the intel ME and AMD's PSP _actually did_ for
| 'normal' users. The only time I've ever encountered IME has been
| in the context of out-of-band server management where it "makes
| sense" and I totally get it. But I _don 't_ get it on consumer
| computers. It's got to _cost_ something at some level -- there
| must be a reason why it 's worth the chip space. What is it?
| zozbot234 wrote:
| They do basic bring up and power management. They're the part
| of the chip that deals with properly bootstrapping the "main"
| cores, tweaking voltages and spinning up the fans when the
| computer gets hot. All of these things are really best done
| with the kind of micro-controller like logic that's part of
| IME, the main CPU is way too complex to deal with this stuff on
| its own.
| fouric wrote:
| It might not actually provide any benefit at all - it's
| entirely possible that ME/PSP are simply included because it's
| slightly easier/cheaper for Intel/AMD to design and ship a
| single unit than two separate units, or a single software
| configuration on that silicon instead of two different
| configurations - just like how they'll fab a single piece of
| silicon and then selectively disable pieces of some chips and
| sell those as lower-performance parts.
|
| Obviously, that doesn't make any sense to a consumer - but
| that's the logic that the manufactures might be following.
| shikoba wrote:
| https://en.wikipedia.org/wiki/Intel_Management_Engine#Assert...
|
| Look at the last paragraph. Intel usually document everything,
| but that thing they refuse...
| MerelyMortal wrote:
| Intel's quote saying that _they_ do not do that, nor do
| _they_ have access, could be true. However their statements
| allow for the possibility that someone else designs
| backdoors, puts them in, and can use them.
|
| > "Intel does not and will not design backdoors for access
| into its products."
|
| > "Intel does not put back doors in its products nor do our
| products give Intel control or access to computing systems
| without the explicit permission of the end user."
|
| It would be much easier to say, "there are no backdoors", but
| they don't.
| zelphirkalt wrote:
| I've been using an X200 with Trisquel and Guix package manager on
| it for a while now. While I have another non-free machine, which
| is quite powerful, everytime I code on my X200 it is a joy to
| work with. Very satisfied with it, but I think it is a matter of
| expectation management. You will not be able to play modern games
| or display some 4K videos on it (I guess). I do not need those,
| when I want to be productive and not get distracted from coding.
| dmitryminkovsky wrote:
| Is there a typo here or am I misunderstanding something:
|
| > Do you know have rights? Most computers nowadays will never spy
| on you and restrict your activities, but not ours! You have 100%
| control over your Libreboot system, free from surveillance.
|
| It should be: - never spy + spy
|
| right?
| boomboomsubban wrote:
| The line doesn't contain "never" now so I'd guess it was a
| typo.
| option_greek wrote:
| There is a awkward typo on the site: Most computers nowadays will
| never spy on you and restrict your activities, but not ours!
| atatatat wrote:
| The mental gymnastics involved in selling privacy theater are
| exhausting.
| marcodiego wrote:
| The girl who runs minifree has had many financial troubles while
| trying to keep it.
|
| I strongly recommend people buying products from people who are
| willing to make sacrifices to offer a product that respects your
| freedom.
|
| If we do not support people like her, we assume the future risk
| of having zero costumer really owned devices.
|
| Whenever you plan to buy a device and care about not being spied
| and having control over your owned device, please consider
| supporting vendors listed here: https://ryf.fsf.org/
| hammyhavoc wrote:
| How does buying used laptops and installing software on them to
| then sell to yet another party stop manufacturers preventing
| this in the future? Why can't people just buy the used laptop
| made by the big manufacturer and install it themselves? Why
| trust more third-parties than you absolutely have to?
| Wronnay wrote:
| It seems like the founder also develops libreboot, so by
| buying a laptop from her you ensure that libreboot keep
| around.
| LukeShu wrote:
| Well, the founder is also the Libreboot founder and lead. The
| Libreboot releases are signed with her GPG key, she isn't
| exactly a third party.
|
| So, as a sibling comment points out, buying from her helps
| ensure Libreboot's continued existence.
|
| Additionally, in the past (I'm not sure what the financial
| situation is today), buying from her has also also gone to
| actually hiring developers to work on Libreboot and port it
| to more hardware.
|
| _> Why can 't people just buy the used laptop made by the
| big manufacturer and install it themselves?_
|
| They can. The founder actually encourages this! At
| conferences she's run workshops to help people install it
| themselves.
| hammyhavoc wrote:
| This should be pointed out left, right and center. Does she
| have a monthly subscription like a Patreon to support her
| work? If not, there needs to be one. The work is ultimately
| more important than the computers sold, and I'm sure plenty
| who installed it themselves would directly fund her.
| kelnos wrote:
| It appears that she does:
| https://www.patreon.com/libreleah
| Hackbraten wrote:
| Flashing custom firmware may be difficult or risky for people
| with little experience. I can see why one would outsource
| that service to a vendor.
| leahlibre wrote:
| My finances are really good these days. I had temporary
| difficulties in early 2020, as did many people at the start of
| the covid pandemic, but those are long behind me now. The
| company has existed since 2014.
|
| The company is doing extremely well these days. I'm very
| grateful for everyone's support!
|
| PS:
|
| New Libreboot release soon.
|
| The current Libreboot 20210522 testing release (from May 2021)
| is more or less complete, and the most major issue (the reset
| bug) is now fixed in libreboot Git.
|
| I'm polishing the current Git and aiming for a new stable
| release.
| [deleted]
| marcodiego wrote:
| Hi Leah!
|
| I think the RockPro64 [1] as well as the rockpi4 can be run
| without any binary blobs. Why I don't see any vendor
| considering ryf-certifiying devices based on them?
|
| [1] https://stikonas.eu/wordpress/2019/09/15/blobless-boot-
| with-...
| [deleted]
| leahlibre wrote:
| The FSF must decide whether to endorse a product, and it
| must be requested by the supplier. So if a product could be
| endorsed, but isn't, it's either being reviewed or has not
| been submitted by the vendor.
|
| In fact, I'm interested in their product commercially for
| Minifree, and also interested in terms of Libreboot. You
| can replace the default uboot firmware with coreboot, which
| offers many more features and there's where my company
| could really offer some nice custom services.
|
| It has been on TODO for Libreboot since May 2021:
| https://libreboot.org/tasks/#investigate-u-boot
|
| It is mentioned here, in the context of u-boot
| specifically, but I'm aware that coreboot also supports it.
| marcodiego wrote:
| I acquired a Rockpi4 in the hope to use it blob-free. But
| I'd love to see vendors trying to ryf-certify it. Do you
| (or any other vendor) have plans to sell or certify it?
| leahlibre wrote:
| It's on my TODO.
| marcodiego wrote:
| Looking forward to it. Getting an rk3399 device ryf-
| certified would be great. They have accelerated 3d
| graphics and video codecs that are (AFAIK) fully
| supported by fully free software. It would be, although
| not very powerful, the most modern affordable ryf-
| certified device available. I really hope you do it.
|
| Also in your list of tasks you list ROCKPro64. Although I
| really like pine64 steps, I think the best rk3399 device
| for such a task is the Rock Pi 4 Model A Plus, it's got a
| faster processor, no wifi and the usb-c port is used for
| power only: no need to care about blobs for eDP! So, if
| you are thinking about a board to support, I'd suggest
| you to think about the Rock Pi 4 Model A Plus.
| kop316 wrote:
| > New Libreboot release soon.
|
| > The current Libreboot 20210522 testing release (from May
| 2021) is more or less complete, and the most major issue (the
| reset bug) is now fixed in libreboot Git.
|
| That's really exciting news! Is there any documentation on
| how to upgrade libreboot?
| leahlibre wrote:
| https://libreboot.org/docs/install/
| dmos62 wrote:
| I'm hopeful that open processors like RISC will be a big step in
| solving this. But, then there will still be all that other
| blob-y, closed hardware like SSDs, network cards, radios. In my
| humble opinion, there's something wrong with everyone having to
| use hardware (and software to a slightly lesser extent) that's
| not auditable and not patchable (by you). There should be a
| legislative framework for consumer protection.
| jorvi wrote:
| I've never seen a big problem with things like SSDs or sensors
| and likewise parts having their own blobs. Sure, it'd be nice
| if you can poke around in them, but they don't have DMA and
| they have no way to communicate with the outside world.
|
| It's as if you put a untrustworthy guy on a really far away
| island and occasionally go to him and ask him what the
| temperature is. He has no way to observe what is happening on
| the mainland, and even if he did he has no way to talk to
| anyone about it.
| josephg wrote:
| Hmm, I'm not sure I agree. Malicious firmware blobs in your
| disk controller could do all sorts of damage, like silently
| replacing parts of executable files with whatever they like.
| Someone made a proof of concept of this a few years ago -
| where they managed to replace some of the controller firmware
| in a hard disk. Their modified drive would then silently
| replace a certain executable with something else. And on that
| drive, the attack was persistent.
|
| And are modern NVMe drives isolated? Is your system secure if
| you have a malicious PCIe device attached? (Even if disk
| controllers are isolated, are graphics cards? Couldn't my
| NVMe drive just claim to be a GPU and DMA all it likes?)
| 3np wrote:
| Full-disk- or file-system-level encryption on everything
| reduces the impact by a lot.
| flyingfences wrote:
| How is the full-disk encryption implemented? Not by the
| disk, I hope.
| anthk wrote:
| In OpenBSD, for example, in software.
| 3np wrote:
| Naturally. LUKS or ZFS native encryption, for example.
| mywittyname wrote:
| This is pretty nifty, but I have to imagine that it is also
| detectable if you look for it. The drive can't
| differentiate between being read for execution and being
| read for analysis. So if an executable has been modified
| from the expected value, presumably a bit-by-bit or
| checksum comparison would reveal the change.
|
| Such a program could be injected into the firmware of the
| machine, so it will never be read from disk, and it is
| unlikely need updating. One could also produce a second,
| clean room, program which does the same thing. This could
| serve as a back up in case a buffer overflow or similar
| exploit is found and leveraged in the first validation
| program.
|
| Additionally, without the ability to self-update its
| signature database, version updates would render this hack
| ineffective.
| aaronmdjones wrote:
| > And are modern NVMe drives isolated? Is your system
| secure if you have a malicious PCIe device attached?
|
| Only if it's sitting behind an IOMMU. This is rarely the
| case; although it is starting to improve.
| dmos62 wrote:
| Could a rogue SSD move things around in your filesystem? If
| so, couldn't it install a rootkit?
|
| Either way, it's not just about backdoors. A blob is like a
| car that you cannot perform maintenance on. You want to be
| able to fix bugs, and also inspect it to check if there
| aren't any. Maybe customize it.
| marcodiego wrote:
| > other blob-y, closed hardware like SSDs, network cards,
| radios.
|
| Actually the ryf certification allows this kind of firmware if
| they are written in ROM; in such cases, they are considered
| part of the hardware. I understand the complaints about this
| stance but I know no other similar certification and I think
| that having non-replaceable firmware forces the vendors to
| include the minimum of logic inside it and be more careful, so
| I'm not entirely against it.
|
| Ideally the source code of the firmware should be available. I
| try to vote with my wallet for that and encourage people to do
| the same.
| blibble wrote:
| > Actually the ryf certification allows this kind of firmware
| if they are written in ROM
|
| I never really understood this logic... it's still closed-
| source software, it just happens to be unmodifable?
|
| and the CPU is also closed-source software, just "compiled"
| into gates (synthesised)
| dragontamer wrote:
| I wasn't aware of this "Ministry of Freedom" before today
| (despite knowing about Libreboot). But "Ministry of Freedom"
| works because these older laptops have been reverse engineered
| to the point where we can be confident in how their firmware
| works... and replace it with something open-source.
|
| There are companies who continue to strive to build open-source
| hardware: such as the Talos II workstation, the System76
| laptops, and Pinephone.
|
| Of these: the Talos II stuff with POWER9 CPUs seems the "most
| open source" out of all solutions. Its a bit of a subjective
| measure for sure. However, Talos II is rather expensive.
|
| I think these older Thinkpad Txxx laptops with libreboot
| definitely work as a more entry-level introduction to fully
| free software from the boot-process up. Its clearly a cheaper
| methodology than Talos II (or System76). So that's probably a
| good thing that they serve different market niches.
| jhoechtl wrote:
| There will never be such a legislation as long NSA, FBI, CIA,
| <insert any intelligence agency here> have an interest for a
| back-door which they will ever have.
|
| A computer in malicious hands is a weapon as much as movable
| types and the photo-copier are/were.
| steviedotboston wrote:
| RISC architecture is gonna change everything
| [deleted]
___________________________________________________________________
(page generated 2021-09-09 23:01 UTC)