[HN Gopher] Ministry of Freedom - GNU+Linux laptops with Librebo...
___________________________________________________________________

Ministry of Freedom - GNU+Linux laptops with Libreboot preinstalled

Author : crazypython
Score  : 174 points
Date   : 2021-09-09 13:37 UTC (9 hours ago)

(HTM) web link (minifree.org)
(TXT) w3m dump (minifree.org)

| NexRebular wrote:
| How's the *BSD support on these ones?

| david_draco wrote:
| "Technically, Intel ME is still operational on this laptop.
| However, malicious features such as Intel AMT are removed using
| me_cleaner. For all intents and purposes, this laptop is very
| similar freedom-wise to a Libreboot laptop, but it is absolutely
| true that a Libreboot system is superior in terms of software
| freedom. However, if you're willing to slightly compromise
| (neutered Intel ME, after running me_cleaner, is fairly benign
| and does barely anything), these laptops offer a huge performance
| improvement over Libreboot thinkpads.
|
| Minifree runs me_cleaner which modifies the Intel ME up to the
| point where it is only active during the boot process, but
| otherwise disabled during normal operation. Only basic hardware
| initialization is still performed, but otherwise the Intel ME
| becomes benign from a security perspective, providing only basic
| power management. Coreboot is handling the vast majority of the
| hardware initialization and is 100% Free Software on this laptop.
|
| Proprietary features such as AMT are no longer present or
| accessible after me_cleaner is used. The me_cleaner program
| removes all networking from the Intel ME, thus removing any
| security risks associated with Intel ME."

| spijdar wrote:
| Yeah, there's something a bit ironic about a store with the
| tagline "GNU+Linux laptops with Libreboot preinstalled."
| putting a laptop without libreboot at the front.
| I understand _why_, but at the same time, it feels ever so slightly
| disingenuous, since you can install coreboot/run me_cleaner on
| a pretty wide range of computers (e.g. Purism's laptops), while
| libreboot can only run on a handful of late 2000s laptops.

| leahlibre wrote:
| Coreboot is actually 100% free software on Intel sandybridge
| and Ivybridge laptops, such as the X230.
|
| The Intel ME still performs minor power management functions
| and minimal init functions via the BUP (BringUp) module.
|
| For all intents and purposes, osboot-preinstalled X230 is 99%
| as free as a Libreboot system, and I would argue that it is
| equally secure.
|
| However, the Libreboot X200 is also sold on the website, and
| Libreboot is fully endorsed by the Free Software Foundation.

| rnhmjoj wrote:
| Unless new progress has been made that I'm not aware of,
| you need at least another blob beside the ME firmware
| (me.bin) to build a full coreboot image on the X230:
| there's the "Intel flash descriptor" (ifd.bin). I'm not
| sure if that contains executable code or it can be
| generated similarly to the gbe.bin (ethernet controlled
| config).

| leahlibre wrote:
| yeah but that's not software. It's configuration data, in
| a binary format that's well-documented. There is also a
| tool for managing it in coreboot, called ifdtool.
|
| There is also the GbE NVM (non-volatile memory) region,
| which configures the onboard ethernet chipset.
|
| These configure the hardware, and the format is fully
| documented by datasheets.

| rnhmjoj wrote:
| Thanks for the explanation. Do you know if it would be
| possible to fully create an ifd.bin knowing the specs of
| the mainboard? Basically the opposite of `ifdtool
| --dump`. I'm surprised because it seems to contain some
| pretty secretive options like the HAP bit.

| leahlibre wrote:
| Yeah it's possible to know the format by reading the
| Intel datasheets (sandybridge/ivybridge ones).
| Certain parts are "reserved" but have been reverse engineered
| like you see in ifdtool.
|
| In Libreboot there is a tool that I wrote called ich9gen,
| which can entirely generate ich9 ifd+gbe from scratch.
| This does not exist yet for sandy/ivy I think, but yes
| there is that --dump option in ifdtool.
|
| By the way:
|
| bincfg is a nice tool in coreboot, and you can write a
| spec file for that, based on intel datasheet, to generate
| gbe/ifd images. I actually have this on my todo list, as
| I've been studying it. The datasheets are very confusing
| especially for the Gbe NVM region, making it look like
| it's not even documented, but it is, poorly.

| rnhmjoj wrote:
| > I actually have this on my todo list, as I've been
| studying it. The datasheets are very confusing especially
| for the Gbe NVM region, making it look like it's not even
| documented, but it is, poorly.
|
| That's very good news. I thank you for all the work
| you've done on this.

| pessimizer wrote:
| What's "disingenuous" about completely explaining the
| compromise being made, and what you get in return for that
| compromise?

| spijdar wrote:
| It's not false advertising, there are no lies or outright
| deception. However, it feels disingenuous to me because
| there are lots of laptops out there that can either have
| coreboot flashed or you can run me_cleaner on, possibly
| laptops that people already own.
|
| The store's branding overall and presentation leans hard on
| being 100% totally free, and once you deviate from that
| "absolutely totally free of proprietary" status your market
| options open up dramatically.
|
| This is still a valuable service to some people. I didn't
| mean to come off so negative, but I also feel people who
| read the page wouldn't realize they have other market
| options that are "just as free" as the X230. The benefit of
| buying from this storefront is supporting Libreboot
| development and Leah Rowe.

| leahlibre wrote:
| However, those other companies that advertise neutered ME
| are shipping newer Intel platforms where actual x86
| hardware initialization is handled by binary blobs (e.g.
| Intel FSP).
|
| Sandybridge and Ivybridge platforms (e.g. X220/X230) in
| coreboot are all free software for the x86 part, and
| that's the majority of it. It's only the ME that isn't.
| With me_cleaner used, it's very close to Libreboot.
|
| X230 used to be worse in coreboot; for instance, it
| previously had non-free raminit. Nowadays, it's all GPL
| code.

| fsflover wrote:
| Indeed, perhaps they should divide their store into two
| sections, devices really respecting freedom and devices
| with compromises.

| aidenn0 wrote:
| The body not matching the headline is always a bit
| annoying. Think of all of those cable advertisements with
| an asterisk next to the primary claim.

| fsflover wrote:
| This is about Libre X230 laptop, whereas, e.g., their Libreboot
| T400 does not have any ME at all and is endorsed by the FSF as
| "Respects Your Freedom".

| prewett wrote:
| If they are going to invoke 1984, it seems like Minifree would be
| a Windows laptop with WSL installed or something else that has
| the appearance of freedom while being completely the opposite.

| NikolaeVarius wrote:
| I find the name awkward since the "joke" is that the ministry
| explicitly did the opposite of what the name suggested

| luke2m wrote:
| Man, why do you need to go back to 2008-2013 to get real freedom?
| Unfortunately, I have to be pragmatic and use a modern machine.

| [deleted]

| dannyw wrote:
| Because after a certain year chipmakers started building
| silicon level backdoors; probably under pressure by the NSA.

| luke2m wrote:
| I understand that, just wish it wasn't true.

| [deleted]

| matheusmoreira wrote:
| We won't ever be free until we can compete with chipmakers
| ourselves. We can make free software at home but making
| computer hardware requires billions.
| Maybe one day it will be possible to manufacture chips at home.

| 2OEH8eoCRo0 wrote:
| > probably under pressure by the NSA.
|
| Probably? Do you have a source for that claim? Show me
| evidence that the NSA pressured for silicon level back doors.
|
| Why would the government backdoor or cripple the security of
| their own machines?

| vorpalhex wrote:
| https://www.schneier.com/blog/archives/2021/09/more-detail-o...

| NackerHughes wrote:
| Moore's law has pretty much flattened out since around the
| early 2010s. Most new laptops for sale these days are Core i5
| ~2.5 GHz with 4-8 GB RAM and 'HD' integrated graphics just like
| they were 10 years ago.

| manquer wrote:
| Intel has flattened out is probably more accurate.
|
| Processor speed improvements have indeed not kept pace in
| desktop / high TDP offerings.
|
| A _lot_ has however happened in the lower power chips used in
| laptops/mobiles in the last 10 years.
|
| Apple silicon or most ARM type SoC chips of today are so much
| much better than anything from late 2010s in performance at
| that power draw.
|
| This has also coincided with decreasing desktop demand as
| more people use phones or laptops as their primary or only
| device.
|
| I don't have enough know-how to state with certainty that it
| is just the market movement with more R&D money in lower
| power processors or if there are hard tech limits but
| certainly is a factor

| luke2m wrote:
| https://www.cpubenchmark.net/compare/Intel-Core2-Duo-P8400-v...
|
| My $600 laptop's cpu performance is about double that of the
| x200. I'm not sure about transistor number, but the
| performance increase is huge. I upgraded from a Thinkpad T410
| this year, using a T60 until 2019. I can't go back.

| fsflover wrote:
| Then consider this: https://puri.sm/products/librem-14. The
| Intel ME is disabled there, Coreboot is installed.

| luke2m wrote:
| Would also like to consider this, but I can't spend almost
| $2k on a reasonably specced laptop.

| ozcanberkciftci wrote:
| also you can consider system76 devices, afaik they have
| intel me disabled and they come with open source coreboot

| marcodiego wrote:
| I understand your position. If enough people think different
| from you, we will still be able to buy devices with "real
| freedom". If too many people agree with you, we run the risk of
| having zero devices that respect our freedom.
|
| Right now, if you want a ryf-certified device, you have to
| choose a very old device (x86) or pay a lot of money for a very
| powerful one (POWER9). If enough people join the cause, we may,
| in the future, get affordable freedom respecting devices.

| hammyhavoc wrote:
| RISC-V. That is all.

| type0 wrote:
| the base is open hardware, but it still can have non free
| additions

| cultofmetatron wrote:
| I'm pinning my hope on the frame.work laptop.

| neilv wrote:
| These prices seem quite reasonable for sourcing a good vintage
| ThinkPad model (and spec variant) and flashing with Libreboot
| successfully.
|
| If people want to source and flash on their own, it's definitely
| doable, but IME (as primarily a software person) the difficulty
| ranges from mild headache to a major one, based on which ThinkPad
| model and phase of moon. :) https://www.neilvandyke.org/coreboot/

| awestroke wrote:
| What's the deal with GNU plus? I don't care if my coreutils are
| from GNU, I only care about running a Linux kernel

| teddyh wrote:
| See also h-node: https://h-node.org/hardware/catalogue/en

| johnklos wrote:
| This is interesting, but I'd love more details. How is
| proprietary firmware stripped from the SSDs, for instance? How's
| the firmware vetted for wifi interfaces?
|
| We really need more options for free and open hardware.

| fsflover wrote:
| The SSD firmware is not stripped, but it also does not have any
| access to the Internet or RAM. AFAIK they use WiFi adapters
| that use free firmware and drivers.

| e12e wrote:
| > The SSD...
| does not have any access to the Internet or RAM.
|
| Not DMA or equivalent bus access?

| candiddevmike wrote:
| On the topic of laptops, what brand has the best quality besides
| Apple? Or does the price for "quality" equal a MacBook?

| reginold wrote:
| System76 is the best Linux-only vendor: https://system76.com

| officeplant wrote:
| The only problem recently is they keep running out of stock
| on the cheaper spec'd versions of laptops so everything was
| $1200+ when I last checked.

| reginold wrote:
| Indeed! They are selling like hotcakes. You can sign up for
| notifications for when a model comes back into stock. But
| this doesn't extend to individual specs (i.e. if the i5
| spec is sold out on the Pangolin model)
| https://system76.com/laptops/pang11/configure

| hammyhavoc wrote:
| Aren't they rebranded Clevo?

| jeppesen-io wrote:
| Huge fan of my LG Gram 17"; Good batt life, big screen with the
| weight of a MacBook Pro 13
|
| Only downside is the built-in speakers do not work in Linux, so
| I have to use headphones on zoom

| apetresc wrote:
| Dell XPS seems to occupy the best sweet spot for HN types at
| the moment.

| seltzered_ wrote:
| I'm using an HP Elite x2 G4 (now G8) Tablet running Ubuntu
| and have been pretty happy with it - my goals were more about
| ergonomics (using on a stand detached with nuphy keyboard +
| apple trackpad.) Basically like having a Microsoft Surface
| but with a larger 13" screen and better repairability (ssd is
| removable, spare wwan slot if you go without LTE)
|
| Biggest weird thing I had to do was tune the speakers with
| PulseEffects. Think only the fingerprint reader isn't
| supported.

| vorpalhex wrote:
| The XPS 13 is my macbook replacement and so far happy with
| it. Got everything working under ElementaryOS with minimal
| fuss.

| toastal wrote:
| IMO, post like 2016, Apple had no such monopoly on 'premium'
| laptops in any capacity.
| There were better trackpads and keyboards in some, better screens
| in others, more compute in
| some, more ability to expand and repair in some, options for
| touchscreens, etc. ...and most laptops were cheaper with
| flagships from any brand checking a majority of those boxes.
| Some laptops are even more expensive going well beyond MacBook
| capabilities if you needed the most color-accurate screens or
| the most CPU cores or the biggest GPU.
|
| Pick any major brand and they probably have something great.
|
| The only things you really don't get in alternatives is a) the
| Mac OS and software & b) better resale value because
| Apple sells lifestyle products.

| fouc wrote:
| I guess I've always looked at weight & battery life first,
| trackpad / keyboard & general build quality second, and then
| actual specs/performance third. As far as I can tell,
| Macbooks have always been the best choice for that.
| Especially once retina displays came out. And even now with
| the crazy performance of M1 Macbooks, that's gonna be hard to
| beat.
|
| weight, battery life, retina display (or 4.5K/5K display),
| great trackpad, snappy

| nbzso wrote:
| Agree. They are working hard to kill all the good stuff in
| macOS and if they have a way to close it, as iOS and replace
| it with iPadOS with some xcode implementation, it is over.
| Better to invest in multi-platform software and run VMs.
| Luckily for me I have seen the writings on the wall and
| switched this year. On a hardware level, instead of giving
| Apple ton of money I now run in the office custom pcs with
| water-cooling and laptops are Thinkpad X1 Carbons.

| csmattryder wrote:
| I'll be the guy to recommend/shill Lenovo's Thinkpad range,
| I've been using my T480s for three years now, struggle with a
| reason to change to anything else.
|
| The trackpad _isn't_ as good, goes without saying as Apple
| have a faustian deal on their trackpad tech, but apparently
| some folks have replaced the T480's trackpad with the glass one
| from the X1 [1] with great results - something I'm thinking
| of once my T480s goes out of warranty.
|
| [1]
| https://old.reddit.com/r/thinkpad/comments/fo6hrc/i_replaced...

| jjuel wrote:
| I am a person who did that swap on my T480s with the glass
| trackpad. It is glorious. Easy to do and cannot recommend
| enough. Also very much satisfied with the T480s and I am a
| notorious laptop hopper. Although the System76's with
| Coreboot are starting to creep into my mind, but I know the
| quality will not be near that of the Lenovo.

| yepthatsreality wrote:
| The Framework laptops are intriguing but only offer 13" version
| currently. [0]
|
| [0] http://frame.work

| thom wrote:
| The X200 was more or less the last laptop to ship with a
| Trackpoint but no touchpad, and as such is a gloriously home-row
| friendly machine.

| falcrist wrote:
| I'm tempted to pick one up just because I already use Colemak.
|
| I'd be really tempted to try to change the keyboard firmware to
| behave more like my Pok3r keyboard (particularly replacing
| capslock with a function key and making fn+IJKL act as arrow
| keys).
|
| That sounds like heaven!

| hyperstar wrote:
| > Did you know that most modern Intel and AMD computers come with
| backdoors implanted by the NSA and other agencies? You do now,
| and it isn't pretty.
|
| The mere possibility that this is true should be enough for us to
| seek alternatives, but is there any evidence that it is actually
| the case? My impression was that the Intel Management Engine was
| a stupid idea but not intended to undermine security.

| TobTobXX wrote:
| There's this great talk from a CCC about reverse engineering
| the PSP: Uncover, Understand, Own - Regaining Control Over Your
| AMD CPU
|
| https://www.youtube.com/watch?v=bKH5nGLgi08
|
| At 47:10, they mention that they haven't found anything evil.
| Ofc, this isn't hard proof, but if I trust anyone's answer,
| then it's theirs. (Btw, watch the whole talk, it's nothing
| short of incredible.)

| azalemeth wrote:
| I wish I knew what the intel ME and AMD's PSP _actually did_ for
| 'normal' users. The only time I've ever encountered IME has been
| in the context of out-of-band server management where it "makes
| sense" and I totally get it. But I _don't_ get it on consumer
| computers. It's got to _cost_ something at some level -- there
| must be a reason why it's worth the chip space. What is it?

| zozbot234 wrote:
| They do basic bring up and power management. They're the part
| of the chip that deals with properly bootstrapping the "main"
| cores, tweaking voltages and spinning up the fans when the
| computer gets hot. All of these things are really best done
| with the kind of micro-controller like logic that's part of
| IME, the main CPU is way too complex to deal with this stuff on
| its own.

| fouric wrote:
| It might not actually provide any benefit at all - it's
| entirely possible that ME/PSP are simply included because it's
| slightly easier/cheaper for Intel/AMD to design and ship a
| single unit than two separate units, or a single software
| configuration on that silicon instead of two different
| configurations - just like how they'll fab a single piece of
| silicon and then selectively disable pieces of some chips and
| sell those as lower-performance parts.
|
| Obviously, that doesn't make any sense to a consumer - but
| that's the logic that the manufacturers might be following.

| shikoba wrote:
| https://en.wikipedia.org/wiki/Intel_Management_Engine#Assert...
|
| Look at the last paragraph.
| Intel usually documents everything, but that thing they refuse...

| MerelyMortal wrote:
| Intel's quote saying that _they_ do not do that, nor do
| _they_ have access, could be true. However their statements
| allow for the possibility that someone else designs
| backdoors, puts them in, and can use them.
|
| > "Intel does not and will not design backdoors for access
| into its products."
|
| > "Intel does not put back doors in its products nor do our
| products give Intel control or access to computing systems
| without the explicit permission of the end user."
|
| It would be much easier to say, "there are no backdoors", but
| they don't.

| zelphirkalt wrote:
| I've been using an X200 with Trisquel and Guix package manager on
| it for a while now. While I have another non-free machine, which
| is quite powerful, every time I code on my X200 it is a joy to
| work with. Very satisfied with it, but I think it is a matter of
| expectation management. You will not be able to play modern games
| or display some 4K videos on it (I guess). I do not need those,
| when I want to be productive and not get distracted from coding.

| dmitryminkovsky wrote:
| Is there a typo here or am I misunderstanding something:
|
| > Do you know have rights? Most computers nowadays will never spy
| on you and restrict your activities, but not ours! You have 100%
| control over your Libreboot system, free from surveillance.
|
| It should be: - never spy + spy
|
| right?

| boomboomsubban wrote:
| The line doesn't contain "never" now so I'd guess it was a
| typo.

| option_greek wrote:
| There is an awkward typo on the site: Most computers nowadays will
| never spy on you and restrict your activities, but not ours!

| atatatat wrote:
| The mental gymnastics involved in selling privacy theater are
| exhausting.

| marcodiego wrote:
| The girl who runs minifree has had many financial troubles while
| trying to keep it.
|
| I strongly recommend people buying products from people who are
| willing to make sacrifices to offer a product that respects your
| freedom.
|
| If we do not support people like her, we assume the future risk
| of having zero customer really owned devices.
|
| Whenever you plan to buy a device and care about not being spied
| and having control over your owned device, please consider
| supporting vendors listed here: https://ryf.fsf.org/

| hammyhavoc wrote:
| How does buying used laptops and installing software on them to
| then sell to yet another party stop manufacturers preventing
| this in the future? Why can't people just buy the used laptop
| made by the big manufacturer and install it themselves? Why
| trust more third-parties than you absolutely have to?

| Wronnay wrote:
| It seems like the founder also develops libreboot, so by
| buying a laptop from her you ensure that libreboot keeps
| around.

| LukeShu wrote:
| Well, the founder is also the Libreboot founder and lead. The
| Libreboot releases are signed with her GPG key, she isn't
| exactly a third party.
|
| So, as a sibling comment points out, buying from her helps
| ensure Libreboot's continued existence.
|
| Additionally, in the past (I'm not sure what the financial
| situation is today), buying from her has also gone to
| actually hiring developers to work on Libreboot and port it
| to more hardware.
|
| _> Why can't people just buy the used laptop made by the
| big manufacturer and install it themselves?_
|
| They can. The founder actually encourages this! At
| conferences she's run workshops to help people install it
| themselves.

| hammyhavoc wrote:
| This should be pointed out left, right and center. Does she
| have a monthly subscription like a Patreon to support her
| work? If not, there needs to be one. The work is ultimately
| more important than the computers sold, and I'm sure plenty
| who installed it themselves would directly fund her.

| kelnos wrote:
| It appears that she does:
| https://www.patreon.com/libreleah

| Hackbraten wrote:
| Flashing custom firmware may be difficult or risky for people
| with little experience. I can see why one would outsource
| that service to a vendor.

| leahlibre wrote:
| My finances are really good these days. I had temporary
| difficulties in early 2020, as did many people at the start of
| the covid pandemic, but those are long behind me now. The
| company has existed since 2014.
|
| The company is doing extremely well these days. I'm very
| grateful for everyone's support!
|
| PS:
|
| New Libreboot release soon.
|
| The current Libreboot 20210522 testing release (from May 2021)
| is more or less complete, and the most major issue (the reset
| bug) is now fixed in libreboot Git.
|
| I'm polishing the current Git and aiming for a new stable
| release.

| [deleted]

| marcodiego wrote:
| Hi Leah!
|
| I think the RockPro64 [1] as well as the rockpi4 can be run
| without any binary blobs. Why I don't see any vendor
| considering ryf-certifying devices based on them?
|
| [1] https://stikonas.eu/wordpress/2019/09/15/blobless-boot-with-...

| [deleted]

| leahlibre wrote:
| The FSF must decide whether to endorse a product, and it
| must be requested by the supplier. So if a product could be
| endorsed, but isn't, it's either being reviewed or has not
| been submitted by the vendor.
|
| In fact, I'm interested in their product commercially for
| Minifree, and also interested in terms of Libreboot. You
| can replace the default uboot firmware with coreboot, which
| offers many more features and there's where my company
| could really offer some nice custom services.
|
| It has been on TODO for Libreboot since May 2021:
| https://libreboot.org/tasks/#investigate-u-boot
|
| It is mentioned here, in the context of u-boot
| specifically, but I'm aware that coreboot also supports it.

| marcodiego wrote:
| I acquired a Rockpi4 in the hope to use it blob-free.
| But I'd love to see vendors trying to ryf-certify it. Do you
| (or any other vendor) have plans to sell or certify it?

| leahlibre wrote:
| It's on my TODO.

| marcodiego wrote:
| Looking forward to it. Getting an rk3399 device
| ryf-certified would be great. They have accelerated 3d
| graphics and video codecs that are (AFAIK) fully
| supported by fully free software. It would be, although
| not very powerful, the most modern affordable
| ryf-certified device available. I really hope you do it.
|
| Also in your list of tasks you list ROCKPro64. Although I
| really like pine64 steps, I think the best rk3399 device
| for such a task is the Rock Pi 4 Model A Plus, it's got a
| faster processor, no wifi and the usb-c port is used for
| power only: no need to care about blobs for eDP! So, if
| you are thinking about a board to support, I'd suggest
| you to think about the Rock Pi 4 Model A Plus.

| kop316 wrote:
| > New Libreboot release soon.
|
| > The current Libreboot 20210522 testing release (from May
| 2021) is more or less complete, and the most major issue (the
| reset bug) is now fixed in libreboot Git.
|
| That's really exciting news! Is there any documentation on
| how to upgrade libreboot?

| leahlibre wrote:
| https://libreboot.org/docs/install/

| dmos62 wrote:
| I'm hopeful that open processors like RISC will be a big step in
| solving this. But, then there will still be all that other
| blob-y, closed hardware like SSDs, network cards, radios. In my
| humble opinion, there's something wrong with everyone having to
| use hardware (and software to a slightly lesser extent) that's
| not auditable and not patchable (by you). There should be a
| legislative framework for consumer protection.

| jorvi wrote:
| I've never seen a big problem with things like SSDs or sensors
| and likewise parts having their own blobs. Sure, it'd be nice
| if you can poke around in them, but they don't have DMA and
| they have no way to communicate with the outside world.
|
| It's as if you put a untrustworthy guy on a really far away
| island and occasionally go to him and ask him what the
| temperature is. He has no way to observe what is happening on
| the mainland, and even if he did he has no way to talk to
| anyone about it.

| josephg wrote:
| Hmm, I'm not sure I agree. Malicious firmware blobs in your
| disk controller could do all sorts of damage, like silently
| replacing parts of executable files with whatever they like.
| Someone made a proof of concept of this a few years ago -
| where they managed to replace some of the controller firmware
| in a hard disk. Their modified drive would then silently
| replace a certain executable with something else. And on that
| drive, the attack was persistent.
|
| And are modern NVMe drives isolated? Is your system secure if
| you have a malicious PCIe device attached? (Even if disk
| controllers are isolated, are graphics cards? Couldn't my
| NVMe drive just claim to be a GPU and DMA all it likes?)

| 3np wrote:
| Full-disk- or file-system-level encryption on everything
| reduces the impact by a lot.

| flyingfences wrote:
| How is the full-disk encryption implemented? Not by the
| disk, I hope.

| anthk wrote:
| In OpenBSD, for example, in software.

| 3np wrote:
| Naturally. LUKS or ZFS native encryption, for example.

| mywittyname wrote:
| This is pretty nifty, but I have to imagine that it is also
| detectable if you look for it. The drive can't
| differentiate between being read for execution and being
| read for analysis. So if an executable has been modified
| from the expected value, presumably a bit-by-bit or
| checksum comparison would reveal the change.
|
| Such a program could be injected into the firmware of the
| machine, so it will never be read from disk, and it is
| unlikely to need updating. One could also produce a second,
| clean room, program which does the same thing.
| This could serve as a back up in case a buffer overflow or similar
| exploit is found and leveraged in the first validation
| program.
|
| Additionally, without the ability to self-update its
| signature database, version updates would render this hack
| ineffective.

| aaronmdjones wrote:
| > And are modern NVMe drives isolated? Is your system
| secure if you have a malicious PCIe device attached?
|
| Only if it's sitting behind an IOMMU. This is rarely the
| case; although it is starting to improve.

| dmos62 wrote:
| Could a rogue SSD move things around in your filesystem? If
| so, couldn't it install a rootkit?
|
| Either way, it's not just about backdoors. A blob is like a
| car that you cannot perform maintenance on. You want to be
| able to fix bugs, and also inspect it to check if there
| aren't any. Maybe customize it.

| marcodiego wrote:
| > other blob-y, closed hardware like SSDs, network cards,
| radios.
|
| Actually the ryf certification allows this kind of firmware if
| they are written in ROM; in such cases, they are considered
| part of the hardware. I understand the complaints about this
| stance but I know no other similar certification and I think
| that having non-replaceable firmware forces the vendors to
| include the minimum of logic inside it and be more careful, so
| I'm not entirely against it.
|
| Ideally the source code of the firmware should be available. I
| try to vote with my wallet for that and encourage people to do
| the same.

| blibble wrote:
| > Actually the ryf certification allows this kind of firmware
| if they are written in ROM
|
| I never really understood this logic... it's still
| closed-source software, it just happens to be unmodifiable?
|
| and the CPU is also closed-source software, just "compiled"
| into gates (synthesised)

| dragontamer wrote:
| I wasn't aware of this "Ministry of Freedom" before today
| (despite knowing about Libreboot).
| But "Ministry of Freedom" works because these older laptops have
| been reverse engineered
| to the point where we can be confident in how their firmware
| works... and replace it with something open-source.
|
| There are companies who continue to strive to build open-source
| hardware: such as the Talos II workstation, the System76
| laptops, and Pinephone.
|
| Of these: the Talos II stuff with POWER9 CPUs seems the "most
| open source" out of all solutions. It's a bit of a subjective
| measure for sure. However, Talos II is rather expensive.
|
| I think these older Thinkpad Txxx laptops with libreboot
| definitely work as a more entry-level introduction to fully
| free software from the boot-process up. It's clearly a cheaper
| methodology than Talos II (or System76). So that's probably a
| good thing that they serve different market niches.

| jhoechtl wrote:
| There will never be such a legislation as long as NSA, FBI, CIA,
| <insert any intelligence agency here> have an interest for a
| back-door which they will ever have.
|
| A computer in malicious hands is a weapon as much as movable
| types and the photo-copier are/were.

| steviedotboston wrote:
| RISC architecture is gonna change everything

| [deleted]
___________________________________________________________________
(page generated 2021-09-09 23:01 UTC)