Coreboot (OSS bios firmware)

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Coreboot (OSS bios firmware)

#1 Post by Midas »

For the more privacy minded, coreboot really is the sole critical path left to regain sovereignty over our BIOS based computing devices, IMHO.

The issues it deals with aren't new (e.g., see viewtopic.php?t=22213) and with practical oligopoly power in the hands of main CPU makers (AMD isn't exempt here, if you research further), it isn't going away anytime soon...
https://www.coreboot.org/ wrote:Coreboot is an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems. As an Open Source project it provides auditability and maximum control over technology.
To find supported hardware, look to the "Status" section of coreboot's wiki:


In related info, find for yourself how hard it is for an expert hardware engineer to come up with ways to circumvent the gaping security risk that Intel IME really represents -- as the EFF had already warned us (www.eff.org/deeplinks/2017/05/intels-ma ... disable-it):

Deep dive into Intel Management Engine disablement
puri.sm/posts/deep-dive-into-intel-me-disablement/
https://puri.sm/learn/intel-me/ wrote:The Intel Management Engine is a separate independent processor core that is actually embedded inside the Multichip Package on Intel CPUs. It operates all-by-itself and separate from the main processor, the BIOS, and the Operating system, but it does interact with the BIOS and OS kernel. It is a black box of mystery code at the lowest level, in ring -2, with complete control over every part of the system.
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/ wrote:The Management Engine, part of Intel AMT, is a separate CPU that can run and control a computer even when powered off.
FYI, this IME runs a full OS (Minix) -- including a full Java-based virtual machine... (en.wikipedia.org/wiki/Intel_Active_Management_Technology)

EDIT: see this also https://www.notebookcheck.net/245922.0.html

For another tutorial on the intricacies and hardships of disabling this pest, see:


TP109
Posts: 571
Joined: Sat Apr 08, 2006 7:12 pm
Location: Midwestern US

Re: Coreboot (OSS bios firmware)

#2 Post by TP109 »

I somehow overlooked this security issue and didn't know much about it before now. Good info and links. Thanks for posting.


Re: Coreboot (OSS bios firmware)

#3 Post by Midas »

Further (bad) news regarding IME's security implications at www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/.


Re: Coreboot (OSS bios firmware)

#4 Post by Midas »

Related news from the portable hardware front:

Purism Librem 13 v2 privacy-focused Linux laptop
betanews.com/2017/10/29/purism-librem-13-v2-privacy-review/
So yes, I do highly recommend the Librem 13. After all, regardless of whether you use the default Pure OS or a different distro, such as Ubuntu, your money is still supporting the Linux community and sending a message that you value privacy. Best of all, you are getting very solid hardware that should delight you for many years.



Re: Coreboot (OSS bios firmware)

#6 Post by Midas »

lintalist wrote:System76 is also making progress
blog.system76.com/post/168050597573/system76-me-firmware-updates-plan
Nice. 8)

Here's something from there supporting my concern...
http://blog.system76.com/post/168050597573/ wrote:Proprietary code always makes life harder and Intel's Management Engine (ME) firmware is a particularly challenging chunk of secretive software. Thanks to issues identified by external security researchers, Intel initiated an audit of its ME firmware and discovered multiple critical vulnerabilities as described in SA-00086. Separately, researchers at Positive Technologies discovered an undocumented High Assurance Platform (HAP) setting in Intel ME firmware. HAP was developed by the NSA for secure computing.


Re: Coreboot (OSS bios firmware)

#7 Post by Midas »

Only marginally related, but utterly interesting nonetheless: highly specific tech and marketing analysis article on how Intel lost the mobile market around 2008 -- and might be going the way of IBM someday... :shock:

"Perhaps it is simpler to say that Intel… was disrupted"
https://medium.com/p/594f806cfc21
The 'moment' when Intel gave up on mobile was when it turned the investment that wasn’t quite yielding success in phones into a new 'low cost PC' c. 2008.


Re: Coreboot (OSS bios firmware)

#8 Post by Midas »

Just seen this:
An open source Linux consulting company called 3mdeb has successfully loaded an open source BIOS, called Coreboot, and a firmware distribution framework of its own creation, called Dasharo, onto a modern Intel Alder Lake Z690 motherboard from MSI. It's done so in hope of offering even greater control over the fundamental PC software to the end user with the open source BIOS software.
A few key benefits of Coreboot: it is "unbrickable", meaning updating the firmware should no longer put your PC in any danger; it's secure with a minimal Trusted Computing Base; it's designed to boot super quickly, in under a second; and you can load up your own boot splash screen jpeg. That last one is of the utmost importance. One of the largest users of Coreboot today, which you might recognise, is Google for its Chromebook devices.


Re: Coreboot (OSS bios firmware)

#9 Post by Midas »

Another tidbit illustrating how deeply embedded Intel IME and AMT have become in modern OSes (and their vulnerabilities as well, although one expects most would have been mitigated by now...) is this 5-year-old tutorial that details using some arcane CLI tool with several required steps -- and which still ends with this caveat:
But the Intel ME co-processor is still running.§

§) Unless your OEM provides a way to deactivate its hardware, like I expect Lenovo to have properly done with the corresponding BIOS option... :|

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: Coreboot (OSS bios firmware)

#10 Post by Andrew Lee »

You might find this interesting too: Who is Thinking About Open-Source Firmware?
Secrets that move from software to firmware are still secrets, and even those among us who are the most staunch proponents of open source have closed hardware and firmware paths in our computers. Take the Intel Management Engine, a small computer inside your computer that’s running all the time — even while the computer is “off”. You’d like to audit the code for that? Sorry. And it’s not like it hasn’t had its fair share of security relevant bugs.

And the rabbit hole goes deeper, of course. No modern X86 chips actually run the X86 machine language instructions — instead they have a microcode interpreter that reads the machine language and interprets it to what the chip really speaks. This is tremendously handy because it means that chip vendors can work around silicon bugs by simply pushing out a firmware update. But this also means that your CPU is running a secret firmware layer at core. This layer is of course not without bugs, some of which can have security relevant implications.


Re: Coreboot (OSS bios firmware)

#11 Post by Midas »

Andrew Lee wrote: You might find this interesting too...
Yes, I did, thank you. 8)

It also made me smirk (from the comments):
RW ver 0.0.1 says: (May 14, 2022 at 5:54 pm)

When you think about it, a lawyer is a biological expert knowledge system which you instruct to solve a problem in the legal sphere, and it translates to and from legalese to English to let you know how it’s going and developments in the progress towards a solution. You set them off in a kind of battlebots arena known as a courtroom and if your bot wins it’s all good, if it doesn’t it costs you a lot and it’s back to the drawing board.


Re: Coreboot (OSS bios firmware)

#12 Post by Midas »

A rather interesting development of coreboot is the so-called chrultrabook:
A chrultrabook is a modified Chromebook designed to run Windows, Linux, or even macOS by utilizing MrChromebox coreboot firmware. The purpose of this site is to provide comprehensive and user-friendly documentation on hardware, firmware, and operating systems.

There's a list of supported devices to start with:
Instructions for Windows set up are at chrultrabook.github.io/docs/docs/installing-windows.html.
