Announcing coreboot 4.1 (coreboot.org)
123 points by conductor on July 22, 2015 | 27 comments


Coreboot has great documentation and community. I once "corebooted" my X60s with a picture of my family and contact details in case the laptop is lost. The laptop was never lost, but my wife loved the picture of the _very_ early boot stage.

It's a great project from a user's perspective: healthy community, very interesting, quick-reward project to play with.

If you have a spare compatible ThinkPad, I highly encourage you to try it out. :-) IIRC, there is a patch from me in coreboot -- it was so easy to prepare and submit one.


I'm posting this from an X60 that runs gNewSense. I removed the wifi card to reduce the heat on the palm rest and to increase the friction to spending time on the Web instead of writing. I use a Netgear USB wifi adaptor for when I want to use a connection.

I'm reading the page at

http://www.coreboot.org/Board:lenovo/x60/Installation

and wondering how hard it would be to put coreboot on this. I'm also wondering about suspend, the BIOS settings (ability to switch a core off and change power profiles &c). It would also be really cool to have a QR code display when the laptop boots.

Have you done a write-up anywhere?


There's http://libreboot.org/docs/install/index.html#flashrom_lenovo...

Since you're using gNewSense, you may appreciate what libreboot is doing with coreboot (libreboot:coreboot ~ kernel-libre:kernel)


It's a shame that Coreboot is being actively killed by Intel and others.

For example, the new ThinkPads (and other laptops/desktops) with the Broadwell U/Y series have "Intel Boot Guard", which cryptographically prevents a replacement BIOS from being flashed onto the hardware [1]. I truly wonder what the long-term strategic benefit of doing this is. Isn't the only way to compete against Apple to open up more?

[1] http://www.coreboot.org/pipermail/coreboot/2015-February/079...


Number of bad guys who want to flash malware into your BIOS [1] >> number of freedom fighters who want to flash Coreboot.

IMO the solution is economic. If a PC vendor wanted to ship Coreboot I'm sure they would find a way to do it. But people buying Windows PCs and installing Linux are keeping the "native" Linux PC market unsustainably small.

[1] http://blog.trendmicro.com/trendlabs-security-intelligence/h...


What are the number of reasons not to add a physical switch so you can if you want?


It'd add to the design, QA and manufacturing costs while only increasing the sales by a tiny amount. Given the minuscule margins of PC manufacturers, any increase in the cost would be a hard sell. An increase in the manufacturing cost of say $0.1 might seem totally insignificant when a laptop sells for $500. But when the profit margin on the laptop is $10, that extra widget just cut the profits down by 1%.


There are already these kinds of switches - for example, the Chromebook's coreboot flashing procedure details [1] how to set the jumpers to enable coreboot flashing.

[1] http://www.coreboot.org/Chromebooks#Firmware_Chips


This already exists for desktops (frequently a jumper to enable/disable BIOS flashing). For laptops this is bad by nature of their portability; they're too easy to tamper with.


Isn't the link about Hacking Team using a UEFI exploit an argument FOR having an open-source boot system that can be fixed/patched by the community? I mean, Intel is one of the biggest contributors to Linux - it cannot be blind to adopting an open-source alternative to insecure BIOS.


I doubt that Intel is blind to the desires of Microsoft and system manufacturers either.


Touché! But there's a new Microsoft in town! I hardly think that, after being the biggest contributor to OpenBSD [1], they would build an underhanded way of trying to kill Linux.

I'm trying to understand if there is an attack vector that is prevented by not allowing coreboot.

[1] http://www.theregister.co.uk/2015/07/08/microsoft_donates_to...


See http://mjg59.dreamwidth.org/33981.html.

It does increase security, since for instance in spite of its complexity Secure Boot has proven to be reasonably secure, and thus it is simpler to attack the firmware.

However, I agree with Garrett and disagree with aaronem: just as shown by Secure Boot on x86, you can have a reasonable choice between security and user's choice, i.e. you can give freedom and security. A similar mechanism, in which a user could enroll their keys and install their signed coreboot payload, is possible. The same applies to TPM. Given that Intel had 55 billion in revenues last year, I see no reason to cut them any slack (same goes for Apple, Qualcomm, etc).

As far as the "new Microsoft" goes, the policy on Windows Phone is the same on Windows 10 as it was on Windows RT and Windows 8: Secure Boot on ARM is locked down in such a way that the user cannot add their own keys, or send a binary to Microsoft to have it signed for $99 (i.e. the result is functionally equivalent to Apple's policy with iOS). If you sell devices on which the users can't even decide which kernel to boot, you probably don't have a problem with devices in which the users can't decide which firmware to use.


It's a lot easier to escalate a binary drop into a persistent threat if it can reflash the BIOS with compromised firmware. Requiring firmware be signed prevents this, at the cost of also preventing the use of coreboot, libreboot et al.

In theory, it should be possible to support user flashing of unsigned firmware, perhaps in some sort of OS-less boot mode that malware couldn't use. But offering that capability without it being a backdoor is costly and effortful enough that I don't really blame motherboard manufacturers for declining to do so on behalf of a rather niche use case.


I use Libreboot (de-blobbed coreboot) every day, and I love it. My ThinkPad X200 boots to a graphical desktop login screen in seconds, and is super easy to reconfigure via Kconfig.

They even provide 'libpayload' for building your own boot payloads. Totally awesome.

http://www.coreboot.org/Libpayload


This is absolutely great news.

Now only if I could get Supermicro servers with coreboot by default, or some similar bare bones value brand...


Depending on your needs, the network appliance type servers made by ADI Engineering for Netgate may be appropriate.

http://store.netgate.com/ADI.aspx

https://github.com/ADIEngineering

I have NO affiliation with these companies. I'm simply happy that they are shipping Coreboot.


I really want to try out coreboot (and also BITS, but that's easier).

What's the cheapest non-QEMU way to play with coreboot?


I have an old X60s which I discovered only a few days ago is compatible and indeed well-supported by coreboot/libreboot. I intend to put it on there soon. You can pick up old X60s's on eBay for not very much money ($100 or so).


ThinkPads. The X200/X300, T430/T530 series are all fairly modern and cheap laptops that are supported on coreboot.

Also Gluglug, which builds 100% free (as in freedom) laptops - http://shop.gluglug.org.uk/


I can't seem to find easy directions for putting it on an X201; got any suggestions?


These are the only two I could find:

https://github.com/bibanon/Coreboot-ThinkPads/wiki/ThinkPad-...

http://www.coreboot.org/Board:lenovo/x201

Alternatively, do post in /r/thinkpad.


> I really want to try out coreboot (and also BITS, but that's easier).

Feel free to contact me if you have any questions about BITS. (Or if you have fun playing with it.) It's a lot of fun to work on, and it's a lot of fun to talk with people who use it.

> What's the cheapest non-QEMU way to play with coreboot?

A Chromebook. You can replace the read-write BIOS safely, as the system is always completely recoverable via the read-only BIOS. If you want to be able to replace the read-only BIOS as well (by turning the write-protect screw), get a Servo debug board, and read the online instructions for adding a Servo debug port to your Chromebook board. (Those boards typically have the debug header, just not the connector.)


Thanks Josh - I've pestered you about BITS in the past. I have way too many unfinished projects right now but it's on the list.


Chromebooks, for one.


What is BITS in this context?


Googleguess "The Intel BIOS Implementation Test Suite (BITS)" http://biosbits.org/



