On Mon, 24 Jun 2019 08:17:14 -0700 ron minnich rminnich@gmail.com wrote:
We're reviewing the STM code, of course. If you're going to worry about something, worry about FSP 2.0 still being closed source. FSP is not optional and we have no idea of all the things it does/can do.
Not only that.
For people that don't run any nonfree code somewhere else, the main thing to worry in that context should rather be all the nonfree software that is used during boot (FSP, Management Engine OS, PSP, SMU, etc), or at the lowest levels, and the CPU microcode.
On the hardware supported by Libreboot, it's possible to get rid of most of the issues as they make sure that what they ship is fully free software.
However, even with Libreboot, some very minor issues, compared to the rest, still need to be solved: - The Management Engine has a ROM that might still do unknown things once the computer is booted. For the computers with a GM45 chipset. - The Thinkpads have nonfree code on the embedded controller, this could be abused as a keylogger or could inject commands. This looks less a concern as it would need to be triggered in some way. - All x86 computers have a microcode, and so it may contain a similar backdoor than the one shown in the "Reverse Engineering x86 Processor Microcode". The microcode updates may also contain a backdoor so that won't solve the issue either.
The ARM laptops supported by Libreboot are not affected. The supported AMD computers could also be not affected if/when their microcode are fully understood and that there are free software microcode patches to fix the most problematic issues.
There is also some minor packaging work to be done on ARM, for instance there is no tor-browser release for ARM GNU/Linux yet, but I heard that some people are working on that.
However for people that also run other nonfree software, including JavaScript in web pages, there is way too much things to care about to make sure that this software cannot somehow gain more privileges.
This could still be improved by whitelisting some known free JavaScript programs (LibreJS does some of that), and/or making the websites work without Javascript. This could be worked on in the popular free and open source software web frameworks, and in the programs that block Javascript (like noscript, libreJs, etc).
There is probably a long way to go for that, even if some minor improvements could have major usability improvements at the beginning.
Denis.