Hi Nico,
Although it can't be denied that I'm a bit biased here (since I own that G505S), I'm less critical towards G505S blobs, partially because some of these blobs are indeed completely optional (e.g. xHCI - never used it; microcode - is optional if you don't need a stable low-level Xen HVM virtualization), while others have been studied very well - to a point where almost-working open-source replacements for them have been created. For example, AtomBIOS - https://github.com/alterapraxisptyltd/openatom ; also it could be disassembled quite well with AtomDis - https://github.com/mikebdp2/AtomDis - reducing any security concerns regarding this blob to a minimum.
Also there aren't any blobs which are locked down and could not be replaced completely, so currently that seems to be the most powerful laptop which has some chance to be FSF RYF'ed eventually. Meanwhile, as far as I know, it's impossible to completely replace ME, only to trim its firmware as much as possible and hope for the best that it doesn't have some undocumented "backdoor restore" mechanism that could restore the original uncut blob under some conditions. Undoubtedly, Intel ME is a backdoor, e.g. because it contains some anti-theft features which could be used to control your computer remotely: shut it down, wipe or retrieve data from it, etc.
Mike

On Tue, Aug 28, 2018 at 11:20 AM Nico Huber nico.h@gmx.de wrote:
> Hi Mike,
>
> please don't spread FUD on this list.
>
> On 28.08.2018 09:54, Mike Banon wrote:
>> And even if there weren't any problem with Intel Boot Guard, it's not that easy to add support for a new board (impossible to do it over weekends, especially for the newcomers).
>
> The T450s would probably benefit a lot from the existing support for ThinkPads. But Broadwell really isn't a weekend port (Sandy or Ivy Bridge would be for a ThinkPad) because we have few Broadwell ports and an ugly blob situation.
>
> Anyway, chances are close to 100% that the T450s has BootGuard in verification mode.
>
>> If I were you, I would have sold these T450S and bought some machine already supported by coreboot. It could be one of those Intel ThinkPads (although you'll have to spend time cleaning Intel ME)
>
> You don't *have to* spend time cleaning the ME, you *can* spend time with it. It is actually unknown if that lowers or raises security, so there is really no reason to advise doing it (unless you need more flash space for fancy stuff).
>
>> or maybe Lenovo G505S quad-core AMD laptop which doesn't have any Intel ME / AMD PSP backdoors in its CPU at all - so no need to clean anything.
>
> The G505s requires a lot of other blobs, IIRC: xHCI (optional), AtomBIOS for GFX (which even runs in the OS on the host CPU), maybe more I don't remember. I don't see how that is better (you seemed to want to sell that by only stating the absence of blobs, ignoring those it has instead).
>
> Nico