----- Forwarded message from Blibbet blibbet@gmail.com -----
Date: Thu, 19 Sep 2013 11:01:43 -0700
From: Blibbet blibbet@gmail.com
To: liberationtech liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:16.0) Gecko/20121005 Thunderbird/16.0
Reply-To: liberationtech liberationtech@lists.stanford.edu
I don't think so -- unless you have a laptop flashed with a free software BIOS / boot firmware that you can inspect and modify. There are a handful of dated possibilities out there like that (Thinkpad x60 models that support coreboot, Lemote Yeelongs), but not the vast majority of laptops. The situation with laptops actually seems pretty analogous to the worst category of smartphones (those where the baseband firmware shares the main CPU and RAM).
Unfortunately, Coreboot is still not mainstream, neither is Lemote.
UEFI is the current mainstream system firmware, for Intel systems, and ramping up quickly for ARM (though not on Android-based devices yet, AFAIK).
Intel's Tunnel Mountain UEFI dev platform lets you flash your own UEFI-based firmware, and mainly targets firmware IHVs. http://www.tunnelmountain.net/ http://uefidk.intel.com/develop/workstation-development-kit
The Intel Atom-based MinnowBoard is a new UEFI dev platform, and it's Linux-based, and targets hackers; it uses Intel's definition of "Open Hardware", mainly meaning no NDAs involved. It is much cheaper and smaller than the above box. http://minnowboard.org/ http://uefidk.intel.com/content/minnowboard-uefi-firmware
Both of these boxes let you reflash your system firmware with your custom build of BSD-licensed TianoCore UEFI.
For Linaro's Linux/ARM device targets, Linaro also has a fork of Tianocore, and ships their own images. You can use the Linaro targets and modify this forked Tianocore firmware, as well, but it requires a bit more ARM-centric eLinux skills. https://wiki.linaro.org/ARM/UEFI
<soapbox>
There is a large OEM/ODM/IBV/IHV/ISV ecosystem that currently runs the hardware, and it is UEFI-centric. IMO, focusing only on fringe Lemote/Coreboot technology is not a good bet.
Personally, I wish EFF/FSF and other open/free tech groups would form a Linaro-like firmware group and produce their own UEFI firmware image, as an option for OEMs.
There needs to be some Free Boot alternative to Secure Boot, with certs from EFF/FSF/etc and the open source distro vendors, not just OEMs/MSFT in the firmware, and it needs to target booting from a handful of main open source distros, not just 1 commercial OS. Else, UEFI will turn Personal Computers into Windows PCs, ending the era of General Purpose computing.
</soapbox>
On 2013-09-20 11:51, Eugen Leitl wrote:
> The Intel Atom-based MinnowBoard is a new UEFI dev platform, and it's Linux-based, and targets hackers; it uses Intel's definition of "Open Hardware", mainly meaning no NDAs involved. It is much cheaper and smaller than the above box. http://minnowboard.org/ http://uefidk.intel.com/content/minnowboard-uefi-firmware
To wit, its download page is guarded by a long, non-free EULA: http://uefidk.intel.com/content/minnowboard-uefi-firmware-eula Some of the components also seem to be binary-only.
> Both of these boxes let you reflash your system firmware with your custom build of BSD-licensed TianoCore UEFI.
BSD-licensed TianoCore + heaps of binary modules that are currently only available under NDA. They'd also require some additional code (probably binary only?) to make Tiano resemble something like a complete and secure implementation.
> <soapbox> There is a large OEM/ODM/IBV/IHV/ISV ecosystem that currently runs the hardware, and it is UEFI-centric. IMO, focusing only on fringe Lemote/Coreboot technology is not a good bet.
coreboot is your only bet on x86 if you aim for open source firmware. It can be combined with TianoCore to provide the UEFI APIs to the user (read: Operating System), but TianoCore alone won't do since it lacks hardware initialization drivers (that coreboot provides).
> Personally, I wish EFF/FSF and other open/free tech groups would form a Linaro-like firmware group and produce their own UEFI firmware image, as an option for OEMs.
Personally, I wish people wouldn't wish for someone else to start groups, but do it themselves for a change.
However that brings the risk of seeing that things aren't quite as simple and might ultimately fail. Of course, soapboxes and arm chairs are much more comfortable and comparably risk-free.
> There needs to be some Free Boot alternative to Secure Boot, with certs from EFF/FSF/etc and the open source distro vendors, not just OEMs/MSFT in the firmware, and it needs to target booting from a handful of main open source distros, not just 1 commercial OS. Else, UEFI will turn Personal Computers into Windows PCs, ending the era of General Purpose computing.
"main open source distros" is not enough since it creates a gatekeeper model. "Secure Boot" (which is really a Verified Boot) without physical user override doesn't cut it.
ChromeBooks, using coreboot, provide a mostly* Open Source Verified Boot model with physical user override (with two override modes: safe via dev mode switch, and complete via jumper).
* (blame Intel)
tl;dr: Comparing coreboot, Lemote, UEFI and Tianocore isn't as easy as people seem to believe.
Regards, Patrick
> > Both of these boxes let you reflash your system firmware with your custom build of BSD-licensed TianoCore UEFI.
> BSD-licensed TianoCore + heaps of binary modules that are currently only available under NDA. They'd also require some additional code (probably binary only?) to make Tiano resemble something like a complete and secure implementation.
And as far as FOSS firmware development goes, Gizmo Board (http://www.gizmosphere.org/why-gizmo/gizmoboard/) is far superior and actually ships with fully functioning open source firmware derived from coreboot. No blobs, no restrictive licensing.
> > <soapbox>
> > There is a large OEM/ODM/IBV/IHV/ISV ecosystem that currently runs the hardware, and it is UEFI-centric. IMO, focusing only on fringe Lemote/Coreboot technology is not a good bet.
> coreboot is your only bet on x86 if you aim for open source firmware. It can be combined with TianoCore to provide the UEFI APIs to the user (read: Operating System), but TianoCore alone won't do since it lacks hardware initialization drivers (that coreboot provides).
Indeed. TianoCore is not a full firmware implementation -- It usually sits atop a layer cake of non-free / binary components that do the actual work of initializing the hardware.
As Patrick points out, Coreboot running with TianoCore on top as a payload can accomplish what you seem to be asking for. There has been substantial work done here already, so if you *really* need UEFI services you can work on polishing it up: http://www.phoronix.com/scan.php?page=news_item&px=MTI4ODU