On Mon, 24 Jun 2019 08:17:14 -0700
ron minnich <rminnich(a)gmail.com> wrote:
> We're reviewing the STM code, of course. If you're going to worry
> about something, worry about FSP 2.0 still being closed source. FSP is
> not optional and we have no idea of all the things it does/can do.
Not only that.
For people who don't run any nonfree code anywhere else, the main
thing to worry about in that context should rather be all the nonfree
software that is used during boot (FSP, Management Engine OS, PSP, SMU,
etc.), or at the lowest levels, and the CPU microcode.
On the hardware supported by Libreboot, it's possible to get rid of
most of the issues as they make sure that what they ship is fully free.
However, even with Libreboot, some very minor issues, compared to the
rest, still need to be solved:
- The Management Engine has a ROM that might still do unknown things
once the computer is booted, for the computers with a GM45 chipset.
- The Thinkpads have nonfree code on the embedded controller; this
could be abused as a keylogger or could inject commands. This looks
less of a concern as it would need to be triggered in some way.
- All x86 computers have microcode, and so it may contain a similar
backdoor to the one shown in "Reverse Engineering x86 Processor
Microcode". The microcode updates may also contain a backdoor, so
that won't solve the issue either.
The ARM laptops supported by Libreboot are not affected.
The supported AMD computers could also be unaffected if/when their
microcode is fully understood and there are free software
microcode patches to fix the most problematic issues.
There is also some minor packaging work to be done on ARM,
for instance there is no tor-browser release for ARM GNU/Linux yet, but
I heard that some people are working on that.
However for people that also run other nonfree software, including
make sure that this software cannot somehow gain more privileges.
programs (LibreJS does some of that), and/or making the websites work
and open source software web frameworks, and in the programs that block
There is probably a long way to go for that, even if some minor
improvements could have major usability improvements at the beginning.