On 12/17/2017 05:06 PM, Dame Más wrote:
> Hi, The Coreboot BIOS of Purism 13 is open?
No it isn't, while they do use coreboot the silicon init process is entirely blobbed.
Technical merits - is it better than an off the shelf dell laptop? Of course, but not better enough to justify even a $30 premium let alone the thousands they are charging for a whitebox re-brand. It removes the brander (ex: dell) from the firmware trust equation but intel still remains and so does ME.
If I was you I would purchase a different coreboot compatible laptop then compile and install coreboot while running me_cleaner yourself - this will provide a better result for a lot less money as these following laptops feature open source silicon init and in the case of the intel models are pre-skylake so more of ME can be "cleaned".
One of these laptops is $200 max for one in good condition, vs thousands for a Purism 13 - with the cash you save you can also buy a KCMA-D8 gaming computer for libre gaming in a VM or otherwise.
My laptop recs:
Lenovo G505S (best choice) - no ME/PSP + open source silicon init
Lenovo T420 (performance) - ME cleanable + open source silicon init - Can play new games via an ExpressCard EGPU
Lenovo X230 (mobility) - ME cleanable + open source silicon init
The T420 supports the better ivy bridge CPUs via coreboot, installing coreboot also removes the silly thinkpad wi-fi whitelist. If you get the X230 you may wish to install the better x220 keyboard mod.
I still don't understand as to why purism didn't simply use the AMD FT3 like the G505S, when they released their first laptop it was brand new and very fast...now it is not as fast as skylake but still more than good enough to be useful and definitely better than "free someday in the future" wintel.
I don't include the novena on this list due to it not having an IOMMU, although it does have open source firmware.
My desktop rec: KCMA-D8 (entirely libre, no ME/PSP, can play the latest games at high settings in a VM with a 4386 CPU and a VM attached graphics card)
> Where can I download the source code to understand how it is disabled intel ME? Thank you
They use a software called me_cleaner (not made by them) to "clean" the ME blob, it is available in the coreboot tree and the v4.6 tarball and can be run on almost any laptop that doesn't have the boot guard anti-feature[1] no matter if it supports coreboot or not.
It is impossible to disable ME/PSP[2], Intel/AMD intentionally made them integral to the boot process, they even bring up the main CPU - even google was not able to convince them to open source ME and/or provide a method to truly disable it.
On Purism's laptops the ME kernel is still running and it still inits the main CPU pre-BIOS, if it was disabled one could not only remove the full ME blob from the firmware but also physically disconnect the ME core - neither of which one can do on any modern intel platform.
There are many companies that sell legitimately owner controlled hardware so it can be done just not with brand new x86-64 - let us hope purism uses the proceeds from their not-really-libre laptops to produce something worthwhile.
[1] An anti-feature is something that negatively benefits you, in this case "boot guard" takes away the ability to modify your firmware making a modern intel platform controlled 100% by intel and 0% by you vs an intel system from 10 years ago that was 100% you, an IBM POWER 9 system (ex: TALOS 2) which is 100% owner controlled by you or an AMD system pre-PSP (around pre-2013) which is 100% you.
[2] AMD has PSP on their new stuff which is equivalent to ME and just as terrible
hi there! :)
im just learning these, ive got no personal experience just some knowledge about stuffs around these areas, so i can be wrong. first ive found a pic about an intel folk who talks about the intel me and its evilness so ive started to dig deeper, then ive found RMS's homepage, who wrote about libreboot (iirc), continued the learning there and arrived here...
sooo my understanding says that libreboot is a deblobbed coreboot, and you say that those machines you mentioned above are 100% owner controlled, however i only know lenovo t400 is good for libreboot from that list. is this about a misinterpretation of your words, or what? my best image about this is that coreboot is owner controlled but not deblobbed, however the possibility is fully opened - is this right? if yes, then what parts are not deblobbed and how serious they can be? so what could i win/lose by letting go the idea of aiming a libreboot machine and choose a coreboot machine instead? (that i dont know when i will have enough money for that purpose)
an another question is that ive read about the background of the whole hacking game maybe here maybe elsewhere but most likely from mixed origins... :D so my understanding says that there is a bunch of encryption keys that are unremovable (except by intel) maybe based on something like in that case (complete overwrite of everything included on the ic that contains the intel me) there is something else that will miss the original keys. (id appreciate a cleaner vision about this part, for better understanding, but its not the main question) so this encryption key is only validating something like headers or entrance points to the parts of the intel me but not the contents/body of them. the best that core-/libreboot can achieve is to override the body parts and we can say then the whole became whitebox and well known, or there is a next level after the achieved access to entirely remove it?
i dont even know how flashing going on in practise nor in theory, just trying to figure out things around... does it work like total copy/write access with the chance of wrecking things around on the other hand, or its controlling/limiting its own access, and then one should come over it somehow? where me_cleaner works 100% replacing could be achieved, just none implemented core-/libreboot yet for the other machines in the range of a specific range of intel me version?
and as these are the most mystical parts in my understanding i cant thanks enough if you or anyone around can make these clean for me! however i hope that one day ill be able to join you under this bright flag of freedom and give more help than spreading the verb around :)
so many thanks for any kinda help and all the bests for everyone around here!
On Sun, Dec 17, 2017 at 6:58 PM, Taiidan@gmx.com Taiidan@gmx.com wrote:
> On 12/17/2017 05:06 PM, Dame Más wrote:
>> Hi,
>> The Coreboot BIOS of Purism 13 is open?
> No it isn't, while they do use coreboot the silicon init process is entirely blobbed.
> Technical merits - is it better than an off the shelf dell laptop? Of course, but not better enough to justify even a $30 premium let alone the thousands they are charging for a whitebox re-brand. It removes the brander (ex: dell) from the firmware trust equation but intel still remains and so does ME.
That's a pretty absurd exaggeration. Purism laptops certainly sell at a premium relative to a Dell (eg) with similar CPU/RAM/SSD, but they don't sell anywhere near the same volume, so their costs are higher. They also feature hardware kill switches for wifi/BT and mic/webcam, ship with a blob-free Debian-based distro, and use coreboot with a disabled/neutered ME. Whether or not you consider those qualities, and supporting a startup working towards increasing owner control on modern hardware, to justify the price premium is certainly a valid point of discussion.
> If I was you I would purchase a different coreboot compatible laptop then compile and install coreboot while running me_cleaner yourself - this will provide a better result for a lot less money as these following laptops feature open source silicon init and in the case of the intel models are pre-skylake so more of ME can be "cleaned".
> One of these laptops is $200 max for one in good condition, vs thousands for a Purism 13 - with the cash you save you can also buy a KCMA-D8 gaming computer for libre gaming in a VM or otherwise.
"better" certainly depends on how one ranks the various qualities of a given device. If owner-control trumps all other considerations, then certainly there are "better" options, but you're not going to find anything for $200 that is anywhere close in terms of weight, battery life, screen quality, or using a modern SoC -- that's the tradeoff, and again something that's worth discussion, but framing it in the context of paying "thousands" for a Purism device vs $200 for something of equal/better capability is dishonest and does a disservice to the entire community IMO.