Hi Coreboot,
We are from a computer store and we sell computers and laptops with Linux or Windows or dual boot. For Linux we are often asked for laptops with coreboot, probably due to the presence of Intel ME spyware in the laptops. So, we are now investigating whether there is a possibility to offer the laptops with coreboot. Normally we buy our laptops at a distributor; we have also asked the distributor for coreboot, but they don't know anything about BIOS/UEFI or coreboot. They only deliver the laptops with the BIOS/UEFI that the manufacturer made; we can always ask for a BIOS update but not for other BIOS systems like coreboot. We don't have any contact with the manufacturer or have any contact data. I know there are laptops of this brand that have coreboot on them, but to buy directly at the manufacturer we don't sell enough (I think we must sell 10.000 laptops in a quarter or more).
My questions:
- When I have installed coreboot, can I also boot Windows 10 or boot in dual-boot (Windows and Linux)?
- The installation of coreboot is very unclear. I have looked on Google but I don't really know how I can install it.
- Can I install coreboot like we normally flash a BIOS? (start up with an EFI boot stick and run a batch file, or start up in the BIOS and do a BIOS update directly from the BIOS with a USB stick with the flash file)
- Or do I need an EEPROM programmer or something like that?
- Must I take the motherboard completely out of the laptop?
To work with coreboot it's very important to have a very fast procedure to install it in mass production. We cannot spend a few hours on each laptop. It must be one flash file for one laptop model and another flash file for another laptop model, so we can install coreboot on the best-selling models. Start up from a USB stick, do a flash update, wait 5 or 10 minutes and reboot, ... done.
If it's possible with a procedure like the above, can I get some help to make the first coreboot flash?
With Kind Regards, Gert
Dear Gert,
On 28.03.21 at 09:26, Gert Vanhaerents wrote:
Hi Coreboot,
Welcome to coreboot.
(Please note, coreboot is spelled all lowercase.)
We are from a computer store and we sell computers and laptops with Linux or Windows or dual boot. For Linux we are often asked for laptops with coreboot, probably due to the presence of Intel ME spyware in the laptops.
Please note that coreboot has nothing to do with the Intel Management Engine, as it’s a separate “chip” running its own firmware [1].
So, we are now investigating whether there is a possibility to offer the laptops with coreboot. Normally we buy our laptops at a distributor; we have also asked the distributor for coreboot, but they don't know anything about BIOS/UEFI or coreboot. They only deliver the laptops with the BIOS/UEFI that the manufacturer made; we can always ask for a BIOS update but not for other BIOS systems like coreboot. We don't have any contact with the manufacturer or have any contact data. I know there are laptops of this brand that have coreboot on them, but to buy directly at the manufacturer we don't sell enough (I think we must sell 10.000 laptops in a quarter or more).
My questions:
- When I have installed coreboot, can I also boot Windows 10 or boot in dual-boot (Windows and Linux)?
Yes, you can do that, but it often depends on the mainboard.
- The installation of coreboot is very unclear. I have looked on Google but I don't really know how I can install it.
There are several ways. Often, the tool flashrom is used, and then you can decide if you program the chip externally or internally. If internal flashing is supported, depends on the device.
- Can I install coreboot like we normally flash a BIOS? (start up with an EFI boot stick and run a batch file, or start up in the BIOS and do a BIOS update directly from the BIOS with a USB stick with the flash file)
That depends on the device. If the internal flashing method is supported, you’d likely start a GNU/Linux live system, and run flashrom from there.
- Or do I need an EEPROM programmer or something like that?
- Must I take the motherboard completely out of the laptop?
Both items seem to belong together, as you have to attach the external programmer to the chip somehow. It depends on the device and where the flash ROM chip is located.
To work with coreboot it's very important to have a very fast procedure to install it in mass production. We cannot spend a few hours on each laptop. It must be one flash file for one laptop model and another flash file for another laptop model, so we can install coreboot on the best-selling models. Start up from a USB stick, do a flash update, wait 5 or 10 minutes and reboot, ... done.
If it's possible with a procedure like the above, can I get some help to make the first coreboot flash?
Everything you asked for is possible, but depends on your device. First of all, a coreboot port needs to exist for your device.
As you are running a business and making a profit, and you didn’t share any device details, I recommend contracting a consulting firm [2] to analyze the situation.
Kind regards,
Paul
PS: No offense, but it’d be great, if you used a spell checker before sending an email to a mailing list.
[1]: https://www.coreboot.org/Binary_situation
[2]: https://coreboot.org/consulting.html
Hi,
Thanks for your answer, and sorry about the spelling mistakes; I am not so good at English.
Technical details of some laptops: normally we work with Clevo laptops, for example the type NS50MU. I see on the System76 site that they also work with this type: https://system76.com/laptops/darter
I also see these pages on the System76 site: https://github.com/system76/firmware-open https://github.com/system76/ec
Now I have a Clevo NS50MU; how can I install coreboot? Can I use the same coreboot as on this System76 website?
Another model that we use is the Clevo NL51CU or Clevo NJ70CU.
"Please note, that coreboot has nothing to do with the Intel Management Engine as it’s a separate “chip” running it’s own firmware [1]. "
Can I completely disable that Intel ME software via coreboot?
With kind regards, Gert
On 28.03.21 09:24, Gert Vanhaerents wrote:
"Please note that coreboot has nothing to do with the Intel Management Engine, as it’s a separate “chip” running its own firmware [1]."
Can I completely disable that Intel ME software via coreboot?
No. At various levels. But you can probably use similar tools, e.g. flashrom to *reduce* its firmware. What I'm going to suggest later should be independent of the host firmware (e.g. BIOS, UEFI or coreboot).
First thing to understand is that the Intel ME is no spyware and nothing evil per se. Somehow bad, though: its firmware is not open-source and it's a security risk.
The "Binary situation" page Paul linked is a bit outdated (about 7 years, I guess). It mentions a Panic level of 9,000+ for the ME. One has to know that the authors of this page would probably never consider running Windows. For comparison, I guess that would be Panic level 100,000.
FWIW, people mostly call it spyware or backdoor because they bought a computer, didn't read the manual, and were later taken by surprise when they learned what their computer can do. There are scary things, that's true, but they are usually advertised (e.g. Remote Management, Anti-Theft, these things are sold, not hidden).
Modern computers are full of tiny, programmable processors. The ME is just one of them, albeit a very powerful one. What draws attention to the ME are two things, IMO:
* A huge part of its firmware usually resides in the BIOS flash.
* The firmware optionally has networking capabilities.
The ME (processor) starts executing code from a ROM embedded in the chipset. The last time one could completely disable this was over a decade ago (Intel 4 series chipsets, before the Core i* processors).
Today, the ROM code and some hundred kilobytes of firmware in flash are essential for the computer to work. However, Intel refuses to provide a firmware package that does just this essential part and nothing else. It existed before, though, for the first generation of Core i chipsets. They call it an "ignition" firmware. If you'd ask Intel for it, they would tell you that nobody else wants it, so they won't provide it. It's not true. They tell that to everyone about everything that isn't on their own agenda. Pressure was high enough to make them release an ignition firmware for a server platform lately, though.
If you have any contact to Intel, ask them for ignition firmware! At the very least they'd see another one asking.
What can be done about it:
* If you have an NDA with Intel, you can use their tools to disable unwanted features of the ME firmware. Also, there are usually two variants of the firmware: "consumer" and "corporate". On the Clevo devices I would expect the former.
* There is something for newer chipsets introduced for Chromebooks, an ME "lite SKU". This may be similar to an ignition firmware, I don't know yet. Ask Intel about it :)
* For some chipsets there is a configuration bit, sometimes called AltMeDisable or HAP, to disable non essential parts of the firmware (even if they are present in flash). FWIW, people have made positive experience with this (i.e. systems are still stable enough to sell them). But don't blame me if something goes wrong ;)
* There is a tool `me_cleaner` that may be able to reduce the firmware but it sometimes compromises stability.
For the sake of completeness, here are some points that I know people (not me) might miss after "cleaning" the ME:
* Integrated (firmware) TPM
* PAVP (Intel's DRM tech to stream high-resolution, protected video)
In any case, to alter the ME firmware in flash, you need write access, and -- same as with the BIOS -- it depends on the current configuration of the machine if you can do that without an external flash programmer.
Nico
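The HAP / AltMeDisable bit Nico mentions lives in the PCH soft straps of the Intel Flash Descriptor, not in the ME firmware itself. The following is an added example, not code from the thread and not me_cleaner's own code, that locates that strap in a flash image and sets it, returning a new image so the caller can prove nothing else changed before handing it to flashrom. The descriptor offsets are my assumptions, taken from the publicly documented layout as me_cleaner applies it (signature 0x0FF0A55A at 0x10, FLMAP1 at 0x18, HAP = PCHSTRP0 bit 16 for ME 11+, AltMeDisable = PCHSTRP10 bit 7 for older ME); verify them against me_cleaner or Intel's FIT documentation for your chipset before flashing anything. The 4 KiB descriptor used as input is constructed inline.

```python
"""Locate and set the ME soft-disable strap (HAP / AltMeDisable) in an
Intel Flash Descriptor image.

Added example for the coreboot mailing-list thread; not me_cleaner's code.
ASSUMED layout (verify against me_cleaner / Intel documentation):
  * descriptor signature 0x0FF0A55A at image offset 0x10
  * FLMAP1 at offset 0x18; PCH strap base FPSBA = (FLMAP1 >> 12) & 0xff0
  * ME 11+ (Skylake and later): HAP          = PCHSTRP0  bit 16 (FPSBA + 0x00)
  * ME 10 and older:            AltMeDisable = PCHSTRP10 bit 7  (FPSBA + 0x28)
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
SIG_OFFSET = 0x10
FLMAP1_OFFSET = 0x18


def strap_bit(hap):
    """Return (offset relative to FPSBA, bit number) of the disable strap."""
    if hap:
        return 0x00, 16      # PCHSTRP0 bit 16: HAP (assumed)
    return 0x28, 7           # PCHSTRP10 bit 7: AltMeDisable (assumed)


def pch_strap_base(image):
    """Check the descriptor signature and return FPSBA."""
    if len(image) < 0x1000:
        raise ValueError("image shorter than one descriptor region (4 KiB)")
    (sig,) = struct.unpack_from("<I", image, SIG_OFFSET)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    (flmap1,) = struct.unpack_from("<I", image, FLMAP1_OFFSET)
    return (flmap1 >> 12) & 0xff0


def me_disable_bit_is_set(image, hap):
    """True if the strap bit is already set in this image."""
    off, bit = strap_bit(hap)
    base = pch_strap_base(image)
    (strap,) = struct.unpack_from("<I", image, base + off)
    return bool((strap >> bit) & 1)


def set_me_disable_bit(image, hap):
    """Return a copy of image with the strap bit set; the input is untouched."""
    out = bytearray(image)
    off, bit = strap_bit(hap)
    base = pch_strap_base(out)
    (strap,) = struct.unpack_from("<I", out, base + off)
    struct.pack_into("<I", out, base + off, strap | (1 << bit))
    return out


def changed_offsets(before, after):
    """Byte offsets that differ between two images of equal length. Run this
    on the original dump and the modified image to prove that only the strap
    byte changed before you write anything back to the chip."""
    if len(before) != len(after):
        raise ValueError("length mismatch")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def make_test_image():
    """CONSTRUCTED 4 KiB descriptor: valid signature, straps at 0x100,
    every strap bit clear. Not a dump of any real machine."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, SIG_OFFSET, IFD_SIGNATURE)
    fpsba = 0x100
    struct.pack_into("<I", img, FLMAP1_OFFSET, (fpsba >> 4) << 16)
    return img


if __name__ == "__main__":
    img = make_test_image()
    for hap in (True, False):
        new = set_me_disable_bit(img, hap)
        name = "HAP" if hap else "AltMeDisable"
        print(name, "set:", me_disable_bit_is_set(new, hap),
              "bytes changed:", [hex(o) for o in changed_offsets(img, new)])
```

In practice you would feed `set_me_disable_bit` a full dump read with flashrom, confirm `changed_offsets` reports a single byte inside the descriptor, and then write back only the descriptor region (flashrom can restrict a write to it with `--ifd -i fd`). Whether that write succeeds from the running OS depends on the descriptor's master permissions, which is exactly the "write access" caveat above; if the descriptor is locked, an external programmer is the only way.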
Nico Huber wrote:
First thing to understand is that the Intel ME is no spyware and nothing evil per se.
..
FWIW, people mostly call it spyware or backdoor because they bought a computer, didn't read the manual, and were later taken by surprise when they learned what their computer can do. There are scary things, that's true, but they are usually advertised (e.g. Remote Management, Anti-Theft, these things are sold, not hidden).
I'd like to remind everyone of what I call "the ME book":
Platform Embedded Security Technology Revealed
ISBN: 9781430265719
http://www.apress.com/9781430265719
The book is essentially a collection of ME whitepapers to make Intel's customers feel good about Intel platforms.
It provides fairly good insight into the ME, functionally and conceptually, and while it doesn't include a detailed roadmap the book still shows a general direction for the ME into the future. Perhaps most importantly, the book makes very clear who Intel's customer is, or isn't, like in my favorite quote from page 165 at the start of the "Trust Computing" chapter:
"The owner of a platform is not always the one to protect."
I celebrate this honesty. This helps clarify that Intel platforms are not meant to be controlled by, and to protect, their owners.
Which may also explain why some Intel platforms capabilities have never been communicated to prospective platform owners in a very clear and understandable way. I think people quite justifiably feel betrayed by the many layers of marketing BS about vPro and AMT.
Intel platforms clearly optimize for an interest other than that of platform owners. Intel may not actively hinder accidental alignment of those different interests, but it's clear that these are products not made for you, the owner, you're just the sucker paying for them.
I can completely understand that people disagree.
//Peter
Hello Gert,
it's very nice to hear that your customers ask for coreboot :) \o/
I'll start with the annoying part, hopefully bringing more cheerful news later:
coreboot is not a ready-to-install firmware. coreboot is used by ODMs and OEMs like System76 or sometimes enthusiasts to build their very own firmware. Imagine you'd ask a Linux kernel developer how to install Linux. They'd probably start by telling you that there are many different Linux distributions, many different ways to do things and many things to consider. Or they might just point you towards Ubuntu. But alas there is no such convenient solution for firmware. For firmware every device is different, every device needs a bit of special care.
So coreboot is like a kernel of the firmware that needs to be adapted to every device. The good news for your Clevo devices is that this part is (almost) already done by System76 (assuming they use identical hardware). However, System76 also uses their own EC firmware which coreboot needs to be compatible with. And its interface is unlikely to be compatible with Clevo's EC firmware. So either you'd have to install their EC firmware too, or their coreboot ports need to be adapted to Clevo's EC firmware. I have no idea how much trouble it is to replace the EC firmware. If you need coreboot code adapted, you can seek professional help like Paul suggested.
If I say coreboot is like a kernel, you probably already wonder what else you need. coreboot only knows a single storage medium: the flash chip that contains coreboot itself (i.e. the BIOS flash). Thus, it can't load your OS from a hard disk. Instead, coreboot loads another program from the flash chip, which we call the coreboot "payload".
There are many different payload options. Beside loading the OS (or its boot loader), the payload also provides the look & feel of the firmware. Just to mention the most prominent ones:
* SeaBIOS: Provides a PC BIOS implementation. What many people would call a legacy BIOS boot today.
* TianoCore: Provides a UEFI implementation. (What I would call legacy today. ^^)
* Linux: You can use a Linux kernel + initramfs as a payload. Yes, one can implement the look & feel of their firmware in a Linux user-space program. There are many different implementations yet, if you are interested, just ask :)
* GRUB: The GRUB bootloader can act as a coreboot payload directly.
Back to your Clevo devices, obviously you can just copy System76's choice of payload. I assume (not sure though) they use TianoCore. But I can't tell if that is what your customers expect.
Now, hopefully I still have some time to answer some of your specific questions :)
On 28.03.21 09:26, Gert Vanhaerents wrote:
- When I have installed coreboot, can I also boot Windows 10 or boot in dual-boot (Windows and Linux)?
It's generally possible, with some limitations, though. For Windows, you'll most likely need either SeaBIOS or TianoCore. Windows always needs some jumpstart help by the firmware. There is some effort to implement UEFI services for Linux payloads, but I don't know its status.
- The installation of coreboot is very unclear. I have looked on Google but I don't really know how I can install it.
That's because every device is different. For a start you can install flashrom (for new hardware you might have to build it from source [1]) on Linux and run this to gather some information about the device:
$ sudo flashrom -p internal -o logfile.txt
With some luck we might be able to tell by the log how hard it is to get coreboot on the machine.
- Can I install coreboot like we normally flash a BIOS? (start up with an EFI boot stick and run a batch file, or start up in the BIOS and do a BIOS update directly from the BIOS with a USB stick with the flash file)
This depends on the expectations of the original firmware. For instance will it accept a random firmware? will it even accept something that is not signed by the manufacturer?
- Or do I need an EEPROM programmer or something like that?
- Must I take the motherboard completely out of the laptop?
To work with coreboot it's very important to have a very fast procedure to install it in mass production. We cannot spend a few hours on each laptop. It must be one flash file for one laptop model and another flash file for another laptop model, so we can install coreboot on the best-selling models. Start up from a USB stick, do a flash update, wait 5 or 10 minutes and reboot, ... done.
If it's possible with a procedure like the above, can I get some help to make the first coreboot flash?
Yes, of course. But a word of warning: even if flashing from the running system is possible, we recommend doing the first experiments with an external flash programmer. Just so you can recover if something goes wrong and the machine doesn't boot anymore. For urgent help, and in general, you can join us on IRC (freenode.net) #coreboot and #flashrom.
Nico
[1] https://flashrom.org/Download
With the prerequisites installed, run:
$ git clone https://review.coreboot.org/flashrom.git && cd flashrom && make
To run the flashrom binary from the current directory, prepend it with `./`, i.e.
$ sudo ./flashrom ...
Oh, if it complains about /dev/mem access failing, try
$ sudo modprobe -r lpc_ich
- Must I take the motherboard completely out of the laptop?
NS50MU doesn't need to be removed from the chassis. If you look at System76 tech docs [1], the flash chip (U12) is located above the left RAM slot.
Back to your Clevo devices, obviously you can just copy System76's choice of payload. I assume (not sure though) they use TianoCore. But I can't tell if that is what your customers expect.
We use our own fork of TianoCore, but I've tested other boards that I have at least boot using the payload provided by coreboot.
The good news for your Clevo devices is that this part is (almost) already done by System76 (assuming they use identical hardware).
The darp7 is based on NS50MU, so any potential differences would hopefully be limited to factory options Clevo provides.
*But* this is a TGL board, and we have several patches applied in addition to the mainboard code to make it work (e.g., CB:50597 and CB:50598, among other without upstream MRs yet). And I don't have any boards with me to test with.
However, System76 also uses their own EC firmware which coreboot needs to be compatible with. And its interface is unlikely to be compatible with Clevo's EC firmware.
Yep. There were a few boards where coreboot + ITE's EC firmware worked, but many won't boot due to missing communication between the BIOS and EC. The EC RAM space was compatible with ITE's firmware, but going forward that won't necessarily be true (CB:49129).
I have no idea how much trouble it is to replace the EC firmware.
Not much trouble once you have the hardware. We use a Mega2560 to flash the EC over the keyboard port [2], which has worked for all our boards so far.
[1]: https://tech-docs.system76.com/models/darp7/internal-overview.html [2]: https://github.com/system76/ec/blob/master/doc/flashing.md#external-programm...
-- Tim Crawford System76 Kernel Engineer tcrawford@system76.com