[coreboot] Coreboot Purism BIOS is free? open?

Mon Dec 18 01:58:56 CET 2017

On 12/17/2017 05:06 PM, Dame Más wrote:

> Hi,
> The Coreboot BIOS of Purism 13 is open?
No it isn't, while they do use coreboot the silicon init process is 
entirely blobbed.

Technical merits - is it better than an off the shelf dell laptop? Of 
course, but not better enough to justify even a $30 premium let alone 
the thousands they are charging for a whitebox re-brand.
It removes the brander (ex: dell) from the firmware trust equation but 
intel still remains and so does ME.

If I was you I would purchase a different coreboot compatible laptop 
then compile and install coreboot while running me_cleaner yourself - 
this will provide a better result for a lot less money as these 
following laptops feature open source silicon init and in the case of 
the intel models are pre-skylake so more of ME can be "cleaned".

One of these laptops is $200 max for one in good condition, vs thousands 
for a Purism 13 - with the cash you save you can also buy a KCMA-D8 
gaming computer for libre gaming in a VM or otherwise.

My laptop recs:
Lenovo G505S (best choice) - no ME/PSP + open source silicon init

Lenovo T420 (performance) - ME cleanable + open source silicon init - 
Can play new games via an ExpressCard EGPU
Lenovo X230 (mobility) - ME cleanable + open source silicon init
The T420 supports the better ivy bridge CPU's via coreboot, installing 
coreboot also removes the silly thinkpad wi-fi whitelist.
If you get the X230 you may wish to install the better x220 keyboard mod.

I still don't understand as to why purism didn't simply use the AMD FT3 
like the G505S, when they released their first laptop it was brand new 
and very fast...now it is not as fast as skylake but still more than 
good enough to be useful and definitely better than "free someday in the 
future" wintel.

I don't include the novena on this list due to it not having an IOMMU, 
although it does have open source firmware.

My desktop rec:
KCMA-D8 (entirely libre, no ME/PSP, can play the latest games at high 
settings in a VM with a 4386 CPU and a VM attached graphics card)
> Where can I download the source code to understand how it is disabled intel
> ME?
> Thank you
They use a software called me_cleaner (not made by them) to "clean" the 
ME blob, it is available in the coreboot tree and the v4.6 tarball and 
can be ran on almost any laptop that doesn't have the boot guard 
anti-feature[1] no matter if it supports coreboot or not.

It is impossible to disable ME/PSP[2], Intel/AMD intentionally made them 
integral to the boot process they even bring up the main CPU - even 
google was not able to convince them to open source ME and/or and 
provide a method to truly disable it.

On purisms laptops the ME kernel is still running and it still inits the 
main CPU pre-BIOS, if it was disabled one could not only remove the full 
ME blob from the firmware but also physically disconnect the ME core - 
neither of which one can do on any modern intel platform.

There are many companies that sell legitimately owner controlled 
hardware so it can be done just not with brand new x86-64 - let us hope 
purism uses the proceeds from their not-really-libre laptops to produce 
something worthwhile.

[1] An anti-feature is something that negatively benefits you, in this 
case "boot guard" takes away the ability to modify your firmware making 
a modern intel platform controlled 100% by intel and 0% by you vs an 
intel system from 10 years ago that was 100% you, an IBM POWER 9 system 
(ex: TALOS 2) which is 100% owner controlled by you or an AMD system 
pre-PSP (around pre-2013) which is 100% you.

[2] AMD has PSP on their new stuff which is equivilant to ME and just as 
terrible