[coreboot] Coreboot Purism BIOS is free? open?

Taiidan at gmx.com Taiidan at gmx.com
Mon Dec 18 04:37:37 CET 2017


On 12/17/2017 09:01 PM, szbnwer at gmail.com wrote:

> hi there! :)
Hi :D
> sooo my understanding says that libreboot is a deblobbed coreboot,
Yes -plus the different politics.
> you say that those machines you mentioned above are 100% owner
> controlled, however i only know lenovo t400 is good for libreboot from
> that list. is this about a misinterpretation of your words, or what?
Yeah it is :[

I included the T420/X230 as they have a few features the G505S lacks 
that he might need - while they are still more free than a purism they 
have ME so they aren't owner controlled.
I wouldn't consider the T400 owner controlled either, although it is 
closer than the T420 etc. While it boots without an ME kernel, I still 
dislike the presence of ME and the non-free EC controller (someone is 
working on a free software replacement for the G505S EC).

All of these below devices have libre firmware besides the G505S which 
currently requires a blob for video and power management, but it is 
still owner controlled due to the absence of hardware code signing 
enforcement.

Owner controlled devices:
Laptops:
Lenovo G505S - average laptop performance
Novena - ARM - slow :[

Workstations/Servers:
KCMA-D8 - medium
KGPE-D16 - high-medium

Ultra High Performance Servers/Workstations:
TALOS 2 (POWER9) - uber fast and a much better price than intel/amd's 
new high end server stuff.
TYAN Palmetto (POWER 8) - fast
IBM Firestone (POWER 8) - very fast

POWER 9 is true computing excellence - owner controlled from top to 
bottom and performance significantly better than x86-64.
> my best image about this is that coreboot is owner controlled but not
> deblobbed, however the possibility is fully opened - is this right? if
> yes, then what parts are not deblobbed and how serious they can be? so
> what could i win/lose by letting go the idea of aiming a libreboot
> machine and choose a coreboot machine instead? (that i dont know when
> i will have enough money for that purpose)
Some coreboot boards are owner controlled some aren't, and there are 
varying amounts of blobs.
If one builds, for instance, the KCMA-D8 with coreboot you have the same 
result as libreboot, as it doesn't need firmware blobs to run unless you 
use a 43xx CPU, which needs a microcode update for security reasons.

You can get a Lenovo G505S for $200, or you can build a KCMA-D8 libre 
gaming PC for $500-1000
> an another question is that ive read about the background of the whole
> hacking game maybe here maybe elsewhere but most likely from mixed
> origins... :D so my understanding says that there is a bunch of
> encryption keys that are unremovable (except by intel) maybe based on
> something like in that case (complete overwrite of everything included
> on the ic that contains the intel me) there is something else that
> will miss the original keys. (id appreciate a cleaner vision about
> this part, for better understanding, but its not the main question) so
> this encryption key is only validating something like headers or
> entrance points to the parts of the intel me but not the contents/body
> of them. the best that core-/libreboot can achieve is to override the
> body parts and we can say then the whole became whitebox and well
> known, or there is a next level after the achieved access to entirely
> remove it?
ME brings up the main CPU on a modern intel platform, no ME no computer.
The ME core validates the ME kernel and on newer systems parts of the ME 
software, ME cleaner removes the parts that aren't validated.

It is de facto impossible to remove/disable ME for a variety of reasons 
and any effort to do so is wasted and better spent on archs that can 
have owner controlled devices such as POWER and ARM.
> i dont even know how flashing going on in practise nor in theory, just
> trying to figure out things around... does it work like total
> copy/write access with the chance of wrecking things around on the
> other hand, or its controlling/limiting its own access, and then one
> should come over it somehow? where me_cleaner works 100% replacing
> could be achieved, just none implemented core-/libreboot yet for the
> other machines in the range of a specific range of intel me version?
I am not really sure what you mean due to the language barrier.
> so many thanks for any kinda help and all the bests for everyone around here!
Yeah feel free to ask any questions :]



