[coreboot] Remote security exploit in all 2008+ Intel platforms

Nico Huber nico.h at gmx.de
Wed May 3 21:45:30 CEST 2017 

On 03.05.2017 01:39, Youness Alaoui wrote:
> to answer Nico's other post:
> I'm quite surprised and disappointed by your answer. You have every right
> to say that you are disappointed or distrusting Purism due to past actions,
> but I find it harsh for you to be repeatedly saying "fraud" and "scammed"
> when that is not the case at all. I think Ron has responded quite well to
> that and said exactly what I wanted to say, there is a difference between
> being naive and underestimating the task, vs actively "trying to scam
> people". If they were scamming people, they wouldn't have shipped any
> product and they wouldn't have reimbursed those who changed their mind or
> were unsatisfied with what they got, and actually, I wouldn't even have
> been contracted in the first place.

Finally! I was hoping for some statement like this. I didn't know about
any reimbursement taking place. See, what was publicly visible was some
drawing of customers away from free firmware supporting vendors. Amend-
ments were not publicly visible, FWIW. OTOH, the way you wrote it im-
plies that only those who complained got a refund, or was the reimburse-
ment an explicit offer?

> Attributing to malice what was the result of honest mistakes, while you
> know how complex this is both on the software and hardware side, is why
> your tone was disappointing. Careless name-calling leads to people getting
> hurt and flame wars and all that.

Carelessly promising free software (that is impossible to deliver) with
the name of free projects on it... I think that was a huge offense to
many developers. Don't you think that hurt people too? So don't tell me
I started this.

> I would just like to answer you with a few more items that I believe are
> true (I may be mistaken myself as I'm still quite new to Purism):
> 
>    - Everything that was promised is still on the roadmap and a
>    work-in-progress (as far as I know), so it's more of an issue of missing
>    the deadlines/estimates rather than not wanting to deliver anything that
>    was promised. The "Vision" of the company in an initial crowdfunding
>    campaign does not mean "this is an immediately attainable milestone".

We all knew it wasn't attainable in the first place. Also the original
promises implied that no money would flow into proprietary software. How
can that still be on the roadmap for machines sold years ago?

>    - The priority was to actually have a working product before working on
>    its coreboot port (wouldn't you agree that makes more sense?) There were a

That makes a lot sense and I guess nobody would complain if it had been
advertised as selling a Linux machine to get things started.

>    ton of issues to solve with production/delivery to begin with, and Purism
>    is understaffed (most are volunteers as far as I know, and people with the
>    skills to do a coreboot port are quite rare, as you know... and some that
>    Purism hired before went dark). It would have been useless to focus all
>    efforts on coreboot for a hardware product in the making. Purism brought me
>    on and I had no knowledge of coreboot... let that sink in for a minute:
>    people able and willing to do that work are so rare that they had to train
>    one from scratch!

They never asked publicly in the coreboot community for help. Let that
sink. Who says I wouldn't have taken the job?

>    - The reason there is no coreboot port for the original Broadwell-based
>    Librem 15 yet is because the most logical approach was to finalize the
>    initial work that had been done on the Librem 13 as per Ron's suggestion
>    (making the learning curve a bit less steep by not having to start from
>    scratch), and then to prioritize work towards the upcoming hardware so
>    Purism can attempt to have it ready in time for it to be factory-preloaded
>    instead of causing additional trouble for future users. The original Librem
>    15 is still going to be ported, but I can't do everything at the same time,
>    so things have to be prioritized. After the initial learning curve, I am
>    now jumping into the deep end of the coreboot pool by porting a new board
>    from scratch, so that's definitely an interesting challenge.

I'd be glad to help you with that.

>    - The reason we want to prioritize the ME vs. the FSP, is because a lot
>    more people were interested in getting rid of the ME, so it is a higher
>    priority, but the FSP is also going to be reversed eventually and coreboot
>    deblobbed entirely.

Who are these "lot more people"? Customers? Why not tell them (what I
believe is true): Trimming the ME firmware is pointless as long as you
don't control the host firmware. I really think you should focus on the
x86 processor first. It's obvious that it can run with completely free
software (in its ISA) and it's clear what the firmware has to do. Also
there are people in the community that have experience with it and can
help if you get stuck.

>    - Purism is trying to do the right thing and trying to defend privacy
>    and security the best way it can (it even became a Social Purpose
>    Corporation to protect that goal)... but instead of saying "You are
>    mistaken on this and that, let me enlighten you and help you", you are
>    instead bashing and trying to drive it into the ground because, for some
>    reason unknown to me, you feel personally slighted by Purism's legitimate
>    mistakes? How is that going to help protect people as a whole? It takes
>    time to do things right, and being stuck in the past does not help things
>    move forward. Give it a chance!

I give it a chance. But I really don't understand how people can down-
play what Purism did. It would have been legitimate mistakes if they'd
stopped making empty promises after they were told that they scam
people. But it took way over a year (just looking at archive.org) to
stop it. How can that have been a reputable business? (I don't say they
aren't now; just want them to admit their past.)

>    - What did you see on the website making wrong claims? Let me know and I
>    will pass on the message to get it fixed. The info on it is a *lot* more
>    accurate than it was a few months ago, and pretty much any coreboot/ME
>    claim has clear "work-in-progress" disclaimers along with it (without
>    writing a huge wall of text on every page). Give me specifics and I'll
>    forward the information to be corrected. I know there is a best effort to
>    rectify mistakes and make things clear and unambiguous, if something
>    remains unclear it's certainly just an oversight, not malice.

Yes, the parts about coreboot really changed. I guess it wasn't easy to
write about coreboot without words like "open" or "free" :-/

What irritated me the most yesterday was the talking about freedom and
chips. The Product page says

 "Only by selecting each and every chip in our Librem laptops can
  we guarantee your privacy, security and freedom are protected."

Given the choice of SoC Purism made, I think it should read more like

  By selecting an Intel SoC we trade your privacy, security and freedom
  for overall performance.

I know there are worth chips but the Intel SoCs are not even a com-
promise between privacy/security/freedom and performance they are
just the opposite of what the page promises. So why talk about chip
selection at all if you have to fool people about it?

Nico

More information about the coreboot mailing list