[coreboot] Remote security exploit in all 2008+ Intel platforms

Thu May 11 19:18:09 CEST 2017

> The text on those pages does say that the BIOS is "not yet freed" and
that it depends on the FSP, and the comparison tables
> do specifically say that the BIOS is not yet free (it says "almost"
because Todd thought it was almost done, but due to the
> issues with coreboot contributors I mentioned above, it didn't happen,
and that's an unforeseen hurdle, since there apparently
> was good progress on the port by that time).

OK, Youness, let me put things in perspective.

Regarding your statement above: All BIOSes released at least from last 5
years ago till now are UEFI compliant. With CSM (Compatibility Support
Mode) ON, if anyone does NOT understand UEFI, (s)he can accomplish legacy.

Todd is NOT a technical person, it is very obvious. He does not understand
what all of these statements mean. FSP is essential part of BIOS, which
covers SEC and most of PEI phases. Everything else is released as Tiano
Core, Open Source project. The MOST important part of BIOS (no matter if
the BIOS is UEFI compliant or not), is actually FSP part, which INTEL will
NEVER release as Open Source. Unless some higher marketing/sales forces
will push INTEL to start failing in profits... And I expect this to happen.

Then you can expect unexpected! ;-)

Zoran Stojsavljevic
_______

On Thu, May 11, 2017 at 3:56 AM, Youness Alaoui <
kakaroto at kakaroto.homelinux.net> wrote:

> Thanks Peter, well said! I enjoyed that little graphic too :)
> @Taiidan, I hadn't thought of PAVP, but the idea is to remove/neutralize
> the ME entirely, not to intercept its messages.  If we take control of the
> ME, we'll probably just call 'halt' to make sure that core is disabled. I
> don't see how that affects the DMCA.
> Either way, the DMCA exception is still there for our purposes, even if
> that wasn't what we were doing.
> As for your FX-2 idea, I already explained my thoughts on that.
>
> @Nico, Thanks for a civil and interesting response, I'll reply inline to
> your comments below, but a disclaimer, the things I'm saying below are my
> own opinions and interpretations on things, and a lot of it is based on
> things I've heard. The accuracy of what I heard, which is often a second
> hand account of events, may not be 100%, so keep that in mind.
>
> On Wed, May 3, 2017 at 3:45 PM, Nico Huber <nico.h at gmx.de> wrote:
>
>> On 03.05.2017 01:39, Youness Alaoui wrote:
>> > to answer Nico's other post:
>> > I'm quite surprised and disappointed by your answer. You have every
>> right
>> > to say that you are disappointed or distrusting Purism due to past
>> actions,
>> > but I find it harsh for you to be repeatedly saying "fraud" and
>> "scammed"
>> > when that is not the case at all. I think Ron has responded quite well
>> to
>> > that and said exactly what I wanted to say, there is a difference
>> between
>> > being naive and underestimating the task, vs actively "trying to scam
>> > people". If they were scamming people, they wouldn't have shipped any
>> > product and they wouldn't have reimbursed those who changed their mind
>> or
>> > were unsatisfied with what they got, and actually, I wouldn't even have
>> > been contracted in the first place.
>>
>> Finally! I was hoping for some statement like this. I didn't know about
>> any reimbursement taking place. See, what was publicly visible was some
>> drawing of customers away from free firmware supporting vendors. Amend-
>> ments were not publicly visible, FWIW. OTOH, the way you wrote it im-
>> plies that only those who complained got a refund, or was the reimburse-
>> ment an explicit offer?
>>
>
> Yes, there were reimbursements. How the reimbursements have taken place, I
> don't know, but I know that some got refunds, some got upgrades,
> downgrades, sidegrades, etc.. depending on what the customer wanted. I know
> that Purism has been struggling for a bit (one of the reasons most of the
> employees are volunteers) as it was lacking funds (hence the recent
> kickfurther for the v2 stock). Customers who had the highest requirements
> and expectations for the touchpad requested reimbursements and got them.
> The original campaign promised a great touchpad experience, unfortunately
> the touchpads of the first batches of laptops (before the one currently
> being made) did have limitations. While those touchpads do work, they're
> not the ultimate user experience, and Purism hasn't had the time and
> resources to work on fixing that driver (I was originally going to
> reverse engineer the BYD driver, but instead I was thrown into working on
> coreboot).
> I don't have any other details on how it happened, it it was an explicit
> offer, if there are conditions, etc.. If you're curious, you can drop in
> #purism and ask your questions, I'm sure there are people more
> knowledgeable than me that can answer you.
>
>
>> > Attributing to malice what was the result of honest mistakes, while you
>> > know how complex this is both on the software and hardware side, is why
>> > your tone was disappointing. Careless name-calling leads to people
>> getting
>> > hurt and flame wars and all that.
>>
>> Carelessly promising free software (that is impossible to deliver) with
>> the name of free projects on it... I think that was a huge offense to
>> many developers. Don't you think that hurt people too? So don't tell me
>> I started this.
>>
>>
>
> I never said you started anything, and yes, using some FOSS project's
> reputation to boost your own by association when there really wasn't any
> contribution is cause for anger and disappointment, I never said otherwise
> either. The only thing that I said is that there's a difference between
> being naive and making unintentional mistakes versus being a scammer and
> intentionally misleading people. Eventually people have to forgive past
> mistakes, especially if they were unintentional and efforts are made to
> move things in the right direction (which it is now afaik). I agree with
> you though that past mistakes have to be owned up by those who made them,
> and apologies should be made. You (and everyone else) doesn't owe Purism
> anything, so you don't have to accept their excuses either, but it's just
> better when everyone is on good terms I think.
> Like I told you in my first email, you have every right to be disappointed
> and mistrusting of Purism due to their past mistakes, that is not up for
> debate.
>
>
>> > I would just like to answer you with a few more items that I believe are
>> > true (I may be mistaken myself as I'm still quite new to Purism):
>> >
>> >    - Everything that was promised is still on the roadmap and a
>> >    work-in-progress (as far as I know), so it's more of an issue of
>> missing
>> >    the deadlines/estimates rather than not wanting to deliver anything
>> that
>> >    was promised. The "Vision" of the company in an initial crowdfunding
>> >    campaign does not mean "this is an immediately attainable milestone".
>>
>> We all knew it wasn't attainable in the first place. Also the original
>> promises implied that no money would flow into proprietary software. How
>> can that still be on the roadmap for machines sold years ago?
>>
>
> I don't know anything about that to be honest. If you're referring to the
> royalty fee for AMI BIOS, then yeah, I'm pretty sure they did get their
> royalty paid since it came preloaded with it (it's probably just cents
> anyways), but if it was instead in reference to paying for a windows
> license that you don't need, then I'm pretty sure that nobody paid for
> that. Was it an explicit promise or an implied promise ? And was that
> promise maybe misunderstood (a promise meant to the general population who
> thinks about windows licenses, but you misinterpreted it as bios royalty,
> since that's what you are more interested in) ? Sometimes it's easy to have
> expectations tailored to your own thoughts/needs and end up disappointed
> because the person on the other end didn't have the same expectations as
> you.
> I've been looking everywhere and I can't find a single reference to
> anything like that, whether expressed or implied about any kind of money
> flow.
> https://www.crowdsupply.com/purism/librem-13
> https://www.crowdsupply.com/purism/librem-15
>
>
>>
>> >    - The priority was to actually have a working product before working
>> on
>> >    its coreboot port (wouldn't you agree that makes more sense?) There
>> were a
>>
>> That makes a lot sense and I guess nobody would complain if it had been
>> advertised as selling a Linux machine to get things started.
>>
>
> Well, it's not just a linux machine,  it's a linux machine that is focused
> on security on privacy. I'll come to that later below, but to answer just
> that, I think that the error here is that Todd was overoptimistic,
> overenthusiastic, and he missed his deadlines. Again, it's a matter of
> malice vs mistake. It wasn't advertised as a linux machine because it was
> never meant to be just that. There was a lot of attempt at getting it
> ported to coreboot from the start but things didn't go as well as
> anticipated, so he had to either compromise, or go bankrupt and truly
> scam/break his promise by not shipping anything to anyone. I'm sure it
> would have been advertised differently if he could have anticipated how
> things were going to happen.
>
>
>
>> >    ton of issues to solve with production/delivery to begin with, and
>> Purism
>> >    is understaffed (most are volunteers as far as I know, and people
>> with the
>> >    skills to do a coreboot port are quite rare, as you know... and some
>> that
>> >    Purism hired before went dark). It would have been useless to focus
>> all
>> >    efforts on coreboot for a hardware product in the making. Purism
>> brought me
>> >    on and I had no knowledge of coreboot... let that sink in for a
>> minute:
>> >    people able and willing to do that work are so rare that they had to
>> train
>> >    one from scratch!
>>
>> They never asked publicly in the coreboot community for help. Let that
>> sink. Who says I wouldn't have taken the job?
>>
>
> I'll disagree with this one here. Todd actually asked for the coreboot
> community for help in August 2014, before the crowdfunding campaign. Here's
> the archive thread: https://mail.coreboot.org/pipermail/coreboot/2014-Au
> gust/078511.html
> The link to that was in the timeline page I linked before which explains a
> lot of it : https://puri.sm/coreboot/timeline/
> You can read through it if you want, but a quick read through tells me
> that Todd sought help, was then told that reverse engineering is possible
> to get it blob free, and that it would just take time, and that both intel
> and AMD were going to have the same kind of binary issues. Someone
> suggested ARM but Todd said that it was too late to change the
> architecture. I think that a lot of the statements he originally made were
> also due to discussions with Intel which looked promising and he thought
> that having an ME-less design was on the board.
>
> What happened after that is that he had hired a coreboot developer who
> then went dark (stopped answering all emails, phone calls, disappeared off
> the face of the earth, etc.. ), then (from what I heard, second-hand
> account again) he hired one or two other coreboot contributors to do the
> port, who ended up dropping the project and got hired by [some big
> corportation]. Then Todd sat down with some other coreboot developers who
> said they couldn't be contracted to work on this because of their
> non-compete agreement with Google (or exclusivity clause or something), so
> Todd donated a bunch of laptops to them to at least help kickstart things.
> Duncan Laurie's initial Librem 13 port came out from that. At that point,
> Todd had a lot of other issues to handle (production issues, had to change
> factories, suppliers, original motherboard design was not shared by the
> previous MB supplier, so he had to work on a new hardware, and negotiate
> for a new MB to be designed), all while he had no stock, so no sales, no
> income, and it takes a lot of money to pay for the MB design, for
> prototypes, and to be back on track again, so the entire coreboot side of
> things had to be put on ice for the time being.
>
> When I was asked to work on coreboot, I was told that I was the perfect
> person for the job (even though I had no prior experience in this) because
> I was independent from the coreboot community, I'm a contractor with no
> one-contract exclusivity plans and no plans of getting a job anywhere, and
> because there was this odd phenomenon where Google was hiring anyone that
> Todd has his sights on (the community is rather small after all). I think
> that was also one of the reasons why I believe he had stopped reaching out
> to the coreboot community for help.
>
>
>
>
>>
>> >    - The reason there is no coreboot port for the original
>> Broadwell-based
>> >    Librem 15 yet is because the most logical approach was to finalize
>> the
>> >    initial work that had been done on the Librem 13 as per Ron's
>> suggestion
>> >    (making the learning curve a bit less steep by not having to start
>> from
>> >    scratch), and then to prioritize work towards the upcoming hardware
>> so
>> >    Purism can attempt to have it ready in time for it to be
>> factory-preloaded
>> >    instead of causing additional trouble for future users. The original
>> Librem
>> >    15 is still going to be ported, but I can't do everything at the
>> same time,
>> >    so things have to be prioritized. After the initial learning curve,
>> I am
>> >    now jumping into the deep end of the coreboot pool by porting a new
>> board
>> >    from scratch, so that's definitely an interesting challenge.
>>
>> I'd be glad to help you with that.
>>
>
> Yes, I know! :)
> You seem to have extreme disappointment or distrust in Purism, but you've
> been nothing but helpful since the start, and I appreciate it. Thanks :)
>
>
>>
>> >    - The reason we want to prioritize the ME vs. the FSP, is because a
>> lot
>> >    more people were interested in getting rid of the ME, so it is a
>> higher
>> >    priority, but the FSP is also going to be reversed eventually and
>> coreboot
>> >    deblobbed entirely.
>>
>> Who are these "lot more people"? Customers? Why not tell them (what I
>> believe is true): Trimming the ME firmware is pointless as long as you
>> don't control the host firmware. I really think you should focus on the
>> x86 processor first. It's obvious that it can run with completely free
>> software (in its ISA) and it's clear what the firmware has to do. Also
>> there are people in the community that have experience with it and can
>> help if you get stuck.
>>
>
> Honestly, I don't know, but that was the impression I got. Purism had done
> a petition for an ME-less design (https://puri.sm/posts/intel-m
> e-less-petition-goal-met-early/) and it was apparently quite successful,
> so there is definitely interest in getting rid of the ME.
>
> I think though that this issue of "ME or FSP first" is completely
> pointless because that's not an issue of empty promises or dishonesty, it
> is an issue of diverging opinion. While you believe that getting rid of the
> FSP is more important, I think that Todd believes the ME is the most
> dangerous item to get rid of first, maybe you can have a chat about this
> subject (we'll both be at the coreboot conference, so we might meet you
> there if you are attending), and maybe one of you will convince the other
> (or not, and that's ok too).
> The way I see it though is that the ME is more dangerous because it runs
> in parallel to you, it's constantly running, even when the PC is powered
> off and it seems to exist mainly for allowing remote attackers (Intel) to
> control the machine, but we really have no idea at all what it does. The
> FSP (from what I understand of it) however, only runs once, it is not
> persistent and we know what it does (initialize specific hardware
> components). Even if the FSP puts some hidden hooks that keep it
> persistent, it would only put it on the same threat level as the ME, not
> above. Even the coreboot wiki puts the ME at a higher panic level than the
> MRC (which I assume the FSP is equivalent to, but I guess it does a bit
> more than the MRC): https://www.coreboot.org/Binary_situation
>
>
>
>> >    - Purism is trying to do the right thing and trying to defend privacy
>> >    and security the best way it can (it even became a Social Purpose
>> >    Corporation to protect that goal)... but instead of saying "You are
>> >    mistaken on this and that, let me enlighten you and help you", you
>> are
>> >    instead bashing and trying to drive it into the ground because, for
>> some
>> >    reason unknown to me, you feel personally slighted by Purism's
>> legitimate
>> >    mistakes? How is that going to help protect people as a whole? It
>> takes
>> >    time to do things right, and being stuck in the past does not help
>> things
>> >    move forward. Give it a chance!
>>
>> I give it a chance. But I really don't understand how people can down-
>> play what Purism did. It would have been legitimate mistakes if they'd
>> stopped making empty promises after they were told that they scam
>> people. But it took way over a year (just looking at archive.org) to
>> stop it. How can that have been a reputable business? (I don't say they
>> aren't now; just want them to admit their past.)
>>
>>
> I think they admit the past mistakes, I don't think that's an issue, you
> just don't see articles written about that. As for how long it took to
> change the website, I would attribute it to "trying to put down the flames
> in the kitchen is more important than answering the phone right now". There
> might also have been some remaining hope maybe that it could still be done.
> Also, I don't think anyone was in charge of that until Jeff Fortin was
> hired to take care of the website, and fix/update the content, etc... So I
> think that it wasn't "making promises knowing they weren't true" but rather
> "there is no one to take care of taking down the old promises that we
> realized were overoptimistic".
>
>
>> >    - What did you see on the website making wrong claims? Let me know
>> and I
>> >    will pass on the message to get it fixed. The info on it is a *lot*
>> more
>> >    accurate than it was a few months ago, and pretty much any
>> coreboot/ME
>> >    claim has clear "work-in-progress" disclaimers along with it (without
>> >    writing a huge wall of text on every page). Give me specifics and
>> I'll
>> >    forward the information to be corrected. I know there is a best
>> effort to
>> >    rectify mistakes and make things clear and unambiguous, if something
>> >    remains unclear it's certainly just an oversight, not malice.
>>
>> Yes, the parts about coreboot really changed. I guess it wasn't easy to
>> write about coreboot without words like "open" or "free" :-/
>>
>> What irritated me the most yesterday was the talking about freedom and
>> chips. The Product page says
>>
>>  "Only by selecting each and every chip in our Librem laptops can
>>   we guarantee your privacy, security and freedom are protected."
>>
>> Given the choice of SoC Purism made, I think it should read more like
>>
>>   By selecting an Intel SoC we trade your privacy, security and freedom
>>   for overall performance.
>>
>> I know there are worth chips but the Intel SoCs are not even a com-
>> promise between privacy/security/freedom and performance they are
>> just the opposite of what the page promises. So why talk about chip
>> selection at all if you have to fool people about it?
>>
>
> I said above that I would talk 'later' about why it's not just a Linux
> machine, but it's a Linux machine with security/privacy in mind, and I
> think this is the perfect place to answer that.
>
> I think the issue here is that you come with a lot of technical background
> tinting your vision, forgetting that not everybody thinks and sees things
> the same way as you. What I mean by that, is that the text that you've read
> was not written specifically for the "hardcore coreboot/hardware
> developer", it's rather meant for the average Linux enthusiast and
> journalists or users interested in security and privacy. That sentence that
> irritated you so much is absolutely true when you put yourself into the
> shoes of the audience it was imagined for:
>
>> "Only by selecting each and every chip in our Librem laptops can we
>> guarantee your privacy, security and freedom are protected."
>
>
> That sentence is true, it's not a lie: Purism *does* have control over the
> choice of every chip in the laptop, it is not a simple reseller of
> white-label laptops like so many others. Purism can decide exactly what
> features and components to put in, like for example, a TPM (making Trammel
> Hudson/Heads happy), or a different ethernet adapter (even though the SoC
> comes with one already, but disabling the integrated Intel ethernet/wifi is
> one of the puzzle pieces allowing to disable AMT). They also decided to use
> the "ene KB3930QF-A1" as EC, which is a well documented one (is it one of
> the only ECs with a full public datasheet?). The Atheros wifi module also
> doesn't require a binary firmware (we are lacking the firmware to make
> Bluetooth work though, which is why Bluetooth was never advertised as a
> feature... there's an open position for someone to reverse/implement the BT
> firmware), etc. There are probably plenty of chips and controllers that
> require a blob to work with Linux, and that sentence is meant to say "We
> make sure to select a good combination of chips that are well supported in
> Linux and do not require a binary firmware to function". I think the
> touchpad controller was a complete miss (it works for basic usecases but
> it's not very well supported in Linux), but the new laptop models come with
> Elantech touchpads that are very well supported in Linux and were chosen
> specifically for that.
>
> Anyways, all that to say: the sentence holds true, you only consider it a
> lie because you focus on the one chip (the CPU) where there is not that
> much choice available, you see the modern Intel CPU and instantly think
> "You're fooling people by telling them that there are no binary blobs in
> the CPU" when the sentence only means, essentially, "we control the chips
> used in the motherboard and choose the best options available". Best option
> does not necessarily mean utopian option.
>
> Someone else might see it as "We control the motherboard and trust this
> particular company, so we're confident there isn't a spy chip in the
> motherboard handing control of your machine over to the nation state"
> (which might be what the original intent of that sentence actually is,
> especially considering there's a warrant canary in place:
> https://puri.sm/warrant-canary/).
>
> I once saw a discussion about how the CIA was planting spy chips on
> motherboards, and Snowden saying that when a laptop/smart TV/whatever is
> being shipped to a "region of interest", the CIA would open the packages
> and install hardware spyware on the motherboards of all the laptops/tvs in
> destination to that region, and there was internal discussion in Purism on
> how to prevent that, such as tamper-evident packaging, providing signed
> pictures of the motherboard before shipment, stuff like that.
>
> I believe that's what makes Purism a "security and privacy focused"
> company. No "Linux-compatible laptop" reseller goes (and can go) to such
> lengths to ensure the security and privacy of their users with brand new
> hardware. If the supplier of <insert random Linux laptop reseller company>
> decided to add a spy chip in their motherboards, they wouldn't know and
> they would have no power over it.
>
> Now, is the current situation perfect? Obviously not, since we still have
> the FSP and ME binaries to get rid of, and who knows what else, but it a
> *lot* more than anyone else is doing as far as I know. And I am talking of
> course of brand new and modern/powerful computers, I am not talking about
> older refurbished laptops or obscure or underpowered hardware. I think the
> advantage of Purism is that it's trying hard to give users what they want
> (so they don't have to compromise on the hardware) and work towards
> achieving the long-term goal, rather than having to take whatever scraps
> are available and compromise on everything else and then just stagnate,
> cross their fingers and hope that Intel/AMD suddenly have a change of heart
> and quickly release a new CPU variant without the recent restrictions
> (ME/FSP/etc.)
>
> So yeah, basically, all I wanted to say is that, the contents that
> irritated you probably only felt irritating because you interpret
> differently from how it was intended to be read. And I also think that you
> (and many others) unfortunately had some high expectations that were not
> actually ever promised. So when those expectations were not met, you were
> disappointed, but you couldn't have realized that those expectations were
> yours only, and never were mentioned or promised by the original campaign.
>
>
>
> I took a while to write this response to you because I wanted to do
> research on the original crowdfunding campaign (which I had never seen
> until this week) and search for any of these "broken promises" that seem to
> get so many people riled up. I realized that the only broken promise was
> that it would ship with coreboot from day one, obviously that objective was
> not met (but coreboot work was never dropped, just delayed), due to the
> various reasons I explained above. Every other criticism I heard however
> (that Purism promised zero binary blobs, no ME and no FSP, or a promise
> that "nowhere at any point in time anybody in the supply chain would get a
> cent related to proprietary software, not even American Megatrends or
> Intel", etc.) was not accurate criticism, I didn't find any such promises
> being made anywhere in those campaigns:
>
> https://www.crowdsupply.com/purism/librem-15
> https://www.crowdsupply.com/purism/librem-13
>
> Personally, as I read the texts and listened to the video of those
> campaigns, I heard two things that made me initially cringe:
> - "meticulously designed chip by chip to work with free and open source
> software"
> - "no binary blob"
>
> But then realized the "chip by chip" thing does not apply to the CPU
> because that was not the point of the Librem, it's not meant to be an ARM
> laptop or an old laptop, it's meant to be a high end laptop and Intel is
> the only choice for that (or was, back in 2014... not sure if it changed
> since). If you search for "chip by chip" in that page though, you'll see
> the explanation for that sentence from the video, and the chips that are
> mentioned are: Audio, Camera, Hubs, Video, Graphics, USB, Network,
> Wireless. The CPU is not shown in that graphic. The text there also
> explains what it means, and it is referring to chips that send information
> without your knowledge.
>
> As for the second sentence where criticism occurs, "no binary blob": I had
> to listen to the video twice before I realized that the whole sentence is
> actually "no binary blob GNU/Linux based operating system". The whole
> "binary blob free" promise of the original campaign was always about the
> kernel not requiring any binary blobs tainting it. Pretty much every other
> recent laptop would use a tainted kernel otherwise the laptop wouldn't work
> correctly, but the Librem doesn't need any binary blobs in the kernel for
> it to function fully. That's what the whole "no binary blobs" deal meant,
> and it goes along with the "every chip is selected to be privacy-respecting
> and firmware-free".
>
> Of course, since I've been so caught up on coreboot and ME-reversing and
> all that, the first two times I listened to the video and heard "no binary
> blobs", I immediately associated it with the ME and FSP, and I missed the
> rest of the sentence. I suspect this tinted interpretation occurred to most
> members of the coreboot community.
>
> Now the question that remains is about the BIOS and coreboot. The text on
> those pages does say that the BIOS is "not yet freed" and that it depends
> on the FSP, and the comparison tables do specifically say that the BIOS is
> not yet free (it says "almost" because Todd thought it was almost done, but
> due to the issues with coreboot contributors I mentioned above, it didn't
> happen, and that's an unforeseen hurdle, since there apparently was good
> progress on the port by that time).
>
> If you read the FAQ however, it states that the librem will come with
> coreboot and that's the delayed (but not broken) promise, but again it also
> specifically says:
>
>> "While the BIOS is not yet free, the Librem 15 will be the first laptop
>> ever manufactured to ship a modern Intel CPU fused to run unsigned BIOS
>> code, allowing for a future where free software can replace the
>> proprietary, digitally signed BIOS binaries. This marks one of the largest
>> hurdles to a laptop that runs 100% free software and firmware".
>
>
> That's all true and it does say that the advantage here is the unfused
> CPU, and that the BIOS not being free yet is "one of" the largest hurdles
> for 100% free software and firmware.
>
> It also says :
>
>>  "In addition to enabling as above the development of free BIOS firmware,
>> we are also working with Intel to allow us to scrub, release, and maintain
>> the source for the FSP, but haven’t finalized that yet. We are devoted to
>> freeing this binary."
>
>
> ...which also indicates that there was work in progress to free the binary
> through a deal with Intel, which didn't pan out so far, but to be fair it
> was specifically saying that this was not a done deal.
>
> Also note that "coreboot" is actually mentioned by name only once in the
> campaign and that was in the FAQ. So it's not like "it comes with coreboot"
> was a big selling point or the project's name was used/abused to boost
> sales or reputation. It was used legitimately because work was ongoing on
> the coreboot port and that was mostly in the technical news updates.
>
> I even found in one of the crowdfunding updates, one of the update states
> at the end:
>
>>  "We will be intensifying our product & service development pace, and we
>> are still working on everything else part of our mission (including the
>> Intel ME issue, achieving FSF endorsement of our software and working
>> toward FSF RYF certification of our hardware in the long term)"
>
>
> So it does say that RYF is a long term goal towards which we're working,
> not an immediate pre-shipping goal.
>
> As for the thing about funds not going to any proprietary software (ie
> ensuring that no royalties would be paid to anything non-free anywhere in
> the hardware supply chain), I couldn't find anything that even hints at it,
> so I'm not sure how or why you thought that was a promise, so if you can
> find something about that, let me know!
>
> Whew, this was a long email. I hope it helped put things in perspective,
> thanks for reading.
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170511/746b5474/attachment.html>