[coreboot] T450S + Coreboot

Mike Banon mikebdp2 at gmail.com
Tue Aug 28 16:56:04 CEST 2018

Hi Nico,

Although it can't be denied that I'm a bit biased here (since I own
that G505S), I'm less critical towards G505S blobs partially because
some of these blobs are indeed completely optional (e.g. xHCI - never
used it; microcode - is optional if you don't need a stable low level
Xen HVM virtualization) while others have been studied very well - to
a point where the almost working opensource replacements of them have
been created. For example, AtomBIOS -
https://github.com/alterapraxisptyltd/openatom , also it could be
disassembled quite well with AtomDis -
https://github.com/mikebdp2/AtomDis - reducing any security concerns
regarding this blob to a minimum.

Also there aren't any blobs which are locked down and could not be
replaced completely, so currently that seems to be the most powerful
laptop which has some chance to be FSF RYF'ed eventually. Meanwhile,
as far as I know its impossible to completely replace ME, only to trim
its' firmware as much as possible and hope for the best that it
doesn't have some undocumented "backdoor restore" mechanism that could
restore the original uncut blob under some conditions. Undoubtedly,
Intel ME is a backdoor, e.g. because it contains some antitheft
features which could be used to control your computer remotely: shut
it down, wipe or retrieve data from it, etc

On Tue, Aug 28, 2018 at 11:20 AM Nico Huber <nico.h at gmx.de> wrote:
> Hi Mike,
> please don't spread FUD on this list.
> On 28.08.2018 09:54, Mike Banon wrote:
> > And even if there weren't any problem with Intel Boot Guard, its not
> > that easy to add a support for new board (impossible to do it over
> > weekends, especially for the newcomers).
> The T450s would probably benefit a lot from the existing support for
> ThinkPads. But Broadwell really isn't a weekend port (Sandy or Ivy
> Bridge would be for a ThinkPad) because we have few Broadwell ports
> and an ugly blob situation.
> Anyway, chances are close to 100% that the T450s has BootGuard in
> verification mode.
> > If I were you I would have
> > sold these T450S and bought some machine already supported by
> > coreboot. It could be one of those Intel Thinkpads (although you'll
> > have to spend time cleaning Intel ME)
> You don't *have to* spend time cleaning the ME, you *can* spend time
> with it. It is actually unknown if that lowers or highers security,
> so there is really no reason to advice to do it (unless you need more
> flash space for fancy stuff).
> > or maybe Lenovo G505S quadcore
> > AMD laptop which doesn't have any Intel ME / AMD PSP backdoors in its'
> > CPU at all - so no need to clean anything.
> The G505s requires a lot of other blobs, IIRC: xHCI (optional), AtomBIOS
> for GFX (which even runs in the OS on the host CPU), maybe more I don't
> remember. I don't see how that is better (you seemed to want to sell
> that by only stating absence of blobs, ignoring those it has instead).
> Nico

More information about the coreboot mailing list