Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Todd Weaver
On Sun, 2017-12-24 at 01:30 -0500, Youness Alaoui wrote:
> I think people buying a TALOS 2 and people buying a Librem are two
> very distinct types of people. I very much doubt that someone has
> ever had to decide between buying a Librem and a TALOS.

I think this is correct as well.

> > > > > A good summary is that we want to "bring
> > > > > blob-free to the hardware that people want", rather than
> > > > > "bring
> > > > > blob-free hardware to the people who want it".
> > This is great; and I may quote you on that :)
> 
> Yeah, Todd, you can quote me. I also really liked that when I thought
> of it :p

Funny, it also helps define the different approaches succinctly.

> And thanks for answering Nico's questions and correcting my
> statements. I didn't even know an i.mx8 librem 13/15 had already been
> thought of, that's pretty cool if it's in the plans!

It is early yet, but on the Librem 5 hardware side (not coreboot
related), it has been discussed as the follow-on to phone mobo design.

Todd.

-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Alberto Bursi
Meh, Intel ME is necessary for x86 platform initialization. Without ME 
the PC does not start at all.

Anyway, the ME is used to provide third parties with control and "security" 
over the user's system by cutting out the middleman (board firmware). 
Due to technical reasons they added all this functionality in a single 
place, because it would be silly to have 3 different hardware backdoors 
when you can just have one doing 3 different things.

On consumer PCs it provides DRM, and on office PCs it provides limited 
(but quite useful) remote management, plus more (it can execute a 
customer's dedicated java applications on its own integrated JVM, for 
example).

For example I've seen some Dell PCs that had integrated some kind of 
third party anti-theft functionality inside their UEFI firmware, where 
you would license a third party software and then connect your PC's UEFI 
firmware to their servers or something, so when it is stolen it can 
still be tracked whenever it connects to the internet again.
Don't know if this feature is using the Intel ME, but it is an example 
of a feature the OEM might want to add to their products.

Intel themselves also added random stuff to the ME (like advanced fan 
speed control), just because they had a relatively powerful processor in 
there, so why not add more features to it. See here: 
https://en.wikipedia.org/wiki/Intel_Management_Engine#Modules

Does the industry ask for this? Maybe. What is sure is that Intel thinks 
that this backdoor thingy offers features their customers want or might 
find interesting to add features to their products. These features 
should be the ones sought after by end users.

And "Customers" in this case are companies designing PCs and embedded 
systems with Intel products. Not people, end users. End users buy 
motherboards or PCs from Intel's customers.

Note that ARM provides TrustZone, which is something like Intel ME, but 
is a generic feature, the OEM can do whatever it wants with it, even 
disable and not use it at all.
AMD mindlessly followed in Intel's footsteps by integrating ARM cores 
running the TrustZone feature, and calling this Platform Security Processor.

So it's not just Intel that thinks its customers might want more control 
over the products they sell to the end user. Maybe they are all 
misguided. Maybe not.

Remember, it does not matter what is actually real, but what company 
managers think is real.

There are many people who still think that "secret" is "safe", and who 
do not understand that software will have bugs, that it's only a 
matter of time before it becomes vulnerable.

For example, HDCP (HDMI cable antipiracy feature) is still in use even 
if it was (and is) regularly busted by $30 devices. Not even for 
pirating, usually it is busted because it is causing compatibility 
issues in devices.

The people in charge of government agencies in the US know better, at 
least. They asked for a ME feature to disable it in the hardware with 
High Assurance Platform certification.
And due to Intel being cheap, this switch is available in all MEs after 
version 11, Intel didn't make a custom ME only for the US government. 
Currently it requires using external tools to edit the setting on the 
motherboard's flash chip (or being an OEM), same as the older method of 
nuking modules manually.


I hope I helped you understand the most likely reasons why ME exists.

-Alberto


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread echelon
As a businessman what do you answer when in a commercial meeting with Intel they 
tell you:
"Okay man, you got the HAP bit and obviously your users are happy with that.. 
Your products are great and are selling like no tomorrow and no user ever comes 
back complaining that the ME "isn't completely disabled". Aren't they?.. So why 
are you pissing us again with your unreasonable requests about the ME? You know 
very well that this question is not negotiable for us. What about giving you a 
price break for the next batch of Intel components you want to buy and be done 
with that?.."



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Todd Weaver
On Sat, 2017-12-23 at 23:32 -0500, taii...@gmx.com wrote:
> You will never have that type of leverage, if google can't pull it
> off then no one can.

There are a lot of assumptions you are making.

First off, having leverage doesn't only mean with Intel, it also means
with competitors or alternatives; we are fighting for user freedom and
ethical computing. Having leverage is better than no leverage.

Second, I'm not convinced Google's goals were exactly that, so saying
"If Google can't pull it off then no one can." is a defeatist attitude.
You may as well say "nobody has done it, so nobody can." There are a
lot of avenues to take, and giving up before attempting is of no
interest to me.

> Even the NSA only got HAP, not a CPU without ME all together and the
> US government probably spends hundreds of millions with intel every
> year.

Sure, but that may have been what they asked for. Projecting the NSA's
request to be what you would have asked for is a huge assumption.
"Which makes an 'ass' out of 'u' and 'mption'." :)

> x86-64 will always have ME/PSP and it simply can't be disabled,

It can be disabled, but I suppose you are meaning that it can be re-
enabled again via software update; but we have plans (and will be
releasing) the ability to measure the ME region (via TPM) to flag any
re-enablement attempts. Disable ME, measure it is tampered with, notify
tampering (via coreboot+TPM+Heads).

NOTE: This is not "removal" which is the process of never initializing
the ME, which is the end goal for user freedom. This term is how we
distinguish between the progress being made, as we clearly posted
previously.

> pretending otherwise is doing a disservice to many who look to the
> big shots for advice and pipe dreams like that being spread to the
> masses are the main reason I dislike purism so much.

Our approach is to grow, gain leverage, and influence positive change.
Everything we do is about creating ethical computing; and we will
continue to do so. You are more than welcome to dislike our path or
approach, even though it sounds like we share the same end-goal.


> People will think "well gee why buy an actually-libre-right-now TALOS
> 2 when I can simply wait a few years when the eggheads have cracked
> ME and I can keep getting cheap soul-less computers" as tim said the
> discovery of HAP etc probably set back libre computing a decade.

This is projecting an individual opinion onto others, our users are not
buying Librem laptops over Talos 2, they're drastically different
products, prices, and capabilities.

Todd.
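Both the HAP switch Alberto describes above and Todd's plan to measure the ME region and flag re-enablement can be checked on a flash dump (for example one read with flashrom). The following is an added example, not Purism's, coreboot's or Heads' code: it parses the Intel Flash Descriptor (signature at offset 0x10, as Youness notes later in the thread), reads the HAP strap and hashes the ME region against a stored baseline. The descriptor field offsets and the HAP location (PCHSTRP0 bit 16, ME 11+) are the ones me_cleaner and ifdtool use and are assumed here; the sample image is constructed in the code, not a real dump.

```python
"""Added example: locate the ME region in an Intel Flash Descriptor, read the
HAP strap, and measure the ME region so that a later re-enablement or
modification can be flagged (the coreboot+TPM+Heads idea from the thread,
done offline on a dump).  Field layout assumed from ifdtool/me_cleaner."""
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A   # descriptor signature, found at offset 0x10
REGION_ME = 2                # FLREG index of the ME region (0=desc, 1=BIOS)
HAP_BIT = 1 << 16            # bit 16 of PCHSTRP0 (assumed, ME >= 11)


def parse_descriptor(image):
    """Return ({region_index: (base, limit)}, hap_bit_set) for a flash image."""
    sig, = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # flash region base address
    fpsba = (flmap1 & 0xFF) << 4          # PCH strap base address
    regions = {}
    for idx in range(5):                  # desc, BIOS, ME, GbE, platform data
        reg, = struct.unpack_from("<I", image, frba + 4 * idx)
        base = (reg & 0x1FFF) << 12
        limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base <= limit:                 # base > limit marks an unused region
            regions[idx] = (base, limit)
    pchstrp0, = struct.unpack_from("<I", image, fpsba)
    return regions, bool(pchstrp0 & HAP_BIT)


def measure_me_region(image):
    """SHA-256 of the bytes the descriptor assigns to the ME region."""
    regions, _ = parse_descriptor(image)
    base, limit = regions[REGION_ME]
    return hashlib.sha256(image[base:limit + 1]).hexdigest()


def check_image(image, baseline_digest, expect_hap):
    """Compare a dump against a recorded baseline; empty list means unchanged."""
    findings = []
    regions, hap = parse_descriptor(image)
    if hap != expect_hap:
        findings.append("HAP bit changed: now %s" % ("set" if hap else "clear"))
    if REGION_ME not in regions:
        findings.append("ME region missing from descriptor")
    elif measure_me_region(image) != baseline_digest:
        findings.append("ME region measurement differs from baseline")
    return findings


def build_sample_image(hap_set=True, me_fill=b"\x11"):
    """Constructed 64 KiB image (not a real dump): descriptor 0x0-0xFFF,
    ME 0x1000-0x7FFF, BIOS 0x8000-0xFFFF, FLREG table at 0x40, straps at 0x100."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<II", img, 0x14, (frba >> 4) << 16, fpsba >> 4)

    def flreg(base, limit):
        return ((limit >> 12) << 16) | (base >> 12)

    struct.pack_into("<IIIII", img, frba,
                     flreg(0x0000, 0x0FFF),    # descriptor
                     flreg(0x8000, 0xFFFF),    # BIOS
                     flreg(0x1000, 0x7FFF),    # ME
                     0x00001FFF, 0x00001FFF)   # GbE, platform data: unused
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap_set else 0)
    img[0x1000:0x8000] = me_fill * 0x7000
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    baseline = measure_me_region(good)           # record this at disable time
    print("baseline ok:", check_image(good, baseline, expect_hap=True) == [])
    tampered = build_sample_image(hap_set=False, me_fill=b"\x22")
    print("findings:", check_image(tampered, baseline, expect_hap=True))
```

On real hardware the baseline digest would be extended into a TPM PCR at boot so that the check happens before the OS runs; this script only shows the offline comparison.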


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Peter Stuge
eche...@free.fr wrote:
> No you didn't answer my question Peter, sorry!..

Sorry - I misunderstood.


> I simply don't understand (and this is why I pollute the coreboot
> ML with this blah-blah..) why ALL (I insist on capital letters
> _ALL_) the systems (consumer/office even ..  industrial..) have to
> have this kind of ..  "technology" activated ALL the time (at least
> from the Intel/AMD point of view)??

Only they know, and neither has a reason to publicize it.

I guess it is simply because it's much more complex to have two
products which are almost the same, than to have just one.


> (And for the fact that consumer devices outnumber
> office/industrial/governmental devices, I will belive you when I
> see REAL statistics, sorry!..)

I'm really sorry if it seemed like I was stating a fact - I was
merely guessing!


//Peter



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread echelon
 By the way you said : "ODMs/OEMs are the real customers of Intel/AMD" and 
"Intel/AMD serve them law" (which law???)
 I have a scoop : a friend of mine happened to work in the marketing department 
of a (very large) OEM, and speaking about ME he told me that Intel OBLIGED them 
to adopt and integrate the ME! (in the beginning the OEM guys were reluctant..)
 Of course this is only "street whispering" (and I will not force you to buy 
this..) but, but, as we say in Romanian "there is no smoke without fire..." ;-)
Just my 2 satoshis..
  Florentin





Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread echelon
 No you didn't answer my question Peter, sorry!..
 I am NOT questioning the "legitimacy" of ME/PSP (be it from a purely 
corporate/financial point of view..). (By the way I have no "legitimacy" myself 
to put this question of "legitimacy" to begin with..)
 I simply don't understand (and this is why I pollute the coreboot ML with this 
blah-blah..) why ALL (I insist on capital letters _ALL_) the systems 
(consumer/office even .. industrial..) have to have this kind of .. 
"technology" activated ALL the time (at least from the Intel/AMD point of 
view)??
 For me this is simply irrational!.. Period!..
(And for the fact that consumer devices outnumber 
office/industrial/governmental devices, I will believe you when I see REAL 
statistics, sorry!..)
  Florentin




Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Peter Stuge
eche...@free.fr wrote:
> (can we anymore speak about "owner"?..)

We can and we must, if we want to own anything at all.

Don't get tricked into merely consuming services and products;
take ownership and shape your reality.


eche...@free.fr wrote:
> But what has Netflix (or Sony, or the entertainment industry in
> general...) to LEGALLY gain by strongarming Intel/AMD to keep
> ME/PSP activated on all x86 platforms (not only consumer ones!..)?

Philipp Stanner wrote:
> I don't get it, too.  ME has nothing to do with what you can do
> with your machine and what it can perform.
> 
> Even if 90% of users use their machine for multimedia purposes...

Follow the money. What drives Intel sales? We can't know. Who are the
strongest partners officially? That would be Microsoft (with Windows)
and ODMs/OEMs. Intel serves them, by law.

I guess that consumer devices significantly outnumber office devices. 
That's where the content industry comes into play.


MSFT wants UEFI Secure Boot, so that OEMs are not required to deliver
security.

Content industry wants PAVP, so that hardware owners can not legally
access unencrypted versions of the content.

ME is Intel's answer to both those requirements and a few more, as
described pretty clearly in the PSTR[1] book.

And the DMCA and EUCD legal foundations align (un?)surprisingly well
with the technical implementation details.


//Peter

[1] http://www.apress.com/9781430265719



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread Philipp Stanner
I don't get it, too. ME has nothing to do with what you can do with your 
machine and what it can perform.

Even if 90% of users use their machine for multimedia purposes...



-- 
This message was sent from my Android device with K-9 Mail.

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-24 Thread echelon
Yes Peter
But what has Netflix (or Sony, or the entertainment industry in general...) to 
LEGALLY gain by strongarming Intel/AMD to keep ME/PSP activated on all x86 
platforms (not only consumer ones!..)?
(I can see other motivations.. but I keep the hypothesis that the entertainment 
industry has only morally acceptable principles in dealing with the cpu 
manufacturers..)
No matter if the "user" (can we anymore speak about "owner"?..) intends to 
"watch Netflix in high resolution" or not at all?
Excuse me but I insist : REALLY for >50% of the PC users nowadays the primary 
usage of their PC is to watch Netflix (or play (legally..) acquired games)?.. 
I'm waiting for the stats..
 Florentin


- Original mail -
From: Peter Stuge <pe...@stuge.se>
To: coreboot@coreboot.org
Sent: Sun, 24 Dec 2017 00:00:03 +0100 (CET)
Subject: Re: [coreboot] Coreboot Purism BIOS is free? open?

Ivan Ivanov wrote:
> Could it be the requirement of US Government - for all the consumer
> CPU to have backdoors ?

I guess that the private sector is a much stronger force...


Nico Huber wrote:
> watch Netflix in high resolution


//Peter




Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Youness Alaoui
On Sat, Dec 23, 2017 at 11:32 PM, taii...@gmx.com  wrote:
> On 12/23/2017 07:16 PM, Todd Weaver wrote:
>
>> Intel did not mislead, we told them, and continue to, that we _want_ an
>> ME-less design (which is their term for what we asked for). And as we
>> grow our leverage will grow, and our influence will grow. This is a
>> long-term strategy and is playing out as planned.
>>
>> They will not adjust based on small quantities, but quantity =
>> leverage, and our influence changes as volumes grow. (e.g. $ =
>> influence)
>
> You will never have that type of leverage, if google can't pull it off then
> no one can.

Yeah, I agree with you on that, I don't think any leverage could make
Intel budge on that at this point.

>
> Even the NSA only got HAP, not a CPU without ME all together and the US
> government probably spends hundreds of millions with intel every year.
>
> x86-64 will always have ME/PSP and it simply can't be disabled, pretending
> otherwise is doing a disservice to many who look to the big shots for advice
> and pipe dreams like that being spread to the masses are the main reason I
> dislike purism so much.

You know of the ROM Bypass stuff, right? The first byte of the flash
contains a JMP instruction into the ROMB partition in the flash
(that's why the IFD magic number is at offset 0x10, not 0x0), so if
you put the right flag in the flash to enable ROM Bypass, then you
could get full unsigned/unchecked code (since the code in the ROM is
what checks signatures).
Now, that actually doesn't work because it's a feature that is
disabled on production chips, only pre-production chips allow the ROM
Bypass feature. What if someone finds a way to enable that feature on
a production chip ? What if you can make your CPU think it's in
preproduction mode thanks to some microcode update for example ? Then
you can get fully user controlled ME from the very first instruction.

I'm not saying it's possible or that it will be possible, but I'm
saying that it's not a "pipe dream" like you seem to think.
Even better, forget HAP, forget ROM Bypass, how about using the
exploit that PT announced at BlackHat to get your own unsigned code to
execute on the ME. You get full user control of the ME that way, and
while we know that the HAP bit happens at the end of the BUP module's
task, it's possible the exploit happens at the start (it does happen
when it tries to read a config file, so it could be early in the BUP).
The entire code from the first instruction all the way to the time the
exploit runs, could be reverse engineered, so even if you don't
control what happens there, you could at least have the source for it
and audit it to make sure it's not doing anything you wouldn't want it
to do, then have your exploit run and execute your own user controlled
ME firmware.
It's not as perfect a solution as being able to do a ROM Bypass and
control everything from the very first JMP, but it's something doable
today, it's not even a "maybe", so again, it's not a pipe dream.

>
> People will think "well gee why buy an actually-libre-right-now TALOS 2 when
> I can simply wait a few years when the eggheads have cracked ME and I can
> keep getting cheap soul-less computers" as tim said the discovery of HAP etc
> probably set back libre computing a decade.
>
> I hope you are buying a TALOS 2.

I think people buying a TALOS 2 and people buying a Librem are two
very distinct types of people. I very much doubt that someone has ever
had to decide between buying a Librem and a TALOS. No one in need of a
computer and in need of an open hardware machine will decide to "wait a
few years" either.. when you need a new PC, you buy a new PC. If you
want a TALOS, then you buy a TALOS, if you don't want it, or you want
a laptop, or if you don't have the budget for it, then you look
elsewhere, you're not going to just read some article and decide to
wait years without a computer in the hope that what you actually want
might be released by then.



> > > > A good summary is that we want to "bring
> > > > blob-free to the hardware that people want", rather than "bring
> > > > blob-free hardware to the people who want it".

> This is great; and I may quote you on that :)

Yeah, Todd, you can quote me. I also really liked that when I thought of it :p
And thanks for answering Nico's questions and correcting my
statements. I didn't even know an i.mx8 librem 13/15 had already been
thought of, that's pretty cool if it's in the plans!



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread taii...@gmx.com

On 12/23/2017 07:16 PM, Todd Weaver wrote:
> Intel did not mislead, we told them, and continue to, that we _want_ an
> ME-less design (which is their term for what we asked for). And as we
> grow our leverage will grow, and our influence will grow. This is a
> long-term strategy and is playing out as planned.
>
> They will not adjust based on small quantities, but quantity =
> leverage, and our influence changes as volumes grow. (e.g. $ =
> influence)

You will never have that type of leverage, if google can't pull it off 
then no one can.


Even the NSA only got HAP, not a CPU without ME all together and the US 
government probably spends hundreds of millions with intel every year.


x86-64 will always have ME/PSP and it simply can't be disabled, 
pretending otherwise is doing a disservice to many who look to the big 
shots for advice and pipe dreams like that being spread to the masses 
are the main reason I dislike purism so much.


People will think "well gee why buy an actually-libre-right-now TALOS 2 
when I can simply wait a few years when the eggheads have cracked ME and 
I can keep getting cheap soul-less computers" as tim said the discovery 
of HAP etc probably set back libre computing a decade.


I hope you are buying a TALOS 2.



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread taii...@gmx.com

On 12/23/2017 04:08 PM, Ivan Ivanov wrote:
> Sadly the ARM processor also has the ME-like backdoor (called "TrustZone").
> And even MIPS is going this road soon (check out the "MIPS OmniShield" news).
>
> Could it be the requirement of US Government - for all the consumer
> CPU to have backdoors ?
> My last hopes are on POWER 9 and RISC V now ; meanwhile sticking to
> the AMD pre-PSP tech

I believe that "the No Such Agency did it" is too easy - I doubt they 
would be able to keep something that big under wraps for long 
considering how incompetent they are when it comes to security.


My bets are on some type of private actor who wants industrial espionage 
on steroids - blackmailing or bribing key people who work for intel/amd 
to make it seem like ME/PSP is a good idea.

Imagine all the money you could make with that kind of access!



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Zoran Stojsavljevic
> Intel did not mislead, we told them, and continue to, that we _want_ an
> ME-less design (which is their term for what we asked for).

This is Mission Impossible. The reasons are Technical (bringing up the
platform) and Political => Sales and Marketing
domination/implications.

> And as we grow our leverage will grow, and our influence will grow. This
> is a long-term strategy and is playing out as planned.

Actually, it is vice versa. ME gets more and more complicated, as time
progresses. Understandable why. If INTEL solves Cannon Lake woes with
10nm technology (INTEL struggles for 20 months with yields), ME will
be even more complex to support EUV lithography and its outcomes.

> Not binary-blob free. It was always known this will be a large
> investment of both time and money. But coreboot ported to hardware
> within a few months is an accurate assessment of what I heard, and that
> turned out to be much longer, not in technical nature, but finding the
> right people/developers to do it properly. Now all our (x86) products
> are running coreboot, and will continue to.

As well as FSP. It gets more complicated, although it gets more
structured. There are three parts of the FSP blob now: FSP-S, FSP-M
and FSP-P. Silicon init, MRC and early platform init. And disassembling
this is quite possible, but then the disassembled code will be
all magic addresses and magic data (except MRC, at least for LPDDR3).

Something like: uint32 read (uint32 * addr), void write (uint32 *
addr, uint32 data), where at some magic addr 0xFF87429C magic data are
stored: 0x0030CF46, and nobody really knows what the address points to
(the feature), and what the data mean (since there are fields, usually
from 5 fields +)?! And there are gazillions of such registers there,
undocumented, which are outlined in C-Specs, NOT all of them???

The only proper way how to solve this problem is to force INTEL to
publicly release C-Specs for each and every CORE and ATOM families,
which is equivalent to force NSA to release their deepest secrets to
the public.

Good Luck with all of these efforts!
Zoran Stojsavljevic

On Sun, Dec 24, 2017 at 1:16 AM, Todd Weaver  wrote:
> On Fri, 2017-12-22 at 22:06 -0500, Youness Alaoui wrote:
>> On Tue, Dec 19, 2017 at 3:54 PM, Timothy Pearson
>>  wrote:
>> >
>> > Thank you for the detailed explanation.  I guess this is an area in
>> > which experience matters; it is absolutely unacceptable (and not
>> > unexpected) that Intel misled your CEO, but this is sadly not an
>> > uncommon tactic in the industry.
>
> Intel has not misled anything. We knew the ME/FSP/vBIOS were the issues
> (from my first questions to this coreboot mailing list and the replies
> from the community), but there was no perfect alternative, so we chose
> Intel to get hardware (more) people wanted and work and invest toward
> liberating it.
>
> I can say, without much doubt, that if we chose any other platform we
> would have struggled in volume and not advanced any faster or farther
> than we have already.
>
> To liberate hardware, there are three larger paths:
> 1) use existing liberated hardware (gets older and older)
> 2) design using freed chips (low performance)
> 3) use products people want that are not yet fully liberated, invest in
> liberating.
>
> For laptops:
> #1 is already being done by many
> #2 is also being done
> #3 is the path we are doing for laptops.
>
> For a phone:
> #1 doesn't exist
> #2 is the path we are doing
> #3 others are trying
>
> We can then cross-pollinate our investment efforts into the phone
> motherboard into a laptop with #2.
>
> I have a published business vision page here:
> https://puri.sm/about/business-model-and-vision/
>
>
>> > One item I would like to call out though is the following:
>> >
>> > > if old or non-x86 architectures were so appealing, you would have
>> > > seen that become the norm rather than the exception)
>
> This statement is accurate. The volume of sales would be significantly
> less if we tried non-x86. And then our growth would be smaller; and our
> investment toward freeing future hardware would not happen; and then
> there would be no advancement toward convenient ethical products, which
> is our goal.
>
>> > Trying to switch architectures may be hard, but it is only
>> > going to get harder day after day as people continue to cling to
>> > false hope that the x86 platform may ever be brought under their
>> > control.
>
> It's pretty simple. With leverage we can change businesses. This is not
> a short-term game, but a long-term... grow-gain leverage-influence
> change-repeat. And this is what we are doing at Purism, and will
> continue. We are not griping about the state of affairs, we have a plan
> to change the future, and are executing on it.
>
>
>> > I wonder, though, if given this information if possibly Raptor and
>> > Purism might have some common business ground here?  Purism has
>> > experience with laptop mechanicals and 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Todd Weaver
On Fri, 2017-12-22 at 22:06 -0500, Youness Alaoui wrote:
> On Tue, Dec 19, 2017 at 3:54 PM, Timothy Pearson
>  wrote:
> > 
> > Thank you for the detailed explanation.  I guess this is an area in
> > which experience matters; it is absolutely unacceptable (and not
> > unexpected) that Intel misled your CEO, but this is sadly not an
> > uncommon tactic in the industry.

Intel has not misled anything. We knew the ME/FSP/vBIOS were the issues
(from my first questions to this coreboot mailing list and the replies
from the community), but there was no perfect alternative, so we chose
Intel to get hardware (more) people wanted and work and invest toward
liberating it.

I can say, without much doubt, that if we chose any other platform we
would have struggled in volume and not advanced any faster or farther
than we have already.

To liberate hardware, there are three larger paths:
1) use existing liberated hardware (gets older and older)
2) design using freed chips (low performance)
3) use products people want that are not yet fully liberated, invest in
liberating.

For laptops:
#1 is already being done by many
#2 is also being done
#3 is the path we are doing for laptops.

For a phone:
#1 doesn't exist
#2 is the path we are doing
#3 others are trying

We can then cross-pollinate our investment efforts into the phone
motherboard into a laptop with #2.

I have a published business vision page here:
https://puri.sm/about/business-model-and-vision/


> > One item I would like to call out though is the following:
> > 
> > > if old or non-x86 architectures were so appealing, you would have
> > > seen that become the norm rather than the exception)

This statement is accurate. The volume of sales would be significantly
less if we tried non-x86. And then our growth would be smaller; and our
investment toward freeing future hardware would not happen; and then
there would be no advancement toward convenient ethical products, which
is our goal.

> > Trying to switch architectures may be hard, but it is only
> > going to get harder day after day as people continue to cling to
> > false hope that the x86 platform may ever be brought under their
> > control.

It's pretty simple. With leverage we can change businesses. This is not
a short-term game, but a long-term... grow-gain leverage-influence
change-repeat. And this is what we are doing at Purism, and will
continue. We are not griping about the state of affairs, we have a plan
to change the future, and are executing on it.


> > I wonder, though, if given this information if possibly Raptor and
> > Purism might have some common business ground here?  Purism has
> > experience with laptop mechanicals and related concerns, and we
> > have experience with truly blob-free, powerful hardware --
> > combining those two could yield an interesting machine...

Ping me off list to discuss. We are always looking for aligned
partnerships or collaboration.


> > > The main question I have, and this is an honest question, is why
> > > Purism chose to use the x86 platform as a base for libre
> > > hardware, when it has been known for some time that said hardware
> > > could never be made fully blob-free?

See above, I think I laid out and answered this clearly. It's not just
technical, there is a strong business model behind our approach.

> > > There were (and are) other good ways to make a system that could
> > > be fully blob-free, for instance ARM, and given the engineering
> > > effort that is said to have been put into the Purism machines I
> > > wonder what we could have had if said effort had been put into an
> > > aarch64 system instead of an x86 system?

Sure, that would sell a small fraction of the quantity, and fail to
impact the future of computing in a way we model out.

> > > > The second reason is that Todd (CEO) was in talks with Intel
> > > > and was unfortunately led to believe that they were open to
> > > > release an ME-less design CPU for his needs, it ended up not
> > > > being the case.

Intel did not mislead, we told them, and continue to, that we _want_ an
ME-less design (which is their term for what we asked for). And as we
grow our leverage will grow, and our influence will grow. This is a
long-term strategy and is playing out as planned.

They will not adjust based on small quantities, but quantity =
leverage, and our influence changes as volumes grow. (e.g. $ =
influence)

> > > > Todd thought that it would be possible to get a binary blob
> > > > free coreboot/CPU with a few months of work.

Not binary-blob free. It was always known this will be a large
investment of both time and money. But coreboot ported to hardware
within a few months is an accurate assessment of what I heard, and that
turned out to be much longer, not in technical nature, but finding the
right people/developers to do it properly. Now all our (x86) products
are running coreboot, and will continue to.

> > > > A good summary is that we want to "bring
> > 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Todd Weaver
On Sat, 2017-12-23 at 11:39 +0100, Nico Huber wrote:
> If you get the i.MX8 for it (and it turns out to be as good
> documented), all you have to do is to ask for a board with the most
> powerful version that physically fits a Librem 13 [1]. Then you can
> offer trustworthy hardware vs. performance and let your customers
> choose.

"all you have to do" is simplifying the "all we have to do" a little.

But let me confirm our top-level plans as it relates...

The Librem 5 is the catalyst for us to produce a motherboard that fits
into the Librem 13/15 ... etc. So that part is spot-on.

We will then offer:
Librem 13 i7
Librem 13 i.mx8
Librem 15 i7
Librem 15 i.mx8
etc.

This will probably be able to happen in 2019. The "all we have to do"
is (not even limited to) design, prototype, test, modify, tool, fund,
fabricate, productize, develop, inventory, quality control, ship,
publish, and support.

> There are ofc alternatives to i.MX. Most use a graphics core where
> free drivers are a problem. Though, a proprietary driver in the OS is
> far less troublesome than blobs in your firmware (or the ME).

I am not convinced this is the consensus. For one critical test that
this would fail: PureOS being listed as an FSF endorsed distribution =
no proprietary drivers in the OS (plus a lot of other things, but that
is the only relevant part to the comparison).

So our approach I believe is still the best approach. Start with
hardware people want, work to free it (NOTE: This is how GNU started in
OS freedom, and I believe that was the best approach there as well).
Since we have to invest in i.mx8 for the phone, then we can
cross-pollinate that investment into a less expensive, lower performance,
RYF compatible laptop board that fits into our existing cases.

> Once you buy a reasonable quantity of an SoC, you can ask if they can
> make the next generation with RISC-V instead of ARM. Unlikely to get
> that soon, but way more likely than Intel changing their silicon for
> you.

Moving to RISC-V is on the "we will evaluate and would love to do it."
roadmap, and we will continue to follow the progress there to produce a
device that is RISC-V when it crosses the threshold of "stable
available product". Part of that determination is based on the talented
coreboot community, talking to Ron about this at the last coreboot
conference helped gauge the tests for "when" this will be able to be
put into a product.

> 
> Nico
> 
> [1] I'm convinced that this is easily doable.

"easily doable" see above.

Todd.


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Peter Stuge
Ivan Ivanov wrote:
> Could it be the requirement of US Government - for all the consumer
> CPU to have backdoors ?

I guess that the private sector is a much stronger force...


Nico Huber wrote:
> watch Netflix in high resolution


//Peter



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Nico Huber
On 23.12.2017 22:08, Ivan Ivanov wrote:
> Sadly the ARM processors also have the ME-like backdoor (called "TrustZone").

Some have. Some not. Some have it and it's owner-controllable. It's not
about the ISA and some optional architectural feature, it's about the
chip you buy.

> And even MIPS is going this road soon (check out the "MIPS OmniShield" news).
> 
> Could it be the requirement of US Government - for all the consumer
> CPU to have backdoors ?
> My last hopes are on POWER 9 and RISC V now ; meanwhile sticking to
> the AMD pre-PSP tech

Forget it. RISC-V already has SMM-like tech in the architecture. But
that doesn't matter as long as you can buy chips that are
owner-controllable. Such features make it harder to keep everything secure
but they don't force the silicon vendor to lock you out (as long as you
don't ask to be able to watch Netflix in high resolution or something
like that).

Nico



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Ivan Ivanov
Sadly the ARM processors also have the ME-like backdoor (called "TrustZone").
And even MIPS is going this road soon (check out the "MIPS OmniShield" news).

Could it be the requirement of US Government - for all the consumer
CPU to have backdoors ?
My last hopes are on POWER 9 and RISC V now ; meanwhile sticking to
the AMD pre-PSP tech

Best regards,
Ivan Ivanov


2017-12-23 15:08 GMT+03:00 Alberto Bursi :
>
>
> On 12/23/2017 11:54 AM, Nico Huber wrote:
>> On 23.12.2017 11:39, Nico Huber wrote:
>>> [1] I'm convinced that this is easily doable. At least compared to the
>>>  effort you already put in liberating the unliberatable. If the i.MX8
>>>  turns out to be as controllable and well documented as the i.MX6,
>>>  you'd be catapulted towards the end of your freedom roadmap.
>>>
>> Now that I've looked at your roadmap again, there's a flaw at the
>> beginning: AUIU, at least Acer, Dell, HP and Lenovo sell products
>> that are on par with yours (Chromebooks). Actually you're basing
>> your firmware on their investments into it. So it seems unfair to
>> list them there. Some even sell ARM devices that are far ahead (in
>> terms of freedom and owner-controllability; not in your roadmap
>> because that has a very weird order).
>>
>> Nico
>>
>
> Meh, chromebooks aren't exactly powerful systems anyway. Also I don't
> know other ARM devices that are more free than ARM chromebooks (again
> not really powerful systems).
>
> -Alberto
> --
> coreboot mailing list: coreboot@coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Alberto Bursi


On 12/23/2017 11:54 AM, Nico Huber wrote:
> On 23.12.2017 11:39, Nico Huber wrote:
>> [1] I'm convinced that this is easily doable. At least compared to the
>>  effort you already put in liberating the unliberatable. If the i.MX8
>>  turns out to be as controllable and well documented as the i.MX6,
>>  you'd be catapulted towards the end of your freedom roadmap.
>>
> Now that I've looked at your roadmap again, there's a flaw at the
> beginning: AUIU, at least Acer, Dell, HP and Lenovo sell products
> that are on par with yours (Chromebooks). Actually you're basing
> your firmware on their investments into it. So it seems unfair to
> list them there. Some even sell ARM devices that are far ahead (in
> terms of freedom and owner-controllability; not in your roadmap
> because that has a very weird order).
>
> Nico
>

Meh, chromebooks aren't exactly powerful systems anyway. Also I don't 
know other ARM devices that are more free than ARM chromebooks (again 
not really powerful systems).

-Alberto


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Nico Huber
On 23.12.2017 11:39, Nico Huber wrote:
> [1] I'm convinced that this is easily doable. At least compared to the
> effort you already put in liberating the unliberatable. If the i.MX8
> turns out to be as controllable and well documented as the i.MX6,
> you'd be catapulted towards the end of your freedom roadmap.
> 

Now that I've looked at your roadmap again, there's a flaw at the
beginning: AUIU, at least Acer, Dell, HP and Lenovo sell products
that are on par with yours (Chromebooks). Actually you're basing
your firmware on their investments into it. So it seems unfair to
list them there. Some even sell ARM devices that are far ahead (in
terms of freedom and owner-controllability; not in your roadmap
because that has a very weird order).

Nico



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-23 Thread Nico Huber
Hey Youness, hey Todd,

On 23.12.2017 04:06, Youness Alaoui wrote:
> I think there is a plan to move librems to non-x86 architecture
> eventually (considering that RYF is our long term plan, there is no
> choice in moving out of x86 eventually),

that would be great.

> I think the efforts on the
> risc-v front are the most promising and I think that's where the true
> competition to x86 will be, but to be honest, I don't really follow,
> understand or know much of anything that happens in the hardware space
> since I'm a software guy at heart (i.e: all I know is that x86, ARM,
> PPC and Risc-V use different instruction sets).

RISC-V is just a different ISA. Ok, it's free, but as it's BSD
licensed, silicon vendors can build around it whatever they want. Delivering
an owner-controllable platform is not in the scope of an ISA anyway. So
RISC-V can't magically change the game by definition.

> I hear a lot about PPC
> (with Talos for example), but I don't think PPC is as open as Risc-v
> (ISA or something). All I know about PPC really is that it was fun to
> reverse engineer during my PS3 days :)
> Anyways, as far as I know, for risc-v, it's not there yet, so we're
> waiting for that to be ready for the masses before moving to it. I
> have absolutely no idea if it's "close" or if it's really a long term
> plan for risc-v to be able to compete with x86 in terms of
> performance/power usage/features/etc...

It doesn't matter how close somebody else is. If I understand Purism
correctly, the idea is not to jump into a market of owner-controllable
devices once it exists, but to pioneer that market. The only thing that
matters is what you buy *today*. The choice of i.MX for the Librem 5 is
a move into the right direction. i.MX6 was the best thing you can get
for mobile devices, IMHO (controllable and publicly documented). If you
get the i.MX8 for it (and it turns out to be as good documented), all
you have to do is to ask for a board with the most powerful version that
physically fits a Librem 13 [1]. Then you can offer trustworthy hardware
vs. performance and let your customers choose.

There are ofc alternatives to i.MX. Most use a graphics core where free
drivers are a problem. Though, a proprietary driver in the OS is far
less troublesome than blobs in your firmware (or the ME). And you might
find something that is already available and delivers higher performance
than the announced i.MX8 versions.

Once you buy a reasonable quantity of an SoC, you can ask if they can
make the next generation with RISC-V instead of ARM. Unlikely to get
that soon, but way more likely than Intel changing their silicon for
you.

Nico

[1] I'm convinced that this is easily doable. At least compared to the
effort you already put in liberating the unliberatable. If the i.MX8
turns out to be as controllable and well documented as the i.MX6,
you'd be catapulted towards the end of your freedom roadmap.



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-22 Thread Youness Alaoui
On Sat, Dec 23, 2017 at 12:28 AM, Zoran Stojsavljevic
 wrote:
> Hello Youness,
>
> With all due respect, you write too long emails, trying to defend
> Purism. A lot of your arguments I do not buy.
> Some of them I do.
>
I know I write too long emails, a long time ago I stopped trying to
make them shorter, because I always fail. Some like to read them, some
won't read them, and that's ok.
I wasn't trying to defend Purism though, I was answering Taiidan's
questions. Maybe he'll accept the answers, maybe he'll disagree with
my answer, or maybe he won't bother to read the long email either.


> But, hey, this is what you/Purism have/has to offer, and this is a
> sort of fair deal. We all know what you are offering,
> in regards to x86, so let it be. Some people will buy Taiidan's facts,
> some yours, and some will stay in between.
>
Yes, there is a lot of choices for a lot of needs and the person
making the decision is the user, they decide what they want, so they
can't be wrong. I remember when Purism was even suggesting Gluglug on
the website as an alternative (a "non-competitor"). I think that was
taken down after some political conflict between Leah and us, I'm not
entirely sure though.

Have a nice weekend, happy Christmas (if you care) and happy new year!



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-22 Thread Zoran Stojsavljevic
Hello Youness,

With all due respect, you write too long emails, trying to defend
Purism. A lot of your arguments I do not buy.
Some of them I do.

But, hey, this is what you/Purism have/has to offer, and this is a
sort of fair deal. We all know what you are offering,
in regards to x86, so let it be. Some people will buy Taiidan's facts,
some yours, and some will stay in between.

What remains a puzzle is the Purism charge for the Coreboot with
incorporated FSP, maximally stripped ME, with
HAP mechanism set, so a minimum (so to speak) ME stays inactive in
user space (no applications running).

At the end of the day, this is the customers' choice. How well they
are educated, and what side of the story they
do prefer, for which monies. These days they have several choices, I
see at least three/four:
[1] Classical UEFI laptops/notebooks;
[2] [1] with HAP set, so invalidate/inactivate ME in user space (example: DELL);
[3] Purism prepared laptops/notebooks;
[4] [1], then swap by themselves UEFI with Coreboot + FSP + stripped
ME (HAP set)!

So, battle goes on, in sales and marketing space (what is the best
solution out of above presented).

But this is the fact of Life, last few hundred years (advertisement
and marketing)! ;-)

As Russians like to say (Russian proverb): Kazdij kulik svoe boloto hvalit! (Every sandpiper praises its own swamp.)

Zoran

On Sat, Dec 23, 2017 at 5:36 AM, Youness Alaoui
 wrote:
> On Tue, Dec 19, 2017 at 8:04 PM, taii...@gmx.com  wrote:
>> On 12/18/2017 01:59 PM, Youness Alaoui wrote:
>>
>>> As for Taiidan's response, I think Matt's response to it is pretty
>>> good already, and I'm tired of seeing Taiidan jumping at the chance to
>>> talk against Purism every chance he gets
>>
>> I simply want people to have all the facts before they spend thousands on a
>> computer - as I have stated before you guys really need to change your
>> marketing as it is confusing a lot of people.
>
> First of all, I feel like this email is genuinely curious/humble
> rather than hateful as I've had the impression in the past, so thank
> you for that. That's why I decided to answer you, as I've previously
> preferred not to. This response will probably be long though, so if
> anyone reading here decides to TL;DR, that's perfectly fine by me.
> The facts are there for people and I don't think that there is
> anything wrong with the marketing. Some people might be confused but I
> think that's unavoidable, no matter what we do or how we say things or
> which things are put on the front, there will always be people who
> will be confused.
>
>>
>> I of course would be more than happy to assist with this task, please
>> remember *people are still going to purchase your products if your marketing
>> is entirely up front and honest* - will you lose a few sales? of course,
>> but it is better to do that than have unhappy customers.
>
> That's your issue here, you think that the marketing is not honest,
> but it is. It's not about losing sales or anything like that. You'd be
> surprised to know just how many "unhappy customers" there are compared
> to how many customers are actually happy about their devices. Other
> than a couple of people (like you or Nico) who have stated that they'd
> be unhappy with such a device, I haven't heard of anyone complaining.
> I think that you are simply projecting your own needs or wants to a
> much larger proportion of our customers. Would some people prefer a
> 100% open machine, yes, can they buy such a machine from somewhere
> else, yes, did they misunderstand what the librem actually was when
> they bought it, probably not.
>
>>
>> I humbly request:
>> Remove "Libre" from the product names,
>
> Now this is ridiculous (sorry) for multiple reasons. First of all, it
> would be a nightmare to suddenly change a brand's name just to satisfy
> one non-customer, and secondly, it makes no sense, the fact that the
> device is called a Librem doesn't mean that it's open source hardware!
> What's next, you will ask LibreOffice to refuse to install on any
> hardware if they detect binary blobs on it ? Or that they remove
> support for non libre document formats? Would you say that libreboot
> should not be installed on laptops for which the schematics are not
> open source ? etc..
> The laptops are the "Librem series" they are not "The Libre hardware
> series", and you need to differentiate between the two. The brand name
> is not meant to trap customers either.
>
>> Remove "every chip hand selected to respect privacy" (Intel chips do not do
>> this),
>
> This one, I kind of agree with you on it. I understand where it comes
> from, it's about the peripherals, USB chip, webcam chip, the wifi
> chip, the fact that the ethernet chip (on the previous models with
> ethernet) was added instead of using the intel integrated one, etc...
> So, yes, every chip is indeed hand selected to optimize the privacy
> and security when an alternative is available, it is not however a
> guarantee that 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-22 Thread Youness Alaoui
On Tue, Dec 19, 2017 at 8:04 PM, taii...@gmx.com  wrote:
> On 12/18/2017 01:59 PM, Youness Alaoui wrote:
>
>> As for Taiidan's response, I think Matt's response to it is pretty
>> good already, and I'm tired of seeing Taiidan jumping at the chance to
>> talk against Purism every chance he gets
>
> I simply want people to have all the facts before they spend thousands on a
> computer - as I have stated before you guys really need to change your
> marketing as it is confusing a lot of people.

First of all, I feel like this email is genuinely curious/humble
rather than hateful as I've had the impression in the past, so thank
you for that. That's why I decided to answer you, as I've previously
preferred not to. This response will probably be long though, so if
anyone reading here decides to TL;DR, that's perfectly fine by me.
The facts are there for people and I don't think that there is
anything wrong with the marketing. Some people might be confused but I
think that's unavoidable, no matter what we do or how we say things or
which things are put on the front, there will always be people who
will be confused.

>
> I of course would be more than happy to assist with this task, please
> remember *people are still going to purchase your products if your marketing
> is entirely up front and honest* - will you lose a few sales? of course,
> but it is better to do that than have unhappy customers.

That's your issue here, you think that the marketing is not honest,
but it is. It's not about losing sales or anything like that. You'd be
surprised to know just how many "unhappy customers" there are compared
to how many customers are actually happy about their devices. Other
than a couple of people (like you or Nico) who have stated that they'd
be unhappy with such a device, I haven't heard of anyone complaining.
I think that you are simply projecting your own needs or wants to a
much larger proportion of our customers. Would some people prefer a
100% open machine, yes, can they buy such a machine from somewhere
else, yes, did they misunderstand what the librem actually was when
they bought it, probably not.

>
> I humbly request:
> Remove "Libre" from the product names,

Now this is ridiculous (sorry) for multiple reasons. First of all, it
would be a nightmare to suddenly change a brand's name just to satisfy
one non-customer, and secondly, it makes no sense, the fact that the
device is called a Librem doesn't mean that it's open source hardware!
What's next, you will ask LibreOffice to refuse to install on any
hardware if they detect binary blobs on it ? Or that they remove
support for non libre document formats? Would you say that libreboot
should not be installed on laptops for which the schematics are not
open source ? etc..
The laptops are the "Librem series" they are not "The Libre hardware
series", and you need to differentiate between the two. The brand name
is not meant to trap customers either.

> Remove "every chip hand selected to respect privacy" (Intel chips do not do
> this),

This one, I kind of agree with you on it. I understand where it comes
from, it's about the peripherals, USB chip, webcam chip, the wifi
chip, the fact that the ethernet chip (on the previous models with
ethernet) was added instead of using the intel integrated one, etc...
So, yes, every chip is indeed hand selected to optimize the privacy
and security when an alternative is available, it is not however a
guarantee that the CPU itself is privacy-respecting. The sentence is
there to basically say "we are not a white-label reseller", but I do
agree with you that it can be (easily) interpreted to mean that the
intel CPU is privacy-respecting when it is not necessarily true.

> Clearly mention and define the difference between a coreboot device with FSP
> and one without in the product description

How and where? There is nothing clearer than the fact that coreboot
comes with binary blobs. We have written countless blog posts about
it, I regularly post progress updates, we have discussed which binary
blobs are present and what they do, we have a link somewhere to point
to the https://www.coreboot.org/Binary_situation page, it's even
actually mentioned that "we have yet to free the Intel FSP" in the
Roadmap page, this is not something that is hidden from customers by
any stretch of the imagination, and your statement makes it sound like
we're hiding this on purpose from the customers.
Would you also suggest to any manufacturer that sells laptops with
Ubuntu on them to specify that "Ubuntu is not really free software
because it has binary firmware in it"? No, because the important
part is that you're running Ubuntu, it doesn't matter that it has a
binary firmware file in it somewhere... this is the same thing, it
ships with coreboot, yeay, it has an open source BIOS, yeay, coreboot
is still better than the proprietary BIOS even if the memory/silicon
init is done via a binary blob from Intel.
I will however agree 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-22 Thread Youness Alaoui
I think there is a plan to move librems to non-x86 architecture
eventually (considering that RYF is our long term plan, there is no
choice in moving out of x86 eventually), I think the efforts on the
RISC-V front are the most promising and I think that's where the true
competition to x86 will be, but to be honest, I don't really follow,
understand or know much of anything that happens in the hardware space
since I'm a software guy at heart (i.e. all I know is that x86, ARM,
PPC and RISC-V use different instruction sets). I hear a lot about PPC
(with Talos for example), but I don't think PPC is as open as RISC-V
(ISA or something). All I know about PPC really is that it was fun to
reverse engineer during my PS3 days :)
Anyways, as far as I know, for RISC-V, it's not there yet, so we're
waiting for that to be ready for the masses before moving to it. I
have absolutely no idea if it's "close" or if it's really a long term
plan for RISC-V to be able to compete with x86 in terms of
performance/power usage/features/etc...

Note: this is not an official statement, I never really bothered to
ask in details about such things, I simply write code and yell at it
for not working...

As for the collaboration, again, I have no idea about any of the
business/manufacturing logistics, but if you think there's something
there that can be done, I suggest you contact Todd (I added him in CC)
and you could discuss things, he'll know what to answer you!

Thanks!

On Tue, Dec 19, 2017 at 3:54 PM, Timothy Pearson
 wrote:
>
> Thank you for the detailed explanation.  I guess this is an area in
> which experience matters; it is absolutely unacceptable (and not
> unexpected) that Intel misled your CEO, but this is sadly not an
> uncommon tactic in the industry.
>
> One item I would like to call out though is the following:
>
>> if old or non-x86 architectures were so appealing, you would have seen that 
>> become the norm rather than the exception)
>
> No one is denying that the easiest course of action for everyone would
> have been for Intel or AMD to release owner-controllable CPUs.  That
> being said, individuals and organizations needing privacy and owner
> control are /not/ their target market, nor are those entities Intel (or
> AMD)'s secondary (or even tertiary) market.  Both Intel and AMD rely on
> their lock-in and close association with Windows and related software to
> provide cheap, but wholly locked down, CPUs *by design*.  You could look
> at it as the hardware vendor simply providing a leased tool on which to
> run the leased software -- in such a market, cost trumps everything,
> owner control is looked at as "enabling piracy", and as a result x86 is
> not an appropriate platform for anyone needing control or privacy.
>
> In this environment, one must make a choice between convenience (x86)
> and owner control.  As you mentioned, the only middle ground is
> relegated to ancient computers, and that is not where we place any hope
> at all.  Trying to switch architectures may be hard, but it is only
> going to get harder day after day as people continue to cling to false
> hope that the x86 platform may ever be brought under their control.  The
> simple fact is, the purchaser of an x86 machine is not Intel or AMD's
> customer, nor are the ODMs.  Their primary customers, in an odd sort of
> way, are actually the software vendors that require x86 for their
> existing applications, and they are the ones that will call the shots on
> features or antifeatures in the x86 walled garden.
>
> I wonder, though, given this information, whether Raptor and
> Purism might have some common business ground here?  Purism has
> experience with laptop mechanicals and related concerns, and we have
> experience with truly blob-free, powerful hardware -- combining those
> two could yield an interesting machine...
>
> On 12/19/2017 02:41 PM, Youness Alaoui wrote:
>> On Tue, Dec 19, 2017 at 2:07 PM, Timothy Pearson
>>  wrote:
>> On 12/19/2017 11:51 AM, Dame Más wrote:
> I finished the University and I have free time to do things. And this
> seems like an interesting project to which I dedicate many hours.
>
> The truth is that I read a lot these days. The work you do kakaroto is
> impressive.
> In general Purism is doing something big, and I spoke ahead of time.
>
> I saw that in the directory
> coreboot/3rdparty/blobs/mainboard/purism/
> there is no content, is that right?
>
> Thanks
>>
>> The main question I have, and this is an honest question, is why Purism
>> chose to use the x86 platform as a base for libre hardware, when it has
>> been known for some time that said hardware could never be made fully
>> blob-free?
>>
>> There were (and are) other good ways to make a system that could be
>> fully blob-free, for instance ARM, and given the engineering effort that
>> is said to have been put into the Purism machines I wonder 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread taii...@gmx.com

On 12/18/2017 01:59 PM, Youness Alaoui wrote:
> As for Taiidan's response, I think Matt's response to it is pretty
> good already, and I'm tired of seeing Taiidan jumping at the chance to
> talk against Purism every chance he gets
I simply want people to have all the facts before they spend thousands
on a computer - as I have stated before, you guys really need to change
your marketing as it is confusing a lot of people.

I of course would be more than happy to assist with this task, please
remember *people are still going to purchase your products if your
marketing is entirely up front and honest* - will you lose a few sales?
Of course, but it is better to do that than have unhappy customers.


I humbly request:
Remove "Libre" from the product names,
Remove "every chip hand selected to respect privacy" (Intel chips do not 
do this),
Clearly mention and define the difference between a coreboot device with 
FSP and one without in the product description
Please stop the requests for the FSF to bend the RYF rules so your 
devices can be RYF certified.
Remove the "Road to RYF" page - as it is entirely impossible for a 
modern intel device to be RYF certified.


I have never met a layman who didn't think that "coreboot" means
entirely open source hardware initialization (as it used to mean that before
FSP) and I have conversed with a variety of people who have bought or
are considering buying a purism or ORWL computer - they are always
surprised and unhappy when I explain.

> * You seem to think that the purism laptops are selling at a premium
> because it comes with coreboot?
They are, which isn't an issue (I know how much even a FSP coreboot
board port costs) if someone insists on brand new hardware.

> * You said "they are charging for a whitebox re-brand.", that's
> actually a completely false statement, the motherboard is our own and
> it is designed to avoid having any firmware-based hardware so a
> binary-blob-free linux distribution can run on it. It is not a
> whitebox re-brand. If it was a whitebox re-brand, then yeah, we'd be
> selling for a lot lower price considering we'd be able to also take
> advantage of the economies of scale.
As I recall at least the earlier laptops were in fact reference designs
complete with OEM provided windows licenses.
The blobs on a modern laptop are all peripheral related such as wi-fi
and touchpad, if you have in fact spent money on a custom board fab I do
not understand what made it worth it.

> * You are encouraging the purchase of lenovo machines, but as far as I
> know, lenovo is not actively working on reverse engineering the FSP.
> Also, the only reason that Lenovo can have a libreboot running on it
> is because the community did the port, not because the company itself
> is working towards freeing it or investing anything to provide more
> freedom to users.
Yes, obviously, but people who purchase used machines are not supporting
lenovo.


Reverse engineering FSP but always providing brand new hardware is a 
contradiction, it would take years and cost hundreds of thousands for 
every intel hardware revision. I do not understand how you will be able 
to afford this and again plead for the efforts to be re-directed to a 
high performance ARM laptop with for example an AppliedMicro CPU that 
could be owner controlled - currently all ARM laptops are very slow.

> So yeah, sure, you could say "don't pay a 30$
> premium for coreboot, buy a lenovo and do the port yourself" (assuming
> you know how to do the port, or you buy one that is already ported),
> but you might as well say "don't pay a 30$ premium for coreboot, buy a
> lenovo, do the port yourself, then reverse engineer the FSP yourself
> while you're at it" and it would be more accurate. And that's of
> course ignoring the question of the hardware kill switches, the fact
> that you can't compare a 200$ refurbished laptop from 6 years ago with
> a higher priced laptop from today
The Lenovo G505S is from three years ago and it uses the FT3 platform, I
still would like to know why you guys didn't use that, as it was
brand new when you first started selling laptops - it was just as fast
and open source firmware could be easily made for it as it has no
hardware code signing enforcement or ME/PSP...


It isn't as if a x86-64 board that isn't absolutely brand new is 
useless, I can play modern games on my KGPE-D16 without any issue with a 
2013 CPU (not 2008)

> * We worked on disabling the ME on the purism laptops. Yes, the lion's
> share of the work was done by others (Corna for me_cleaner and
> Positive Technologies for the HAP bit), but not only did it require a
> significant amount of work from our side as well, to test, validate
> and package the ME disablement work (see above blog post link), but we
> are the first manufacturer to offer it standard and without us doing
> it, it could be argued whether or not this differentiation would have
> convinced System76 and Dell to also pursue offering machines with the
> ME disabled. So, encouraging those who are 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Dame Más
THANKS KAKAROTO!! I already have fun!

If my head does not explode and my laptop does not explode, I'll write you
soon
hahahaha

2017-12-19 21:54 GMT+01:00 Timothy Pearson :

>
> Thank you for the detailed explanation.  I guess this is an area in
> which experience matters; it is absolutely unacceptable (and not
> unexpected) that Intel misled your CEO, but this is sadly not an
> uncommon tactic in the industry.
>
> One item I would like to call out though is the following:
>
> > if old or non-x86 architectures were so appealing, you would have seen
> that become the norm rather than the exception)
>
> No one is denying that the easiest course of action for everyone would
> have been for Intel or AMD to release owner-controllable CPUs.  That
> being said, individuals and organizations needing privacy and owner
> control are /not/ their target market, nor are those entities Intel (or
> AMD)'s secondary (or even tertiary) market.  Both Intel and AMD rely on
> their lock-in and close association with Windows and related software to
> provide cheap, but wholly locked down, CPUs *by design*.  You could look
> at it as the hardware vendor simply providing a leased tool on which to
> run the leased software -- in such a market, cost trumps everything,
> owner control is looked at as "enabling piracy", and as a result x86 is
> not an appropriate platform for anyone needing control or privacy.
>
> In this environment, one must make a choice between convenience (x86)
> and owner control.  As you mentioned, the only middle ground is
> relegated to ancient computers, and that is not where we place any hope
> at all.  Trying to switch architectures may be hard, but it is only
> going to get harder day after day as people continue to cling to false
> hope that the x86 platform may ever be brought under their control.  The
> simple fact is, the purchaser of an x86 machine is not Intel or AMD's
> customer, nor are the ODMs.  Their primary customers, in an odd sort of
> way, are actually the software vendors that require x86 for their
> existing applications, and they are the ones that will call the shots on
> features or antifeatures in the x86 walled garden.
>
> I wonder, though, given this information, whether Raptor and
> Purism might have some common business ground here?  Purism has
> experience with laptop mechanicals and related concerns, and we have
> experience with truly blob-free, powerful hardware -- combining those
> two could yield an interesting machine...
>
> On 12/19/2017 02:41 PM, Youness Alaoui wrote:
> > On Tue, Dec 19, 2017 at 2:07 PM, Timothy Pearson
> >  wrote:
> > On 12/19/2017 11:51 AM, Dame Más wrote:
>  I finished the University and I have free time to do things. And this
>  seems like an interesting project to which I dedicate many hours.
> 
>  The truth is that I read a lot these days. The work you do kakaroto is
>  impressive.
>  In general Purism is doing something big, and I spoke ahead of time.
> 
>  I saw that in the directory
>  coreboot/3rdparty/blobs/mainboard/purism/
>  there is no content, is that right?
> 
>  Thanks
> >
> > The main question I have, and this is an honest question, is why Purism
> > chose to use the x86 platform as a base for libre hardware, when it has
> > been known for some time that said hardware could never be made fully
> > blob-free?
> >
> > There were (and are) other good ways to make a system that could be
> > fully blob-free, for instance ARM, and given the engineering effort that
> > is said to have been put into the Purism machines I wonder what we could
> > have had if said effort had been put into an aarch64 system instead of
> > an x86 system?
> >
> >> That's a very good question and you're not the first one to ask it.
> >
> >> I think it's a combination of quite a few things. First, the fact that
> >> I don't think there were any realistically powerful/competing
> >> ARM/PPC/risc systems available at the time (or if there were, the
> >> price would have been too high to make it a "security focused laptop
> >> for everyone"). The purpose of Purism is not to satisfy a niche
> >> market, but rather to be something everyone will want whether or not
> >> they care about the security like we do, but which would still provide
> >> them with that security that they need. I think even now, you can't
> >> have an ARM device that could compete with an i7 in terms of
> >> performance.
> >
> >> The second reason is that Todd (CEO) was in talks with Intel and was
> >> unfortunately led to believe that they were open to release an
> >> ME-less design CPU for his needs, it ended up not being the case.
> >
> >> The last reason is because I think that through this discussion
> >> (https://mail.coreboot.org/pipermail/coreboot/2014-August/078511.html)
> >> Todd thought that it would be possible to get a 

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Timothy Pearson

Thank you for the detailed explanation.  I guess this is an area in
which experience matters; it is absolutely unacceptable (and not
unexpected) that Intel misled your CEO, but this is sadly not an
uncommon tactic in the industry.

One item I would like to call out though is the following:

> if old or non-x86 architectures were so appealing, you would have seen that 
> become the norm rather than the exception)

No one is denying that the easiest course of action for everyone would
have been for Intel or AMD to release owner-controllable CPUs.  That
being said, individuals and organizations needing privacy and owner
control are /not/ their target market, nor are those entities Intel (or
AMD)'s secondary (or even tertiary) market.  Both Intel and AMD rely on
their lock-in and close association with Windows and related software to
provide cheap, but wholly locked down, CPUs *by design*.  You could look
at it as the hardware vendor simply providing a leased tool on which to
run the leased software -- in such a market, cost trumps everything,
owner control is looked at as "enabling piracy", and as a result x86 is
not an appropriate platform for anyone needing control or privacy.

In this environment, one must make a choice between convenience (x86)
and owner control.  As you mentioned, the only middle ground is
relegated to ancient computers, and that is not where we place any hope
at all.  Trying to switch architectures may be hard, but it is only
going to get harder day after day as people continue to cling to false
hope that the x86 platform may ever be brought under their control.  The
simple fact is, the purchaser of an x86 machine is not Intel or AMD's
customer, nor are the ODMs.  Their primary customers, in an odd sort of
way, are actually the software vendors that require x86 for their
existing applications, and they are the ones that will call the shots on
features or antifeatures in the x86 walled garden.

I wonder, though, given this information, whether Raptor and
Purism might have some common business ground here?  Purism has
experience with laptop mechanicals and related concerns, and we have
experience with truly blob-free, powerful hardware -- combining those
two could yield an interesting machine...

On 12/19/2017 02:41 PM, Youness Alaoui wrote:
> On Tue, Dec 19, 2017 at 2:07 PM, Timothy Pearson
>  wrote:
> On 12/19/2017 11:51 AM, Dame Más wrote:
 I finished the University and I have free time to do things. And this
 seems like an interesting project to which I dedicate many hours.

 The truth is that I read a lot these days. The work you do kakaroto is
 impressive.
 In general Purism is doing something big, and I spoke ahead of time.

 I saw that in the directory
 coreboot/3rdparty/blobs/mainboard/purism/
 there is no content, is that right?

 Thanks
> 
> The main question I have, and this is an honest question, is why Purism
> chose to use the x86 platform as a base for libre hardware, when it has
> been known for some time that said hardware could never be made fully
> blob-free?
> 
> There were (and are) other good ways to make a system that could be
> fully blob-free, for instance ARM, and given the engineering effort that
> is said to have been put into the Purism machines I wonder what we could
> have had if said effort had been put into an aarch64 system instead of
> an x86 system?
> 
>> That's a very good question and you're not the first one to ask it.
> 
>> I think it's a combination of quite a few things. First, the fact that
>> I don't think there were any realistically powerful/competing
>> ARM/PPC/risc systems available at the time (or if there were, the
>> price would have been too high to make it a "security focused laptop
>> for everyone"). The purpose of Purism is not to satisfy a niche
>> market, but rather to be something everyone will want whether or not
>> they care about the security like we do, but which would still provide
>> them with that security that they need. I think even now, you can't
>> have an ARM device that could compete with an i7 in terms of
>> performance.
> 
>> The second reason is that Todd (CEO) was in talks with Intel and was
>> unfortunately led to believe that they were open to release an
>> ME-less design CPU for his needs, it ended up not being the case.
> 
>> The last reason is because I think that through this discussion
>> (https://mail.coreboot.org/pipermail/coreboot/2014-August/078511.html)
>> Todd thought that it would be possible to get a binary blob free
>> coreboot/CPU with a few months of work. He didn't realize that it was
>> a much harder thing to achieve because the FSP takes a lot of time to
>> reverse engineer (remember, he thought he would have an ME-less CPU
>> from Intel), but from what I read in one of his answers, he had
>> already decided on x86 by the time he wrote that mail to the mailing

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Youness Alaoui
On Tue, Dec 19, 2017 at 2:07 PM, Timothy Pearson
 wrote:
>
> On 12/19/2017 11:51 AM, Dame Más wrote:
>> I finished the University and I have free time to do things. And this
>> seems like an interesting project to which I dedicate many hours.
>>
>> The truth is that I read a lot these days. The work you do kakaroto is
>> impressive.
>> In general Purism is doing something big, and I spoke ahead of time.
>>
>> I saw that in the directory
>> coreboot/3rdparty/blobs/mainboard/purism/
>> there is no content, is that right?
>>
>> Thanks
>
> The main question I have, and this is an honest question, is why Purism
> chose to use the x86 platform as a base for libre hardware, when it has
> been known for some time that said hardware could never be made fully
> blob-free?
>
> There were (and are) other good ways to make a system that could be
> fully blob-free, for instance ARM, and given the engineering effort that
> is said to have been put into the Purism machines I wonder what we could
> have had if said effort had been put into an aarch64 system instead of
> an x86 system?

That's a very good question and you're not the first one to ask it.

I think it's a combination of quite a few things. First, the fact that
I don't think there were any realistically powerful/competing
ARM/PPC/risc systems available at the time (or if there were, the
price would have been too high to make it a "security focused laptop
for everyone"). The purpose of Purism is not to satisfy a niche
market, but rather to be something everyone will want whether or not
they care about the security like we do, but which would still provide
them with that security that they need. I think even now, you can't
have an ARM device that could compete with an i7 in terms of
performance.

The second reason is that Todd (CEO) was in talks with Intel and was
unfortunately led to believe that they were open to release an
ME-less design CPU for his needs, it ended up not being the case.

The last reason is because I think that through this discussion
(https://mail.coreboot.org/pipermail/coreboot/2014-August/078511.html)
Todd thought that it would be possible to get a binary blob free
coreboot/CPU with a few months of work. He didn't realize that it was
a much harder thing to achieve because the FSP takes a lot of time to
reverse engineer (remember, he thought he would have an ME-less CPU
from Intel), but from what I read in one of his answers, he had
already decided on x86 by the time he wrote that mail to the mailing
list, so I'm not sure if it really answers your question.

I think those that provide non-x86 (or pre-2008 x86) machines are
already there to fill the blob-free need, and it's not healthy to just
compete with them. A good summary is that we want to "bring blob-free
to the hardware that people want", rather than "bring blob-free
hardware to the people who want it".

Finally, I'll paste you one of my explanations from an email I sent
here last May, which kind of summarizes it all (from
https://mail.coreboot.org/pipermail/coreboot/2017-May/084166.html)

"[...], You ask why Purism doesn't just create laptops using FX2 or ARM or
whatever... Well, because that's not what most people want, out there. If
you want a RYF laptop using old or underpowered hardware or non-x86
architectures, that's a problem that has already been solved, there are
various resellers of such devices. The idea here is not to "Use what we can
find to make RYF" but rather "Bring RYF to the hardware that people want".
What I believe Purism is trying to do is to create a modern laptop for
*everyone* with the extra value of security and privacy, and in the process
make FLOSS appealing to mainstream instead of letting it be confined in a
niche. I think everyone will be better off with tools to protect their
privacy/security without asking them to throw the baby with the bathwater
by requiring them to use hardware that does not interest them (otherwise,
if old or non-x86 architectures were so appealing, you would have seen that
become the norm rather than the exception)."

I hope that fully answers your question.

Thanks!
Youness.


>
> --
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Timothy Pearson

On 12/19/2017 11:51 AM, Dame Más wrote:
> I finished the University and I have free time to do things. And this
> seems like an interesting project to which I dedicate many hours.
> 
> The truth is that I read a lot these days. The work you do kakaroto is
> impressive.
> In general Purism is doing something big, and I spoke ahead of time.
> 
> I saw that in the directory
> coreboot/3rdparty/blobs/mainboard/purism/
> there is no content, is that right?
> 
> Thanks

The main question I have, and this is an honest question, is why Purism
chose to use the x86 platform as a base for libre hardware, when it has
been known for some time that said hardware could never be made fully
blob-free?

There were (and are) other good ways to make a system that could be
fully blob-free, for instance ARM, and given the engineering effort that
is said to have been put into the Purism machines I wonder what we could
have had if said effort had been put into an aarch64 system instead of
an x86 system?

--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Dame Más
I finished the University and I have free time to do things. And this seems
like an interesting project to which I dedicate many hours.

The truth is that I read a lot these days. The work you do kakaroto is
impressive.
In general Purism is doing something big, and I spoke ahead of time.

I saw that in the directory
coreboot/3rdparty/blobs/mainboard/purism/
there is no content, is that right?

Thanks

2017-12-19 14:41 GMT+01:00 Nico Huber :

> Hi,
>
> On 18.12.2017 10:07, Dame Más wrote:
>
>> Hello,
>> I understand.
>> I want to implement Coreboot for current 7th and 8th generation Intel
>> computers.
>>
>
> coreboot already works on 7th gen Intel (Kaby Lake). Not sure what 8th
> gen generally refers to. Kaby Lake Refresh might work as well, and
> Cannon Lake is worked on. No sign of Coffee Lake support, afaics.
>
> Though, all these newer Intel chips are only supported with coreboot's
> open-source infrastructure around a proprietary core, namely Intel FSP
> (firmware support package). You still have much more control over the
> boot process this way. But compared to a fully open-source coreboot
> it's much harder to support a new motherboard (after my first FSP port,
> I'd calculate at least 4 times the effort). And you have to trust
> Intel, ofc.
>
>> And if the Purism BIOS was opensource, I could work with it as a base.
>> However
>> I can not find the source code to work with it.
>>
>
> Purism used a most proprietary UEFI/BIOS on their first devices. They
> ship now (some?) devices with coreboot. But that's as described above,
> built around the proprietary FSP. So there is nothing to learn from
> their code (as of yet).
>
>> I like GNU/Linux and the opensource because among all we do it better, but
>> if the code is not liberated, I can not speak well of Purism.
>>
>
> They are working on it. Ask Youness if you can help him to reverse
> engineer FSP.
>
> I hope this answers your question. Sorry for all the noise here on the
> ML. Threads about "liberated" devices often get hijacked (especially if
> they are about Purism) to advocate some BS or lament about the ME
> (which is actually unrelated to coreboot).
>
> Nico
>

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-19 Thread Nico Huber

Hi,

On 18.12.2017 10:07, Dame Más wrote:
> Hello,
> I understand.
> I want to implement Coreboot for current 7th and 8th generation Intel
> computers.

coreboot already works on 7th gen Intel (Kaby Lake). Not sure what 8th
gen generally refers to. Kaby Lake Refresh might work as well, and
Cannon Lake is worked on. No sign of Coffee Lake support, afaics.

Though, all these newer Intel chips are only supported with coreboot's
open-source infrastructure around a proprietary core, namely Intel FSP
(firmware support package). You still have much more control over the
boot process this way. But compared to a fully open-source coreboot
it's much harder to support a new motherboard (after my first FSP port,
I'd calculate at least 4 times the effort). And you have to trust
Intel, ofc.

> And if the Purism BIOS was opensource, I could work with it as a base. However
> I can not find the source code to work with it.

Purism used a most proprietary UEFI/BIOS on their first devices. They
ship now (some?) devices with coreboot. But that's as described above,
built around the proprietary FSP. So there is nothing to learn from
their code (as of yet).

> I like GNU/Linux and the opensource because among all we do it better, but
> if the code is not liberated, I can not speak well of Purism.

They are working on it. Ask Youness if you can help him to reverse
engineer FSP.

I hope this answers your question. Sorry for all the noise here on the
ML. Threads about "liberated" devices often get hijacked (especially if
they are about Purism) to advocate some BS or lament about the ME
(which is actually unrelated to coreboot).

Nico


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-18 Thread Youness Alaoui
Hi Dame,

The coreboot on Purism machines is indeed open and available, and it
is all merged into upstream coreboot, so there is no specific
repository for it other than the coreboot repository (the code is in
src/mainboard/purism/ subdirectory).
Here is the build script we use to build coreboot for our machines,
from scratch : 
https://forums.puri.sm/t/building-coreboot-from-source-official-script/1264
I haven't updated the build script in a while, so it's actually
building from here : https://code.puri.sm/kakaroto/coreboot.git but
those commits were merged upstream and the upstream coreboot
repository is all you need now.
Note that to disable the ME, we need to use the '-S -e MFS' option to
me_cleaner (the script also uses my own repository for me_cleaner, but
my patches to me_cleaner were also merged upstream, so you can just
use the upstream repository for me_cleaner. See my pull request here :
https://github.com/corna/me_cleaner/pull/70) .
You can read more about the efforts to disable the ME and the need for
the -e option by reading my blog post here :
https://puri.sm/posts/deep-dive-into-intel-me-disablement/
You said you want to implement coreboot for some 7th and 8th
generation Intel computers. Then you'd probably also be interested in
the blog posts I wrote about the porting experience. You can find all
my posts on the right sidebar of our coreboot timeline page here :
https://puri.sm/coreboot/timeline/
If you still have any questions, feel free to ask.

As for Taiidan's response, I think Matt's response to it is pretty
good already, and I'm tired of seeing Taiidan jumping at the chance to
talk against Purism every chance he gets, but I won't rant about that
today, I will only add this to the discussion :
* The original question was on whether our coreboot port was available
or not because the OP wanted to know how we disable the ME, you
completely missed the question and decided to give advice on what
device to buy instead...
* You seem to think that the purism laptops are selling at a premium
because it comes with coreboot? I'm pretty sure that the Cost/MSRP
margin is the same or lower than from other laptop manufacturers, the
"premium" you'd pay is because of the low volume of machines we are
making, Dell/Lenovo can of course sell for lower prices because they
get economy of scale, which we don't. It's not because we are
increasing our revenue and using coreboot as an excuse to do it.
* You said "they are charging for a whitebox re-brand.", that's
actually a completely false statement, the motherboard is our own and
it is designed to avoid having any firmware-based hardware so a
binary-blob-free linux distribution can run on it. It is not a
whitebox re-brand. If it was a whitebox re-brand, then yeah, we'd be
selling for a lot lower price considering we'd be able to also take
advantage of the economies of scale.
* You are encouraging the purchase of lenovo machines, but as far as I
know, lenovo is not actively working on reverse engineering the FSP.
Also, the only reason that Lenovo can have a libreboot running on it
is because the community did the port, not because the company itself
is working towards freeing it or investing anything to provide more
freedom to users. So yeah, sure, you could say "don't pay a 30$
premium for coreboot, buy a lenovo and do the port yourself" (assuming
you know how to do the port, or you buy one that is already ported) ,
but you might as well say "don't pay a 30$ premium for coreboot, buy a
lenovo, do the port yourself, then reverse engineer the FSP yourself
while you're at it" and it would be more accurate. And that's of
course ignoring the question of the hardware kill switches, the fact
that you can't compare a 200$ refurbished laptop from 6 years ago with
a higher priced laptop from today, or that lenovo won't answer you if
you ask tech support questions on coreboot or linux, etc...
* We worked on disabling the ME on the purism laptops. Yes, the lion's
share of the work was done by others (Corna for me_cleaner and
Positive Technologies for the HAP bit), but not only did it require a
significant amount of work from our side as well, to test, validate
and package the ME disablement work (see above blog post link), but we
are the first manufacturer to offer it standard and without us doing
it, it could be argued whether or not this differentiation would have
convinced System76 and Dell to also pursue offering machines with the
ME disabled. So, encouraging those who are trying to pioneer the work
might actually help the entire community. Do you think it might
convince Intel to offer ME-less designs if they see half the
manufacturers starting to ship unofficially-disabled ME machines ?
Maybe, maybe not, but at least someone is trying to move things along
instead of only complaining about the status of things.

I could go on, but I think that's enough.

Hopefully, this helps clarify the situation.

Thanks,
Youness.

On Mon, Dec 18, 2017 at 4:07 AM, Dame Más 
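As an added illustration of what the "soft disable" behind me_cleaner's `-S` option actually touches (this is example code written for this page, not me_cleaner's source and not Purism's build script): the HAP bit lives in the PCH strap area of the flash descriptor, not inside the ME firmware, which is why the descriptor region has to be writable for this to work. The script below builds a small constructed flash image, walks the descriptor to find the ME region, checks that it starts with a `$FPT` partition table, and reads or sets the HAP bit (ME 11+, PCHSTRP0 bit 16) or the older AltMeDisable bit (ME 6-10, PCHSTRP10 bit 7). The offsets and bit positions are taken from the public flash-descriptor layout as implemented by me_cleaner and should be treated as assumptions to check against your own descriptor dump; the script does not remove any ME partitions, which is the other half of what me_cleaner does.

```python
"""
Constructed example (not me_cleaner or Purism code): parse an Intel Flash
Descriptor, locate the ME region and read/set the ME soft-disable strap bit.

Layout assumptions (public flash-descriptor format as used by me_cleaner;
verify against your own dump):
  * descriptor signature 0x0FF0A55A at image offset 0x10
  * FLMAP0 at 0x14: FRBA  (region table base) = ((FLMAP0 >> 16) & 0xFF) << 4
  * FLMAP1 at 0x18: FPSBA (PCH strap base)    = ((FLMAP1 >> 16) & 0xFF) << 4
  * FLREG2 (ME region) at FRBA + 8: base = (r & 0x7FFF) << 12,
    limit = (((r >> 16) & 0x7FFF) << 12) | 0xFFF
  * ME 11+ : HAP bit          = PCHSTRP0  bit 16 (dword at FPSBA)
  * ME 6-10: AltMeDisable bit = PCHSTRP10 bit 7  (dword at FPSBA + 0x28)
"""
import struct

DESC_SIG = 0x0FF0A55A
DESC_SIG_OFF = 0x10
FLMAP0_OFF = 0x14
FLMAP1_OFF = 0x18


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_descriptor(img):
    """Return (frba, fpsba, me_base, me_limit); raise if this is not a descriptor image."""
    if _u32(img, DESC_SIG_OFF) != DESC_SIG:
        raise ValueError("no flash descriptor signature at offset 0x10")
    frba = ((_u32(img, FLMAP0_OFF) >> 16) & 0xFF) << 4
    fpsba = ((_u32(img, FLMAP1_OFF) >> 16) & 0xFF) << 4
    flreg2 = _u32(img, frba + 8)
    me_base = (flreg2 & 0x7FFF) << 12
    me_limit = (((flreg2 >> 16) & 0x7FFF) << 12) | 0xFFF
    if me_base > me_limit:
        raise ValueError("ME region is not present (base > limit)")
    return frba, fpsba, me_base, me_limit


def me_has_fpt(img):
    """The ME region normally starts with a '$FPT' partition table (some images keep it at +0x10)."""
    _, _, base, _ = parse_descriptor(img)
    return img[base:base + 4] == b"$FPT" or img[base + 0x10:base + 0x14] == b"$FPT"


def _strap(fpsba, me11):
    # (offset of the strap dword, bit number) for the soft-disable bit
    return (fpsba, 16) if me11 else (fpsba + 0x28, 7)


def hap_bit_set(img, me11=True):
    """True if the soft-disable bit is already set in the descriptor."""
    _, fpsba, _, _ = parse_descriptor(img)
    off, bit = _strap(fpsba, me11)
    return bool(_u32(img, off) & (1 << bit))


def set_hap_bit(img, me11=True):
    """Return a copy of the image with the soft-disable bit set; nothing else is touched."""
    _, fpsba, _, _ = parse_descriptor(img)
    off, bit = _strap(fpsba, me11)
    out = bytearray(img)
    struct.pack_into("<I", out, off, _u32(out, off) | (1 << bit))
    return bytes(out)


def build_sample_image():
    """Constructed 64 KiB image: descriptor in the first 4 KiB, ME region right
    after it, strap bits all clear. Not a real firmware dump."""
    img = bytearray(0x10000)
    struct.pack_into("<I", img, DESC_SIG_OFF, DESC_SIG)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<I", img, FLMAP0_OFF, (frba >> 4) << 16)
    struct.pack_into("<I", img, FLMAP1_OFF, (fpsba >> 4) << 16)
    # FLREG0: descriptor region 0x0000-0x0FFF; FLREG2: ME region 0x1000-0xFFFF
    struct.pack_into("<I", img, frba + 0, 0)
    struct.pack_into("<I", img, frba + 8, (0xF << 16) | 1)
    img[0x1000:0x1004] = b"$FPT"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    _, _, base, limit = parse_descriptor(image)
    print("ME region: 0x%x-0x%x, $FPT present: %s" % (base, limit, me_has_fpt(image)))
    print("HAP set before:", hap_bit_set(image))
    print("HAP set after :", hap_bit_set(set_hap_bit(image)))
```

On a real dump you would feed the output of `flashrom -r` to `parse_descriptor` and `hap_bit_set` before and after running me_cleaner, which is a cheap way to confirm that the descriptor change was actually written; whether the platform is ME 11+ or older has to come from the ME version in the `$FPT` manifests, which this example takes as a parameter rather than detecting.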

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-18 Thread awokd via coreboot
On Mon, December 18, 2017 5:01 am, Matt DeVillier wrote:
> On Sun, Dec 17, 2017 at 6:58 PM, taii...@gmx.com  wrote:
>
>
>> On 12/17/2017 05:06 PM, Dame Más wrote:
>>
>>
>> Hi,
>>
>>> The Coreboot BIOS of Purism 13 is open?
>>>
>>>
>> No it isn't, while they do use coreboot the silicon init process is
>> entirely blobbed.
>>
>> Technical merits - is it better than an off the shelf dell laptop? Of
>> course, but not better enough to justify even a $30 premium let alone
>> the thousands they are charging for a whitebox re-brand. It removes the
>> brander (ex: dell) from the firmware trust equation but intel still
>> remains and so does ME.
>>
>
> That's a pretty absurd exaggeration.  Purism laptops certainly sell at a
> premium relative to a Dell (eg) with similar CPU/RAM/SSD, but they don't
> sell anywhere near the same volume, so their costs are higher.  They also
>  feature hardware kill switches for wifi/BT and mic/webcam, ship with a
> blob-free Debian-based distro, and use coreboot with a disable/neutered
> ME.  Whether or not you consider those qualities, and supporting a
> startup working towards increasing owner control on modern hardware, to
> justify the price premium is certainly a valid point of discussion.

Purism admits they aren't fully free on
https://puri.sm/learn/freedom-roadmap/. One can debate whether they are
ever going to be able to accomplish their end goal while supporting
proprietary systems like Intel ME/AMD PSP with purchases of their new CPUs
etc. They are competing for some of the same market segment of people who
don't want to get owned by the Intel ME vulnerability of the week, but
can't compete with 100% user controlled options for those who require a
fully open platform. Overall, I think they are a net positive. It's
doubtful Dell would have started offering ME cleaned laptops without
Purism's commercial lead. It would be nice if the dollars ended up going
to reward hardware manufacturers working to open the platform instead of
closing it, though. My personal purchases will be.


Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-18 Thread Dame Más
Hello,
I understand.
I want to implement Coreboot for current 7th and 8th generation Intel
computers.
And if the Purism BIOS were open source, I could work with it as a base. However,
I cannot find the source code to work with it.
I like GNU/Linux and open source because, among all of us, we do it better, but
if the code is not liberated, I cannot speak well of Purism.

2017-12-18 6:01 GMT+01:00 Matt DeVillier :

> On Sun, Dec 17, 2017 at 6:58 PM, taii...@gmx.com  wrote:
>
>> On 12/17/2017 05:06 PM, Dame Más wrote:
>>
>> Hi,
>>> The Coreboot BIOS of Purism 13 is open?
>>>
>> No it isn't, while they do use coreboot the silicon init process is
>> entirely blobbed.
>>
>> Technical merits - is it better than an off the shelf dell laptop? Of
>> course, but not better enough to justify even a $30 premium let alone the
>> thousands they are charging for a whitebox re-brand.
>> It removes the brander (ex: dell) from the firmware trust equation but
>> intel still remains and so does ME.
>>
>
> That's a pretty absurd exaggeration.  Purism laptops certainly sell at a
> premium relative to a Dell (eg) with similar CPU/RAM/SSD, but they don't
> sell anywhere near the same volume, so their costs are higher.  They also
> feature hardware kill switches for wifi/BT and mic/webcam, ship with a
> blob-free Debian-based distro, and use coreboot with a disable/neutered
> ME.  Whether or not you consider those qualities, and supporting a startup
> working towards increasing owner control on modern hardware, to justify the
> price premium is certainly a valid point of discussion.
>
>
>>
>> If I was you I would purchase a different coreboot compatible laptop then
>> compile and install coreboot while running me_cleaner yourself - this will
>> provide a better result for a lot less money as these following laptops
>> feature open source silicon init and in the case of the intel models are
>> pre-skylake so more of ME can be "cleaned".
>
>
>> One of these laptops is $200 max for one in good condition, vs thousands
>> for a Purism 13 - with the cash you save you can also buy a KCMA-D8 gaming
>> computer for libre gaming in a VM or otherwise.
>
>
> "better" certainly depends on how one ranks the various qualities of a
> given device. If owner control trumps all other considerations,
> then certainly there are "better" options, but you're not going to find
> anything for $200 that is anywhere close in terms of weight, battery life,
> screen quality, or using a modern SoC -- that's the tradeoff, and again
> something that's worth discussion, but framing it in the context of paying
> "thousands" for a Purism device vs $200 for something of equal/better
> capability is dishonest and does a disservice to the entire community IMO.
>

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-17 Thread Matt DeVillier
On Sun, Dec 17, 2017 at 6:58 PM, taii...@gmx.com  wrote:

> On 12/17/2017 05:06 PM, Dame Más wrote:
>
> Hi,
>> The Coreboot BIOS of Purism 13 is open?
>>
> No it isn't, while they do use coreboot the silicon init process is
> entirely blobbed.
>
> Technical merits - is it better than an off the shelf dell laptop? Of
> course, but not better enough to justify even a $30 premium let alone the
> thousands they are charging for a whitebox re-brand.
> It removes the brander (ex: dell) from the firmware trust equation but
> intel still remains and so does ME.
>

That's a pretty absurd exaggeration.  Purism laptops certainly sell at a
premium relative to a Dell (eg) with similar CPU/RAM/SSD, but they don't
sell anywhere near the same volume, so their costs are higher.  They also
feature hardware kill switches for wifi/BT and mic/webcam, ship with a
blob-free Debian-based distro, and use coreboot with a disable/neutered
ME.  Whether or not you consider those qualities, and supporting a startup
working towards increasing owner control on modern hardware, to justify the
price premium is certainly a valid point of discussion.


>
> If I was you I would purchase a different coreboot compatible laptop then
> compile and install coreboot while running me_cleaner yourself - this will
> provide a better result for a lot less money as these following laptops
> feature open source silicon init and in the case of the intel models are
> pre-skylake so more of ME can be "cleaned".


> One of these laptops is $200 max for one in good condition, vs thousands
> for a Purism 13 - with the cash you save you can also buy a KCMA-D8 gaming
> computer for libre gaming in a VM or otherwise.


"better" certainly depends on how one ranks the various qualities of a
given device. If owner control trumps all other considerations,
then certainly there are "better" options, but you're not going to find
anything for $200 that is anywhere close in terms of weight, battery life,
screen quality, or using a modern SoC -- that's the tradeoff, and again
something that's worth discussion, but framing it in the context of paying
"thousands" for a Purism device vs $200 for something of equal/better
capability is dishonest and does a disservice to the entire community IMO.

Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-17 Thread taii...@gmx.com

On 12/17/2017 09:01 PM, szbn...@gmail.com wrote:

> hi there! :)

Hi :D

> sooo my understanding says that libreboot is a deblobbed coreboot,

Yes - plus the different politics.

> you say that those machines you mentioned above are 100% owner
> controlled, however I only know Lenovo T400 is good for libreboot from
> that list. Is this about a misinterpretation of your words, or what?

Yeah it is :[

I included the T420/X230 as they have a few features the G505S lacks 
that he might need - while they are still more free than a purism they 
have ME so they aren't owner controlled.
I wouldn't consider the T400 owner controlled either, although it is 
closer than the T420 etc.; while it boots without an ME kernel I still 
dislike the presence of ME and the non-free EC (someone is 
working on a free software replacement for the G505S EC).


All of these below devices have libre firmware besides the G505S which 
currently requires a blob for video and power management, but it is 
still owner controlled due to the absence of hardware code signing 
enforcement.


Owner controlled devices:
Laptops:
Lenovo G505S - average laptop performance
Novena - ARM - slow :[

Workstations/Servers:
KCMA-D8 - medium
KGPE-D16 - high-medium

Ultra High Performance Servers/Workstations:
TALOS 2 (POWER9) - uber fast and a much better price than intel/amd's 
new high end server stuff.

TYAN Palmetto (POWER 8) - fast
IBM Firestone (POWER 8) - very fast

POWER 9 is true computing excellence - owner controlled from top to 
bottom and performance significantly better than x86-64.

> My best image about this is that coreboot is owner controlled but not
> deblobbed, however the possibility is fully opened - is this right? If
> yes, then what parts are not deblobbed and how serious can they be? So
> what could I win/lose by letting go of the idea of aiming for a libreboot
> machine and choosing a coreboot machine instead? (Though I don't know when
> I will have enough money for that purpose.)

Some coreboot boards are owner controlled some aren't, and there are 
varying amounts of blobs.
If one builds for instance the KCMA-D8 with coreboot you have the same 
result as libre-boot as it doesn't need firmware-blobs to run unless you 
use a 43xx CPU which needs a microcode update for security reasons.


You can get a Lenovo G505S for $200, or you can build a KCMA-D8 libre 
gaming PC for $500-1000

> Another question is that I've read about the background of the whole
> hacking game, maybe here, maybe elsewhere, but most likely from mixed
> origins... :D So my understanding says that there is a bunch of
> encryption keys that are unremovable (except by Intel), maybe based on
> something like, in that case (complete overwrite of everything included
> on the IC that contains the Intel ME), there is something else that
> will miss the original keys. (I'd appreciate a cleaner vision about
> this part, for better understanding, but it's not the main question.) So
> this encryption key is only validating something like headers or
> entrance points to the parts of the Intel ME but not the contents/body
> of them. The best that core-/libreboot can achieve is to override the
> body parts, and we can say then the whole became whitebox and well
> known, or is there a next level after the achieved access to entirely
> remove it?

ME brings up the main CPU on a modern intel platform, no ME no computer.
The ME core validates the ME kernel and on newer systems parts of the ME 
software, ME cleaner removes the parts that aren't validated.


It is de-facto impossible to remove/disable ME for a variety of reasons 
and any effort to do so is wasted and better spent on archs that can 
have owner controlled devices such as POWER and ARM.

> I don't even know how flashing goes on in practice nor in theory, just
> trying to figure out things around... Does it work like total
> copy/write access with the chance of wrecking things around on the
> other hand, or is it controlling/limiting its own access, and then one
> should come over it somehow? Where me_cleaner works, 100% replacing
> could be achieved, just no one implemented core-/libreboot yet for the
> other machines in the range of a specific range of Intel ME versions?

I am not really sure what you mean due to the language barrier.

> So many thanks for any kind of help and all the best for everyone around here!

Yeah feel free to ask any questions :]




Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-17 Thread szbn...@gmail.com
hi there! :)


I'm just learning these, I've got no personal experience, just some
knowledge about stuff around these areas, so I can be wrong.
First I found a pic about an Intel folk who talks about the Intel ME
and its evilness, so I started to dig deeper, then I found RMS's
homepage, who wrote about libreboot (iirc), continued the learning
there and arrived here...


Sooo my understanding says that libreboot is a deblobbed coreboot, and
you say that those machines you mentioned above are 100% owner
controlled, however I only know Lenovo T400 is good for libreboot from
that list. Is this about a misinterpretation of your words, or what?
My best image about this is that coreboot is owner controlled but not
deblobbed, however the possibility is fully opened - is this right? If
yes, then what parts are not deblobbed and how serious can they be? So
what could I win/lose by letting go of the idea of aiming for a libreboot
machine and choosing a coreboot machine instead? (Though I don't know when
I will have enough money for that purpose.)

Another question is that I've read about the background of the whole
hacking game, maybe here, maybe elsewhere, but most likely from mixed
origins... :D So my understanding says that there is a bunch of
encryption keys that are unremovable (except by Intel), maybe based on
something like, in that case (complete overwrite of everything included
on the IC that contains the Intel ME), there is something else that
will miss the original keys. (I'd appreciate a cleaner vision about
this part, for better understanding, but it's not the main question.) So
this encryption key is only validating something like headers or
entrance points to the parts of the Intel ME but not the contents/body
of them. The best that core-/libreboot can achieve is to override the
body parts, and we can say then the whole became whitebox and well
known, or is there a next level after the achieved access to entirely
remove it?

I don't even know how flashing goes on in practice nor in theory, just
trying to figure out things around... Does it work like total
copy/write access with the chance of wrecking things around on the
other hand, or is it controlling/limiting its own access, and then one
should come over it somehow? Where me_cleaner works, 100% replacing
could be achieved, just no one implemented core-/libreboot yet for the
other machines in the range of a specific range of Intel ME versions?


And as these are the most mystical parts in my understanding, I can't
thank you enough if you or anyone around can make these clear for me!
However I hope that one day I'll be able to join you under this bright
flag of freedom and give more help than spreading the word around :)


So many thanks for any kind of help and all the best for everyone around here!



Re: [coreboot] Coreboot Purism BIOS is free? open?

2017-12-17 Thread taii...@gmx.com

On 12/17/2017 05:06 PM, Dame Más wrote:

> Hi,
> The Coreboot BIOS of Purism 13 is open?

No it isn't, while they do use coreboot the silicon init process is 
entirely blobbed.


Technical merits - is it better than an off the shelf dell laptop? Of 
course, but not better enough to justify even a $30 premium let alone 
the thousands they are charging for a whitebox re-brand.
It removes the brander (ex: dell) from the firmware trust equation but 
intel still remains and so does ME.


If I was you I would purchase a different coreboot compatible laptop 
then compile and install coreboot while running me_cleaner yourself - 
this will provide a better result for a lot less money as these 
following laptops feature open source silicon init and in the case of 
the intel models are pre-skylake so more of ME can be "cleaned".


One of these laptops is $200 max for one in good condition, vs thousands 
for a Purism 13 - with the cash you save you can also buy a KCMA-D8 
gaming computer for libre gaming in a VM or otherwise.


My laptop recs:
Lenovo G505S (best choice) - no ME/PSP + open source silicon init

Lenovo T420 (performance) - ME cleanable + open source silicon init - 
Can play new games via an ExpressCard EGPU

Lenovo X230 (mobility) - ME cleanable + open source silicon init
The T420 supports the better ivy bridge CPU's via coreboot, installing 
coreboot also removes the silly thinkpad wi-fi whitelist.

If you get the X230 you may wish to install the better x220 keyboard mod.

I still don't understand as to why purism didn't simply use the AMD FT3 
like the G505S, when they released their first laptop it was brand new 
and very fast...now it is not as fast as skylake but still more than 
good enough to be useful and definitely better than "free someday in the 
future" wintel.


I don't include the novena on this list due to it not having an IOMMU, 
although it does have open source firmware.


My desktop rec:
KCMA-D8 (entirely libre, no ME/PSP, can play the latest games at high 
settings in a VM with a 4386 CPU and a VM attached graphics card)

> Where can I download the source code to understand how the Intel
> ME is disabled?
> Thank you

They use a software called me_cleaner (not made by them) to "clean" the 
ME blob, it is available in the coreboot tree and the v4.6 tarball and 
can be run on almost any laptop that doesn't have the boot guard 
anti-feature[1] no matter if it supports coreboot or not.


It is impossible to disable ME/PSP[2], Intel/AMD intentionally made them 
integral to the boot process, they even bring up the main CPU - even 
google was not able to convince them to open source ME and/or 
provide a method to truly disable it.


On purisms laptops the ME kernel is still running and it still inits the 
main CPU pre-BIOS, if it was disabled one could not only remove the full 
ME blob from the firmware but also physically disconnect the ME core - 
neither of which one can do on any modern intel platform.


There are many companies that sell legitimately owner controlled 
hardware so it can be done just not with brand new x86-64 - let us hope 
purism uses the proceeds from their not-really-libre laptops to produce 
something worthwhile.



[1] An anti-feature is something that negatively benefits you, in this 
case "boot guard" takes away the ability to modify your firmware making 
a modern intel platform controlled 100% by intel and 0% by you vs an 
intel system from 10 years ago that was 100% you, an IBM POWER 9 system 
(ex: TALOS 2) which is 100% owner controlled by you or an AMD system 
pre-PSP (around pre-2013) which is 100% you.


[2] AMD has PSP on their new stuff which is equivalent to ME and just as 
terrible



[coreboot] Coreboot Purism BIOS is free? open?

2017-12-17 Thread Dame Más
Hi,
The Coreboot BIOS of Purism 13 is open?

Where can I download the source code to understand how the Intel
ME is disabled?
Thank you