Chris, you're missing the point about libreboot entirely. Without it, there
would be *zero* viable options for systems that respect the users' freedom.
You're also dismissing the hard work that we put into the libreboot project,
every day. We've done more than your company has done, in the last 2 years,
compared to your company's entire ~6 years of existence.

About the "promotion of Lenovo" argument that ThinkPenguin puts out; this is
spin. We're not promoting Lenovo. We're providing free boot firmware. It
makes no difference which laptop we use.

Once again, I call slander on your comment that the libreboot project is
somehow undermining other efforts, or taking money away from them. That's not
what we do in the libreboot project. What ThinkPenguin is doing here is
spreading what's called "FUD" - fear, uncertainty, and doubt. They are doing
this, in order to confuse people and steer them away from the Libreboot
project.

There's something that the community should know about ThinkPenguin. They've
now motivated me to tell the story.

Chris,

Regarding point 1 that you made: I did indeed "play games with you" and
"refuse to cooperate", because you were actively opposing me and I thought
you were hypocrites. Here's the full story. When Gluglug started (company
that sells libreboot preinstalled laptops), libreboot was also founded. The
idea was (and still is) to provide users with computers that respected their
freedom, including at the BIOS level. ThinkPenguin was unhappy with this,
criticizing it at every turn because they felt that it was a bad idea to
"promote Lenovo" and that "x86 was a dead end". They had been trying to steer
people away from it, because they were worried about not being able to
continue selling their so-called "free" systems which actually had a non-free
BIOS. What did they then try to do? They wanted to *sell the Libreboot X200*
before Gluglug did, and get RYF before Gluglug did, to drive them out of
business. Gluglug was (and still is, now as Minifree Ltd) what funded the
Libreboot project. But worse than that, it was hypocritical of ThinkPenguin
to want to sell these laptops, given everything that they had said in the
past.

Some background:

I had been working with Steve Shenton, a British software developer who had
heard of the libreboot project several months before then. He wanted to port
the ThinkPad X200 to libreboot. Back then, it had coreboot support and could
be run blob-free, except for the Intel Management Engine. See
http://libreboot.org/faq/#intelme - older generations of Intel hardware can
have the Management Engine firmware removed, where the Management Engine
itself is permanently deactivated, and still work without any issues. The
Management Engine was the only obstacle preventing that laptop from being
added to libreboot. At that time, the newest laptops supported in libreboot
were the ThinkPad X60, T60 and MacBook2,1 (all using the same 2006-era
hardware: ICH7 southbridge, i945 northbridge, etc).

I worked with Steve (sgsit on freenode IRC) for months on solving the ME
issue. It wasn't as simple as just removing the ME firmware and then flashing
that, there were also other changes that you needed to make. Initially, he
found out how to disable it in hardware, by soldering a pin on the
motherboard called "GPIO33" to ground, but this also meant that the user had
to actually solder. We both decided that this was unacceptable. We wanted a
software method instead, and that's what he found. He spent weeks reverse
engineering Intel's proprietary utils for manipulating what's called a "flash
descriptor", trying to find what's called a "soft strap" that could be used
to disable the ME firmware.

On those (and newer) Intel systems, the flash chip is divided into regions.
On the X200 (without libreboot), these regions are: Descriptor (4KiB),
Management Engine / ME (2008KiB or 6100KiB), GbE (8KiB), platform data
(32KiB), BIOS (2MiB). These regions are defined in the descriptor, which the
hardware uses when booting the machine.

He wrote a proof of concept utility, called ich9deblob, that did the
following:

* Set bits in the descriptor, called "soft straps", which he found through
  reverse engineering, that disable the ME and TPM.
* Disabled (removed) the ME and Platform Data regions, leaving only:
  Descriptor, GbE and BIOS.
* Modified the descriptor so that it defined a GbE region just after the
  descriptor, and the BIOS region to fill the rest of the space

The GbE region is non-copyrightable non-executable data for the onboard Intel
ethernet chipset, for networking. It contains everything, including MAC
address.

It sounds simple from the above summary, but it was weeks of solid work just
to find out how to do that, and to come up with a proof of concept, which
wasn't even very usable at the time. While this was in progress, I read the
same datasheets that Steve had access to, and learned everything from him.
Based on his proof of concept, I then spent *2 months* modifying the
ich9deblob utility. The first major thing that I did was reverse engineer the
format of the GbE region, writing code for ich9deblob that could generate it
from scratch.

At the time, in order to do this, you needed a dump of the original
Lenovo/Phoenix BIOS, from which ich9deblob would extract the descriptor, make the
required modifications and then extract the GbE region, and create a 12KiB
Descriptor+GbE file, which you then inserted into a coreboot ROM image for
the X200 and then flash. At that point, you had a laptop where the ME was
entirely disabled, and not present at all. I should mention, that Steve made
this possible, and this was the first time that anyone had done such a thing.

However, ich9deblob in its form back then was unsuitable if we wanted RYF
endorsement, because the descriptor+GbE image that it generated was still a
"blob". However, the formats of the descriptor and GbE regions were both
documented in datasheets.

Based on Steve's work, I spent *2 months* working flat out, on the following
modifications:

* reverse engineered the format of the GbE region, based on datasheets
* polished ich9deblob, made it easier to use, added the ability to change the
  MAC address
* wrote a new util, from scratch, based on ich9deblob, called "ich9gen",
  which could generate a fully libre descriptor+GbE file from scratch, without
  an original firmware dump.

With the Descriptor and GbE fully reverse engineered, and with libreboot
flashed in the BIOS region, we then had a fully free system, upon which we
could install an ath9k wireless chipset and fully free GNU/Linux distribution
(such as Trisquel). The X200 was ready for FSF endorsement at that point.

During those 2 months, I also worked every hour of every day integrating all
of this into libreboot. This included documentation, integrating ich9gen,
testing, bug fixing, and more. I worked almost every hour of every day,
without breaks. I even worked on Christmas Day. Check the libreboot git logs
from around December 2014 and January 2015, and you'll see.

Chris and Bob are both incompetent when it comes to firmware development, and
would not have been able to contribute anything substantial to libreboot. Not
only that, but they were (still are) overly hostile towards the libreboot
project and the company that I had at the time (and still have, under a new
name) which funds the project. I saw it as hypocritical that ThinkPenguin
wanted to take the hard work of me and Steve, then profit from it without
giving anything back in return, at least not code wise. Chris did email me to
offer "donations" to the libreboot project, but this would have been very
little and not enough to sustain the project. I actually saw that as an even
bigger insult. It's like, they want to break your leg, and then offer help to
fix it for you.

No! I refuse to have masters. ThinkPenguin will never control me. Basically,
it was the biggest insult ever, and I wasn't about to lay down idly and
accept what they (ThinkPenguin) were proposing, which meant going out of
business and living in poverty, working for almost nothing.

ThinkPenguin was (and still is) a threat to the libreboot project. This is
why, I withheld everything X200-related, instead developing it on my own (and
working twice as hard). At the time of this development work, I was also
working with the FSF for RYF endorsement. Certification was granted, and on
January 24, 2015 I made a surprise libreboot release for the X200. 4 days
later, I went for a product launch on Gluglug (now minifree.org). On January
29, 2015 the announcement was made public. This concluded the months of hard
work that me and Steve put into it. I offered to pay Steve for his work, but
he thanked me and declined. He did it just for fun, and because he wanted to
help the libreboot project.

ThinkPenguin got everything they deserved. They tried to put me out of
business, and tried to directly undermine the work of the libreboot project.
I fought back, and won. That's all, really.

Minifree (and its former incarnation, Gluglug) exists only to fund libreboot
development. I use it to pay for development work, infrastructure, research
and so on. It's getting to a point where the company is going to be able to
fund the very work that Chris has called for over the last few years but
hasn't done anything about (getting hardware actually manufactured). My work
on those ThinkPads is not long-term, and *will* come to an end. It's only a
stop gap, serving as a means towards an end. I don't care about Lenovo, at
all.
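
Added example, not part of the original post and not code from ich9deblob or ich9gen: a layout-level model of the flash map the post describes after deblobbing (4KiB Descriptor, 8KiB GbE directly after it, BIOS filling the rest, ME and Platform Data removed), with a check that the remaining regions cover the chip without gaps. The function names are hypothetical, and the register packing (4KiB block units, base in bits 12:0, limit in bits 28:16, base greater than limit for an absent region) is an assumption about the ICH9 descriptor format that the post itself does not state; the soft strap bits are not modelled because the post does not give them.

```c
#include <stdint.h>
#include <stdio.h>

#define KIB          1024u
#define BLOCK        (4 * KIB)     /* assumption: regions are addressed in 4KiB blocks */
#define FLREG_UNUSED 0x00001FFFu   /* assumption: base > limit marks a region as absent */

struct region { const char *name; uint32_t start, size; };  /* bytes; size 0 = removed */

/* Layout from the post, in address order: Descriptor, GbE, then BIOS to end of chip. */
static int deblobbed_layout(uint32_t rom_size, struct region out[5])
{
    if (rom_size % BLOCK != 0 || rom_size <= 12 * KIB) return -1;  /* no room for BIOS */
    out[0] = (struct region){ "Descriptor", 0, 4 * KIB };
    out[1] = (struct region){ "GbE", 4 * KIB, 8 * KIB };
    out[2] = (struct region){ "BIOS", 12 * KIB, rom_size - 12 * KIB };
    out[3] = (struct region){ "ME", 0, 0 };         /* removed */
    out[4] = (struct region){ "Platform", 0, 0 };   /* removed */
    return 0;
}

/* Pack one region as limit[28:16] | base[12:0], limit inclusive, both in blocks. */
static uint32_t flreg_encode(const struct region *r)
{
    if (r->size == 0) return FLREG_UNUSED;
    return (((r->start + r->size) / BLOCK - 1) << 16) | (r->start / BLOCK);
}

/* Present regions must be block-aligned, back to back, and cover the whole chip. */
static int layout_is_sound(const struct region r[5], uint32_t rom_size)
{
    uint32_t next = 0;
    for (int i = 0; i < 5; i++) {
        if (r[i].size == 0) continue;
        if (r[i].start != next || r[i].size % BLOCK != 0)
            return 0;
        next += r[i].size;
    }
    return next == rom_size;
}

int main(void)
{
    struct region r[5];
    if (deblobbed_layout(8192 * KIB, r) != 0 || !layout_is_sound(r, 8192 * KIB)) return 1;
    for (int i = 0; i < 5; i++)
        printf("%-10s FLREG=0x%08X\n", r[i].name, (unsigned)flreg_encode(&r[i]));
    return 0;
}
```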