1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
|
<?php
/*
Download page
Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
header('Content-type: text/html; charset=utf-8');
ob_start();
include_once "../common/variables.php";
include_once "../common/functions.php";
?>
<!DOCTYPE html>
<html>
<head>
<style type="text/css">
<?php echo miniCss(file_get_contents("../common/css/main.css")); ?>
</style>
<title>Answers to Frequently Asked Questions about libreboot</title>
</head>
<body>
<div id="pagetop">
<h1>Answers to Frequently Asked Questions about libreboot</h1>
<p>
Over time, there have been many questions asked about libreboot. We have to answer them every time,
so it makes sense to document them here instead. More questions and answers will be added here,
as time goes by. <a href="../">Back to home page</a>
</p>
<h2>Hardware compatibility</h2>
<ul class="cascade">
<li><a href="#compatibility">What systems are compatible with libreboot?</a></li>
<li><a href="#intel">When will modern Intel systems be supported?</a></li>
<li><a href="#librem">Will the Purism LibreM laptops be supported?</a></li>
<li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li>
<li><a href="#desktops">Will desktop/server hardware be supported?</a></li>
<li><a href="#randomhardware">Hi, I have <insert random system here>, is it supported?</a></li>
<li><a href="#arm">What about ARM?</a></li>
<li><a href="#amd">What about AMD?</a></li>
</ul>
<h2>General questions</h2>
<ul class="cascade">
<li><a href="#install">How do I install libreboot?</a></li>
<li><a href="#bootpassword">How do I set a boot password?</a></li>
<li><a href="#writeprotect">How do I write-protect the flash chip?</a></li>
<li><a href="#biossettings">How do I change the BIOS settings?</a></li>
<li><a href="#reinstallos">Do I need to re-flash when I re-install GNU/Linux?</a></li>
</ul>
<h2>Operating Systems</h2>
<ul class="cascade">
<li><a href="#gnulinux">Can I use GNU/Linux?</a> (yes, you can)</li>
<li><a href="#gnuhurd">Can I use GNU/Hurd?</a></li>
<li><a href="#bsd">Can I use BSD?</a></li>
<li><a href="#windows">Can I use Windows?</a></li>
<li><a href="#other">Are other operating systems compatible?</a></li>
</ul>
<h2></h2>
</div>
<div>
<h1>Hardware compatibility</h1>
<h2 id="compatibility">What systems are compatible with libreboot?</h2>
<p>
See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="intel">When will modern Intel systems be supported?</h2>
<p>
The probability is currently estimated to be below 1%, that any post-2008 Intel hardware will ever be supported in libreboot. The main issues are as follows:
</p>
<h3>Intel Management Engine (ME)</h3>
<p>
The most glaring issue on modern Intel hardware (beyond year ~2008) is
the <i>Management Engine</i>. This is a separate processor that exists in all Intel chipsets
past the year ~2006; some systems between those years can have the Management Engine firmware
removed (with the ME processor permanently deactivated), but not replaced (due to cryptographic signature checking on the firmware).
The management engine provides remote access capabilities, independently from the running operating system. It has full access to
your RAM, and it has full networking support. It also handles the TPM module, AMT (Active Management Technology), Boot Guard and
various DRM mechanisms. The ME also performs some basic hardware initialization and power management, on recent systems.
</p>
<p>
All modern Intel systems built after around the year 2008 (after ICH9) require this blob, and
will not boot without it (or will shut down after 30 minutes). Replacing it is impossible, unless you are Intel (only they have the private
key, necessary for signing the firmware). The Management Engine is covered on a lot of websites
(e.g. <a href="http://me.bios.io/Main_Page">me.bios.io</a>, <a href="http://io.smashthestack.org/me/">smashthestack.org</a>,
the <a href="http://www.coreboot.org/Intel_Management_Engine">coreboot wiki</a>, <a href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology">wikipedia</a>, <a href="https://www.fsf.org/blogs/community/active-management-technology">FSF blog</a>) and
a book titled <i><a href="https://www.apress.com/9781430265719">Platform Embedded Security Technology Revealed</a></i> (PESTR), published by Apress (ISBN 9781430265719).
</p>
<p>
The Management Engine processor is an <i>ARC</i> microcontroller. The firmware is based
on <a href="http://rtos.com/products/threadx/ARC">ThreadX RTOS</a>, which is an embedded operating system
designed specifically for those chips. Manufacturers (not just Intel) can pay for a (proprietary) license
providing access to the source code, but they are not allowed to share it with anyone. In other words, even
if Intel wanted to release the source code for this blob, they could not do so. Even if they did, the ME
firmware is cryptographically signed, where the signature is verified at boot time. If you try to use your own modified
version of the ME firmware, it will be rejected by the ARC processor and your system will not boot. In other words,
the ME firmware is <i>tivoized</i>.
</p>
<p>
The Management Engine is a giant backdoor, allowing full access to your entire system for malicious adversaries.
The libreboot project strongly recommends that you avoid it entirely, and this means avoiding the latest generation of Intel hardware.
</p>
<h3>CPU microcode updates</h3>
<p>
All modern x86 CPUs (from Intel and AMD) use what is called <i>microcode</i>. CPUs are extremely complex,
and difficult to get right, so the circuitry is designed in a very generic way, where only basic instructions
are handled in hardware. Most of the instruction set is implemented using microcode, which is low-level software
running inside the CPU that can specify how the circuitry is to be used, for each instruction. The built-in microcode
is part of the hardware, and read-only. Both the circuitry and the microcode can have bugs, which could cause reliability issues.
</p>
<p>
Microcode <i>updates</i> are proprietary blobs, uploaded to the CPU at boot time, which patches the built-in
microcode and disables buggy parts of the CPU to improve reliability. In the past, these updates were
handled by the operating system kernel, but on all recent systems it is the boot firmware that must perform this task.
Coreboot does distribute microcode updates for Intel and AMD CPUs, but libreboot cannot, because the whole point of libreboot
is to be 100% free software.
</p>
<p>
On some older Intel CPUs, it is possible to exclude the microcode updates and not have any reliability issues in practise.
All current libreboot systems work without microcode updates (otherwise, they wouldn't be supported in libreboot). However,
all modern Intel CPUs require the microcode updates, otherwise the system will not boot at all, or it will be extremely
unstable (memory corruption, for example).
</p>
<p>
Intel CPU microcode updates are <i>signed</i>, which means that you could not even run a modified version, even if
you had the source code. If you try to upload your own modified updates, the CPU will reject them.
</p>
<h3>Firmware Support Package (FSP)</h3>
<p>
On all recent Intel systems, coreboot support has revolved around integrating a blob (for each system) called
the <i>FSP</i> (firmware support package), which handles most of the hardware initialization, including
memory initialization. At present, it is believed that this can be replaced, but it will require a lot
of work on reverse engineering which will likely take many years. Intel distributes the FSP blob to
firmware developers (including coreboot).
</p>
<h3>Intel is uncooperative</h3>
<p>
For years, coreboot has been struggling against Intel. Intel has been shown to be extremely uncooperative in general.
Many coreboot developers, and companies, have tried to get Intel to cooperate; namely, releasing source code
for the firmware components. Even Google, which sells millions of <i>chromebooks</i> (coreboot pre-installed)
have been unable to persuade them.
</p>
<p>
Even when Intel does cooperate, they still don't provide source code. They might provide limited information
(datasheets) under strict corporate NDA (non-disclosure agreement), but even that is not guaranteed. Even ODMs and IBVs can't
get source code from Intel, in most cases (they will just integrate the blobs that Intel provides).
</p>
<p>
Recent Intel graphics chipsets also <a href="https://01.org/linuxgraphics/intel-linux-graphics-firmwares?langredirect=1">require firmware blobs</a>.
</p>
<p>
<b>Basically, all Intel hardware from year 2010 and beyond will never be supported by libreboot. The libreboot project
is actively ignoring all modern Intel hardware at this point, and focusing on alternative platforms.</b>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="librem">Will the Purism LibreM laptops be supported?</h2>
<p>
Probably not (it uses latest generation of Intel hardware - see <a href="#intel">#intel</a>). It would be nice
if libreboot could run on these laptops, but it's extremely unlikely
due to the fact that there are signed proprietary blobs that cannot be replaced
(Management Engine, mandatory CPU microcode updates).
Also, <a href="https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed">rumour has it</a> that not even coreboot has support
yet for these systems.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="thinkpads">Will the latest ThinkPad models be supported?</h2>
<p>
The latest ThinkPad generation supported in libreboot are the ones
using the GM45 (ICH9) chipsets, such as the ThinkPad X200 or T400.
See <a href="#intel">#intel</a>.
Newer Intel ThinkPads will probably never be supported in libreboot,
due to the fact that there are signed blobs that cannot be replaced
(e.g. Intel Management Engine). Newer Lenovo laptops are
also <a href="https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot">starting to use</a> the <a href="https://mjg59.dreamwidth.org/33981.html">Intel Boot Guard</a>, which specifically blocks the use of
firmware that has not been signed by the OEM.
</p>
<p>
Coreboot does have support for some more recent Lenovo laptops, but libreboot cannot support most of these.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="desktops">Will desktop/server hardware be supported?</h2>
<p>
A common issue with desktop hardware is the Video BIOS. Libreboot has to initialize the graphics chipset,
but most graphics cards lack a free Video BIOS for this purpose. Some desktop motherboards supported in
coreboot do have onboard graphics chipsets, but these also require a proprietary Video BIOS, in most cases.
</p>
<p>
There is the XGI Z9s PCI-E graphics card, documented under <i>Board Ports</i> in <a href="../docs/tasks.html">../docs/tasks.html</a>, which might be viable for you.
</p>
<p>
Although not desktop hardware (it's a server board), libreboot does support
the <a href="../docs/hcl/kfsn4-dre.html">ASUS KFSN4-DRE</a>, with more server hardware
support on the horizon, as outlined in <a href="../docs/tasks.html">../docs/tasks.html</a>.
These boards have onboard graphics chipsets for which free native graphics initialization code
does exist (as well as free initialization code for everything else in the boot firmware).
These systems can be used to build very high-powered workstations, though it will be quite a bit
bigger (physically) and more expensive than a standard desktop computer. However, it is the best
option currently available in libreboot for this purpose.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="randomhardware">Hi, I have <insert random system here>, is it supported?</h2>
<p>
Most likely not. First, you must consult coreboot's own hardware compatibility list
at <a href="http://www.coreboot.org/Supported_Motherboards">http://www.coreboot.org/Supported_Motherboards</a> and,
if it is supported, check whether it can run without any proprietary blobs in the ROM image. If it can: wonderful! Libreboot
can support it, and you can add support for it using the notes at <a href="../docs/maintain/index.html">../docs/maintain/index.html</a>.
If not, then you will need to figure out how to reverse engineer and replace (or remove) those blobs that do still exist, in such a way
where the system is still usable in some defined way.
</p>
<p>
For those systems where no coreboot support exists, you must first port it to coreboot and,
if it can then run without any blobs in the ROM image, it can be added to libreboot.
See: <a href="http://www.coreboot.org/Motherboard_Porting_Guide">Motherboard Porting Guide</a> (this is just the tip of the iceberg!)
</p>
<p>
Please note that board development should be done upstream (in coreboot) and merged downstream (into libreboot). This is
the correct way to do it, and it is how the libreboot project is coordinated so as to avoid too much forking of the
coreboot source code.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="arm">What about ARM?</h2>
<p>
TODO
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="amd">What about AMD?</h2>
<p>
Libreboot has support for some AMD platforms, with more on the horizon.
See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
</p>
<p>
More AMD-related information will be added to this page at a later date.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<div>
<h1>General questions</h1>
<h2 id="install">How do I install libreboot?</h2>
<p>
See <a href="../docs/install/index.html">../docs/install/index.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="bootpassword">How do I set a boot password?</h2>
<p>
If you are using the GRUB payload, you can add a username and password (salted, hashed)
to your GRUB configuration that resides inside the flash chip. The following guides (which
also cover full disk encryption, including the /boot/ directory) show how to set a boot password
in GRUB: <a href="../docs/gnulinux/encrypted_trisquel.html">../docs/gnulinux/encrypted_trisquel.html</a> and <a href="../docs/gnulinux/encrypted_parabola.html">../docs/gnulinux/encrypted_parabola.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="writeprotect">How do I write-protect the flash chip?</h2>
<p>
By default, there is no write-protection on a libreboot system. This is for usability reasons,
because most people do not have easy access to an external programmer for re-flashing their firmware,
or they find it inconvenient to use an external programmer.
</p>
<p>
On some systems, it is possible to write-protect the firmware, such that it is rendered read-only
at the OS level (external flashing is still possible, using dedicated hardware). For example, on
current GM45 laptops (e.g. ThinkPad X200, T400), you can write-protect (see <a href="../docs/hcl/gm45_remove_me.html#ich9gen">../docs/hcl/gm45_remove_me.html#ich9gen</a>).
Depending on your flash chip,
you can also write-protect the i945 laptops, such as the ThinkPad X60 or T60 (see <a href="../docs/security/x60_security.html">../docs/security/x60_security.html</a>)
and <a href="../docs/security/t60_security.html">../docs/security/t60_security.html</a> for links to a video explaining it).
</p>
<p>
It's possible to write-protect on all libreboot systems, but the instructions need to be written.
The documentation is in the main git repository, so you are welcome to submit patches adding these instructions.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="biossettings">How do I change the BIOS settings?</h2>
<p>
Libreboot actually uses the <a href="http://www.coreboot.org/GRUB2">GRUB payload</a>.
More information about payloads can be found at <a href="http://www.coreboot.org/Payloads">coreboot.org/Payloads</a>.
</p>
<p>
Libreboot inherits the modular payload concept from coreboot, which means that pre-OS bare-metal <i>BIOS setup</i> programmes
are not very practical. Coreboot (and libreboot) does include a utility called <i>nvramtool</i>, which can be used
to change some settings. You can find nvramtool under <i>coreboot/util/nvramtool/</i>, in the libreboot source archives.
</p>
<p>
The <i>-a</i> option in nvramtool will list the available options, and <i>-w</i> can be used to change them. Consult
the nvramtool documentation on the coreboot wiki for more information.
</p>
<p>
In practise, you don't need to change any of those settings, in most cases.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="reinstallos">Do I need to re-flash when I re-install GNU/Linux?</h2>
<p>
Not anymore. Recent versions of libreboot (using the GRUB payload) will automatically
switch to a GRUB configuration on the HDD or SSD, if it exists. You can also load a different
GRUB configuration, from any kind of device that is supported in GRUB (such as a USB flash drive). For more information,
see <a href="../docs/gnulinux/grub_cbfs.html">../docs/gnulinux/grub_cbfs.html</a>
</p>
</div>
<div>
<h1>Operating Systems</h1>
<h2 id="gnulinux">Can I use GNU/Linux?</h2>
<p>
Absolutely! GNU/Linux is well-tested in libreboot, and highly recommended.
See <a href="../docs/gnulinux/grub_boot_installer.html">installing GNU/Linux</a> and <a href="../docs/gnulinux/grub_cbfs.html">booting GNU/Linux</a>.
</p>
<p>
The <a href="https://fsf.org/">Free Software Foundation</a> maintains
a <a href="https://gnu.org/distros/free-distros.html">list of free GNU/Linux distributions</a>, certified
to distribute and endorse <a href="https://www.gnu.org/philosophy/free-sw.html">free software</a>, exclusively.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="gnuhurd">Can I use GNU/Hurd?</h2>
<p>
Unknown. Probably not. Feel free to try it, and report your findings.
</p>
<p>
<a href="https://www.gnu.org/software/hurd/hurd.html">GNU Hurd</a> is a microkernel developed by
the <a href="https://gnu.org/">GNU project</a>, and was (still is) intended to be the kernel for the
GNU operating system. For historical reasons, <a href="https://kernel.org/">Linux</a> became the primarily
adopted kernel (the libreboot project urges everyone to install and use <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">linux-libre</a> on their GNU systems),
and was adapted for use with the GNU system. This is <a href="https://www.gnu.org/gnu/why-gnu-linux.html">why</a> we
say <a href="https://www.gnu.org/gnu/linux-and-gnu.en.html">GNU/Linux</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="bsd">Can I use BSD?</h2>
<p>
Potentially. It may be possible to boot most BSD systems if you use
the <a href="http://coreboot.org/SeaBIOS">SeaBIOS</a> payload.
Most BSD systems seem to require a full Video BIOS implementation, which
libreboot lacks for the most part, so you won't have a visual display, but you
might be able to use an EHCI debug and/or serial console.
</p>
<p>
FreeBSD is rumoured to be somewhat compatible (with the GRUB payload, even), when booting with
text-mode graphics initialization, but you probably won't be able to use X11.
</p>
<p>
For the most part, BSD systems remain untested in libreboot.
BSD systems <a href="https://www.gnu.org/distros/common-distros.html">contain blobs</a>, so do beware.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="windows">Can I use Windows?</h2>
<p>
Windows is incompatible with libreboot, and will probably remain so. <a href="https://gnu.org/philosophy/malware-microsoft.html">Never use Windows</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="other">Are other operating systems compatible?</h2>
<p>
Unknown. Probably not.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<?php
include "../common/footer.php";
?>
</body>
</html>
<?php
$strHtml = ob_get_clean();
echo miniHtml($strHtml);
?>
|