summaryrefslogtreecommitdiffstats
path: root/site/faq/index.php
diff options
context:
space:
mode:
Diffstat (limited to 'site/faq/index.php')
-rw-r--r--site/faq/index.php417
1 files changed, 417 insertions, 0 deletions
diff --git a/site/faq/index.php b/site/faq/index.php
new file mode 100644
index 0000000..cb7cda5
--- /dev/null
+++ b/site/faq/index.php
@@ -0,0 +1,417 @@
+<?php
+/*
+ Download page
+ Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as
+ published by the Free Software Foundation, either version 3 of the
+ License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+ header('Content-type: text/html; charset=utf-8');
+ ob_start();
+ include_once "../common/variables.php";
+ include_once "../common/functions.php";
+?>
+<!DOCTYPE html>
+<html>
+<head>
+ <style type="text/css">
+ <?php echo miniCss(file_get_contents("../common/css/main.css")); ?>
+ </style>
+ <title>Answers to Freqently Asked Questions about libreboot</title>
+</head>
+
+<body>
+
+ <div id="pagetop">
+
+ <h1>Answers to Freqently Asked Questions about libreboot</h1>
+ <p>
+ Over time, there have been many questions asked about libreboot. We have to answer them every time,
+ so it makes sense to document them here instead. More questions and answers will be added here,
+ as time goes by. <a href="../">Back to home page</a>
+ </p>
+ <h2>Hardware compatibility</h2>
+ <ul class="cascade">
+ <li><a href="#compatibility">What systems are compatible with libreboot?</a></li>
+ <li><a href="#intel">When will modern Intel systems be supported?</a></li>
+ <li><a href="#librem">Will the Purism LibreM laptops be supported?</a></li>
+ <li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li>
+ <li><a href="#desktops">Will desktop/server hardware be supported?</a></li>
+ <li><a href="#randomhardware">Hi, I have &lt;insert random system here&gt;, is it supported?</a></li>
+ <li><a href="#arm">What about ARM?</a></li>
+ <li><a href="#amd">What about AMD?</a></li>
+ </ul>
+ <h2>General questions</h2>
+ <ul class="cascade">
+ <li><a href="#install">How do I install libreboot?</a></li>
+ <li><a href="#bootpassword">How do I set a boot password?</a></li>
+ <li><a href="#writeprotect">How do I write-protect the flash chip?</a></li>
+ <li><a href="#biossettings">How do I change the BIOS settings?</a></li>
+ <li><a href="#reinstallos">Do I need to re-flash when I re-install GNU/Linux?</a></li>
+ </ul>
+ <h2>Operating Systems</h2>
+ <ul class="cascade">
+ <li><a href="#gnulinux">Can I use GNU/Linux?</a> (yes, you can)</li>
+ <li><a href="#gnuhurd">Can I use GNU/Hurd?</a></li>
+ <li><a href="#bsd">Can I use BSD?</a></li>
+ <li><a href="#windows">Can I use Windows?</a></li>
+ <li><a href="#other">Are other operating systems compatible?</a></li>
+ </ul>
+ <h2></h2>
+ </div>
+
+ <div>
+ <h1>Hardware compatibility</h1>
+
+ <h2 id="compatibility">What systems are compatible with libreboot?</h2>
+ <p>
+ See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="intel">When will modern Intel systems be supported?</h2>
+ <p>
+ The probability is currently estimated to be below 1%, that any post-2008 Intel hardware will ever be supported in libreboot. The main issues are as follows:
+ </p>
+ <h3>Intel Management Engine (ME)</h3>
+ <p>
+ The most glaring issue on modern Intel hardware (beyond year ~2008) is
+ the <i>Management Engine</i>. This is a separate processor that exists in all Intel chipsets
+ past the year ~2006; some systems between those years can have the Management Engine firmware
+ removed (with the ME processor permanently deactivated), but not replaced (due to cryptographic signature checking on the firmware).
+ The management engine provides remote access capabilities, independently from the running operating system. It has full access to
+ your RAM, and it has full networking support. It also handles the TPM module, AMT (Active Management Technology), Boot Guard and
+ various DRM mechanisms. The ME also performs some basic hardware initialization and power management, on recent systems.
+ </p>
+ <p>
+ On all modern Intel systems built after around the year 2008 (after ICH9) require this blob, and
+ will not boot without it. Replacing it is impossible, unless you are Intel (only they have the private
+ key, necesarry for signing the firmware). The Management Engine is covered on lots of websites
+ (e.g. <a href="http://me.bios.io/Main_Page">me.bios.io</a>, <a href="http://io.smashthestack.org/me/">smashthestack.org</a>,
+ the <a href="http://www.coreboot.org/Intel_Management_Engine">coreboot wiki</a>, <a href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology">wikipedia</a>, <a href="https://www.fsf.org/blogs/community/active-management-technology">FSF blog</a>) and
+ a book titled <i><a href="https://www.apress.com/9781430265719">Platform Embedded Security Technology Revealed</a></i> (PESTR), published by Apress (ISBN 9781430265719).
+ </p>
+ <p>
+ The Management Engine processor is an <i>ARC</i> microcontroller. The firmware is based
+ on <a href="http://rtos.com/products/threadx/ARC">ThreadX RTOS</a>, which is an embedded operating system
+ designed specifically for those chips. Manufacturers (not just Intel) can pay for a (proprietary) license
+ providing access to the source code, but they are not allowed to share it with anyone. In other words, even
+ if Intel wanted to release the source code for this blob, they could not do so.
+ </p>
+ <p>
+ The Management Engine is a giant backdoor, allowing full access to your entire system for malicious adversaries.
+ </p>
+ <h3>CPU microcode updates</h3>
+ <p>
+ All modern x86 CPUs (from Intel and AMD) use what is called <i>microcode</i>. CPUs are extremely complex,
+ and difficult to get right, so the circuitry is designed in a very generic way, where only basic instructions
+ are handled in hardware. Most of the instruction set is implemented using microcode, which is low-level software
+ running inside the CPU that can specify how the circuitry is to be used, for each instruction. The built-in microcode
+ is part of the hardware, and read-only. Both the circuitry and the microcode can have bugs, which could cause reliability issues.
+ </p>
+ <p>
+ Microcode <i>updates</i> are proprietary blobs, uploaded to the CPU at boot time, which patches the built-in
+ microcode and disables buggy parts of the CPU to improve reliability. In the past, these updates were
+ handled by the operating system kernel, but on all recent systems it is the boot firmware that must perform this task.
+ Coreboot does distribute microcode updates for Intel and AMD CPUs, but libreboot cannot, because the whole point of libreboot
+ is to be 100% free software.
+ </p>
+ <p>
+ On some older Intel CPUs, it is possible to exclude the microcode updates and not have any reliability issues in practise.
+ All current libreboot systems work without microcode updates (otherwise, they wouldn't be supported in libreboot). However,
+ all modern Intel CPUs require the microcode updates, otherwise the system will not boot at all, or it will be extremely
+ unstable (memory corruption, for example).
+ </p>
+ <p>
+ Intel CPU microcode updates are <i>signed</i>, which means that you could not even run a modified version, even if
+ you had the source code. If you try to upload your own modified updates, the CPU will reject them.
+ </p>
+ <h3>Firmware Support Package (FSP)</h3>
+ <p>
+ On all recent Intel systems, coreboot support has revolved around integrating a blob (for each system) called
+ the <i>FSP</i> (firmware support package), which handles most of the hardware initialization, including
+ memory initialization. At present, it is believed that this can be replaced, but it will require a lot
+ of work on reverse engineering which will likely take many years. Intel distributes the FSP blob to
+ firmware developers (including coreboot).
+ </p>
+ <h3>Intel is uncooperative</h3>
+ <p>
+ For years, coreboot has been struggling against Intel. Intel has been shown to be extremely uncooperative in general.
+ Many coreboot developers, and companies, have tried to get Intel to cooperate; namely, releasing source code
+ for the firmware components. Even Google, which sells millions of <i>chromebooks</i> (coreboot pre-installed)
+ have been unable to persuade them.
+ </p>
+ <p>
+ Even when Intel does cooperate, they still don't provide source code. They might provide limited information
+ (datasheets) under strict corporate NDA (non-disclosure agreement), but even that is not guaranteed. Even ODMs and IBVs can't
+ get source code from Intel, in most cases (they will just integrate the blobs that Intel provides).
+ </p>
+ <p>
+ Recent Intel graphics chipsets also <a href="https://01.org/linuxgraphics/intel-linux-graphics-firmwares?langredirect=1">require firmware blobs</a>.
+ </p>
+ <p>
+ <b>Basically, all Intel hardware from year 2010 and beyond will never be supported by libreboot. The libreboot project
+ is actively ignoring all modern Intel hardware at this point, and focusing on alternative platforms.</b>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="librem">Will the Purism LibreM laptops be supported?</h2>
+ <p>
+ Probably not (it uses latest generation of Intel hardware - see <a href="#intel">#intel</a>). It would be nice
+ if libreboot could run on these laptops, but it's extremely unlikely
+ due to the fact that there are signed proprietary blobs that cannot be replaced
+ (Management Engine, mandatory CPU microcode updates).
+ Also, <a href="https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed">rumour has it</a> that not even coreboot has support
+ yet for these systems.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="thinkpads">Will the latest ThinkPad models be supported?</h2>
+ <p>
+ The latest ThinkPad generation supported in libreboot are the ones
+ using the GM45 (ICH9) chipsets, such as the ThinkPad X200 or T400.
+ See <a href="#intel">#intel</a>.
+ Newer Intel ThinkPads will probably never be supported in libreboot,
+ due to the fact that there are signed blobs that cannot be replaced
+ (e.g. Intel Management Engine). Newer Lenovo laptops are
+ also <a href="https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot">starting to use</a> the <a href="https://mjg59.dreamwidth.org/33981.html">Intel Boot Guard</a>, which specifically blocks the use of
+ firmware that has not been signed by the OEM.
+ </p>
+ <p>
+ Coreboot does have support for some more recent Lenovo laptops, but libreboot cannot support most of these.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="desktops">Will desktop/server hardware be supported?</h2>
+ <p>
+ A common issue with desktop hardware is the Video BIOS. Libreboot has to initialize the graphics chipset,
+ but most graphics cards lack a free Video BIOS for this purpose. Some desktop motherboards supported in
+ coreboot do have onboard graphics chipsets, but these also require a proprietary Video BIOS, in most cases.
+ </p>
+ <p>
+ There is the XGI Z9s PCI-E graphics card, documented under <i>Board Ports</i> in <a href="../docs/tasks.html">../docs/tasks.html</a>, which might be viable for you.
+ </p>
+ <p>
+ Although not desktop hardware (it's a server board), libreboot does support
+ the <a href="../docs/hcl/kfsn4-dre.html">ASUS KFSN4-DRE</a>, with more server hardware
+ support on the horizon, as outlined in <a href="../docs/tasks.html">../docs/tasks.html</a>.
+ These boards have onboard graphics chipsets for which free native graphics initialization code
+ does exist (as well as free initialization code for everything else in the boot firmware).
+ These systems can be used to build very high-powered workstations, though it will be quite a bit
+ bigger (physically) and more expensive than a standard desktop computer. However, it is the best
+ option currently available in libreboot for this purpose.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="randomhardware">Hi, I have &lt;insert random system here&gt;, is it supported?</h2>
+ <p>
+ Most likely not. First, you must consult coreboot's own hardware compatibility list
+ at <a href="http://www.coreboot.org/Supported_Motherboards">http://www.coreboot.org/Supported_Motherboards</a> and,
+ if it is supported, check whether it can run without any proprietary blobs in the ROM image. If it can: wonderful! Libreboot
+ can support it, and you can add support for it using the notes at <a href="../docs/maintain/index.html">../docs/maintain/index.html</a>.
+ If not, then you will need to figure out how to reverse engineer and replace (or remove) those blobs that do still exist, in such a way
+ where the system is still usable in some defined way.
+ </p>
+ <p>
+ For those systems where no coreboot support exists, you must first port it to coreboot and,
+ if it can then run without any blobs in the ROM image, it can be added to libreboot.
+ See: <a href="http://www.coreboot.org/Motherboard_Porting_Guide">Motherboard Porting Guide</a> (this is just the tip of the iceberg!)
+ </p>
+ <p>
+ Please note that board development should be done upstream (in coreboot) and merged download (into libreboot). This is
+ the correct way to do it, and it is how the libreboot project is coordinated so as to avoid too much forking of the
+ coreboot source code.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="arm">What about ARM?</h2>
+ <p>
+ TODO
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+ <h2 id="amd">What about AMD?</h2>
+ <p>
+ Libreboot has support for some AMD platforms, with more on the horizon.
+ See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
+ </p>
+ <p>
+ More AMD-related information will be added to this page at a later date.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+ </div>
+
+ <div>
+ <h1>General questions</h1>
+
+ <h2 id="install">How do I install libreboot?</h2>
+ <p>
+ See <a href="../docs/install/index.html">../docs/install/index.html</a>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="bootpassword">How do I set a boot password?</h2>
+ <p>
+ If you are using the GRUB payload, you can add a username and password (salted, hashed)
+ to your GRUB configuration that resides inside the flash chip. The following guides (which
+ also cover full disk encryption, including the /boot/ directory) show how to set a boot password
+ in GRUB: <a href="../docs/gnulinux/encrypted_trisquel.html">../docs/gnulinux/encrypted_trisquel.html</a> and <a href="../docs/gnulinux/encrypted_parabola.html">../docs/gnulinux/encrypted_parabola.html</a>
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="writeprotect">How do I write-protect the flash chip?</h2>
+ <p>
+ By default, there is no write-protection on a libreboot system. This is for usability reasons,
+ because most people do not have access to an external programmer for re-flashing their firmware.
+ </p>
+ <p>
+ On some systems, it is possible to write-protect the firmware, such that it is rendered read-only
+ at the OS level (external flashing is still possible, using dedicated hardware). For example, on
+ current GM45 laptops (e.g. ThinkPad X200, T400), you can write-protect (see <a href="../docs/hcl/gm45_remove_me.html#ich9gen">../docs/hcl/gm45_remove_me.html#ich9gen</a>).
+ Depending on your flash chip,
+ you can also write-protect the i945 laptops, such as the ThinkPad X60 or T60 (see <a href="../docs/security/x60_security.html">../docs/security/x60_security.html</a>)
+ and <a href="../docs/security/t60_security.html">../docs/security/t60_security.html</a> for links to a video explaining it).
+ </p>
+ <p>
+ It's possible to write-protect on all libreboot systems, but the instructions need to be written.
+ The documentation is in the main git repository, so you are welcome to submit patches adding these instructions.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+ <h2 id="biossettings">How do I change the BIOS settings?</h2>
+ <p>
+ Libreboot actually uses the <a href="http://www.coreboot.org/GRUB2">GRUB payload</a>.
+ More information about payloads can be found at <a href="http://www.coreboot.org/Payloads">coreboot.org/Payloads</a>.
+ </p>
+ <p>
+ Libreboot inherits the modular payload concept from coreboot, which means that pre-OS bare-metal <i>BIOS setup</i> programmes
+ are not very practical. Coreboot (and libreboot) does include a utility called <i>nvramtool</i>, which can be used
+ to change some settings. You can find nvramtool under <i>coreboot/util/nvramtool/</i>, in the libreboot source archives.
+ </p>
+ <p>
+ The <i>-a</i> option in nvramtool will list the available options, and <i>-w</i> can be used to change them. Consult
+ the nvramtool documentation on the coreboot wiki for more information.
+ </p>
+ <p>
+ In practise, you don't need to change any of those settings, in most cases.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+ <h2 id="reinstallos">Do I need to re-flash when I re-install GNU/Linux?</h2>
+ <p>
+ Not anymore. Recent versions of libreboot (using the GRUB payload) will automatically
+ switch to a GRUB configuration on the HDD or SSD, if it exists. For more information,
+ see <a href="../docs/gnulinux/grub_cbfs.html">../docs/gnulinux/grub_cbfs.html</a>
+ </p>
+ </div>
+
+ <div>
+ <h1>Operating Systems</h1>
+ <h2 id="gnulinux">Can I use GNU/Linux?</h2>
+ <p>
+ Absolutely! GNU/Linux is well-tested in libreboot, and highly recommended.
+ See <a href="../docs/gnulinux/grub_boot_installer.html">installing GNU/Linux</a> and <a href="../docs/gnulinux/grub_cbfs.html">booting GNU/Linux</a>.
+ </p>
+ <p>
+ The <a href="https://fsf.org/">Free Software Foundation</a> maintains
+ a <a href="https://gnu.org/distros/free-distros.html">list of free GNU/Linux distributions</a>, certified
+ to distribute and endorse <a href="https://www.gnu.org/philosophy/free-sw.html">free software</a>, exclusively.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="gnuhurd">Can I use GNU/Hurd?</h2>
+ <p>
+ Unknown. Probably not. Feel free to try it, and report your findings.
+ </p>
+ <p>
+ <a href="https://www.gnu.org/software/hurd/hurd.html">GNU Hurd</a> is the microkernel developed by
+ the <a href="https://gnu.org/">GNU project</a>, and was (still is) intended to be the kernel for the
+ GNU operating system. For historical reasons, <a href="https://kernel.org/">Linux</a> became the primarily
+ adopted kernel (the libreboot project urges everyone to install and use <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">linux-libre</a> on their GNU systems),
+ and was adapted for use with the GNU system. This is <a href="https://www.gnu.org/gnu/why-gnu-linux.html">why</a> we
+ say <a href="https://www.gnu.org/gnu/linux-and-gnu.en.html">GNU/Linux</a>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="bsd">Can I use BSD?</h2>
+ <p>
+ Potentially. It may be possible to boot most BSD systems if you use
+ the <a href="http://coreboot.org/SeaBIOS">SeaBIOS</a> payload.
+ Most BSD systems seem to require a full Video BIOS implementation, which
+ libreboot lacks for the most part, so you won't have a visual display, but you
+ might be able to use an EHCI debug and/or serial console.
+ </p>
+ <p>
+ FreeBSD is rumoured to be somewhat compatible (with the GRUB payload, even), when booting with
+ text-mode graphics initialization, but you probably won't be able to use X11.
+ </p>
+ <p>
+ For the most part, BSD systems remain untested in libreboot.
+ BSD systems <a href="https://www.gnu.org/distros/common-distros.html">contain blobs</a>, so do beware.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="windows">Can I use Windows?</h2>
+ <p>
+ Windows is incompatible with libreboot, and will probably remain so. <a href="https://gnu.org/philosophy/malware-microsoft.html">Never use Windows</a>.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+
+ <h2 id="other">Are other operating systems compatible?</h2>
+ <p>
+ Unknown. Probably not.
+ </p>
+ <p>
+ <a href="#pagetop">Back to top of page</a>
+ </p>
+ </div>
+
+<?php
+ include "../common/footer.php";
+?>
+
+</body>
+</html>
+<?php
+ $strHtml = ob_get_clean();
+ echo miniHtml($strHtml);
+?>