diff options
Diffstat (limited to 'site/faq/index.php')
-rw-r--r-- | site/faq/index.php | 417 |
1 files changed, 417 insertions, 0 deletions
diff --git a/site/faq/index.php b/site/faq/index.php new file mode 100644 index 0000000..cb7cda5 --- /dev/null +++ b/site/faq/index.php @@ -0,0 +1,417 @@ +<?php +/* + Download page + Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + header('Content-type: text/html; charset=utf-8'); + ob_start(); + include_once "../common/variables.php"; + include_once "../common/functions.php"; +?> +<!DOCTYPE html> +<html> +<head> + <style type="text/css"> + <?php echo miniCss(file_get_contents("../common/css/main.css")); ?> + </style> + <title>Answers to Freqently Asked Questions about libreboot</title> +</head> + +<body> + + <div id="pagetop"> + + <h1>Answers to Freqently Asked Questions about libreboot</h1> + <p> + Over time, there have been many questions asked about libreboot. We have to answer them every time, + so it makes sense to document them here instead. More questions and answers will be added here, + as time goes by. <a href="../">Back to home page</a> + </p> + <h2>Hardware compatibility</h2> + <ul class="cascade"> + <li><a href="#compatibility">What systems are compatible with libreboot?</a></li> + <li><a href="#intel">When will modern Intel systems be supported?</a></li> + <li><a href="#librem">Will the Purism LibreM laptops be supported?</a></li> + <li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li> + <li><a href="#desktops">Will desktop/server hardware be supported?</a></li> + <li><a href="#randomhardware">Hi, I have <insert random system here>, is it supported?</a></li> + <li><a href="#arm">What about ARM?</a></li> + <li><a href="#amd">What about AMD?</a></li> + </ul> + <h2>General questions</h2> + <ul class="cascade"> + <li><a href="#install">How do I install libreboot?</a></li> + <li><a href="#bootpassword">How do I set a boot password?</a></li> + <li><a href="#writeprotect">How do I write-protect the flash chip?</a></li> + <li><a href="#biossettings">How do I change the BIOS settings?</a></li> + <li><a href="#reinstallos">Do I need to re-flash when I re-install GNU/Linux?</a></li> + </ul> + <h2>Operating Systems</h2> + <ul class="cascade"> + <li><a href="#gnulinux">Can I use GNU/Linux?</a> (yes, you can)</li> + <li><a href="#gnuhurd">Can I use GNU/Hurd?</a></li> + <li><a href="#bsd">Can I use BSD?</a></li> + <li><a href="#windows">Can I use Windows?</a></li> + <li><a href="#other">Are other operating systems compatible?</a></li> + </ul> + <h2></h2> + </div> + + <div> + <h1>Hardware compatibility</h1> + + <h2 id="compatibility">What systems are compatible with libreboot?</h2> + <p> + See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="intel">When will modern Intel systems be supported?</h2> + <p> + The probability is currently estimated to be below 1%, that any post-2008 Intel hardware will ever be supported in libreboot. The main issues are as follows: + </p> + <h3>Intel Management Engine (ME)</h3> + <p> + The most glaring issue on modern Intel hardware (beyond year ~2008) is + the <i>Management Engine</i>. This is a separate processor that exists in all Intel chipsets + past the year ~2006; some systems between those years can have the Management Engine firmware + removed (with the ME processor permanently deactivated), but not replaced (due to cryptographic signature checking on the firmware). + The management engine provides remote access capabilities, independently from the running operating system. It has full access to + your RAM, and it has full networking support. It also handles the TPM module, AMT (Active Management Technology), Boot Guard and + various DRM mechanisms. The ME also performs some basic hardware initialization and power management, on recent systems. + </p> + <p> + On all modern Intel systems built after around the year 2008 (after ICH9) require this blob, and + will not boot without it. Replacing it is impossible, unless you are Intel (only they have the private + key, necesarry for signing the firmware). The Management Engine is covered on lots of websites + (e.g. <a href="http://me.bios.io/Main_Page">me.bios.io</a>, <a href="http://io.smashthestack.org/me/">smashthestack.org</a>, + the <a href="http://www.coreboot.org/Intel_Management_Engine">coreboot wiki</a>, <a href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology">wikipedia</a>, <a href="https://www.fsf.org/blogs/community/active-management-technology">FSF blog</a>) and + a book titled <i><a href="https://www.apress.com/9781430265719">Platform Embedded Security Technology Revealed</a></i> (PESTR), published by Apress (ISBN 9781430265719). + </p> + <p> + The Management Engine processor is an <i>ARC</i> microcontroller. The firmware is based + on <a href="http://rtos.com/products/threadx/ARC">ThreadX RTOS</a>, which is an embedded operating system + designed specifically for those chips. Manufacturers (not just Intel) can pay for a (proprietary) license + providing access to the source code, but they are not allowed to share it with anyone. In other words, even + if Intel wanted to release the source code for this blob, they could not do so. + </p> + <p> + The Management Engine is a giant backdoor, allowing full access to your entire system for malicious adversaries. + </p> + <h3>CPU microcode updates</h3> + <p> + All modern x86 CPUs (from Intel and AMD) use what is called <i>microcode</i>. CPUs are extremely complex, + and difficult to get right, so the circuitry is designed in a very generic way, where only basic instructions + are handled in hardware. Most of the instruction set is implemented using microcode, which is low-level software + running inside the CPU that can specify how the circuitry is to be used, for each instruction. The built-in microcode + is part of the hardware, and read-only. Both the circuitry and the microcode can have bugs, which could cause reliability issues. + </p> + <p> + Microcode <i>updates</i> are proprietary blobs, uploaded to the CPU at boot time, which patches the built-in + microcode and disables buggy parts of the CPU to improve reliability. In the past, these updates were + handled by the operating system kernel, but on all recent systems it is the boot firmware that must perform this task. + Coreboot does distribute microcode updates for Intel and AMD CPUs, but libreboot cannot, because the whole point of libreboot + is to be 100% free software. + </p> + <p> + On some older Intel CPUs, it is possible to exclude the microcode updates and not have any reliability issues in practise. + All current libreboot systems work without microcode updates (otherwise, they wouldn't be supported in libreboot). However, + all modern Intel CPUs require the microcode updates, otherwise the system will not boot at all, or it will be extremely + unstable (memory corruption, for example). + </p> + <p> + Intel CPU microcode updates are <i>signed</i>, which means that you could not even run a modified version, even if + you had the source code. If you try to upload your own modified updates, the CPU will reject them. + </p> + <h3>Firmware Support Package (FSP)</h3> + <p> + On all recent Intel systems, coreboot support has revolved around integrating a blob (for each system) called + the <i>FSP</i> (firmware support package), which handles most of the hardware initialization, including + memory initialization. At present, it is believed that this can be replaced, but it will require a lot + of work on reverse engineering which will likely take many years. Intel distributes the FSP blob to + firmware developers (including coreboot). + </p> + <h3>Intel is uncooperative</h3> + <p> + For years, coreboot has been struggling against Intel. Intel has been shown to be extremely uncooperative in general. + Many coreboot developers, and companies, have tried to get Intel to cooperate; namely, releasing source code + for the firmware components. Even Google, which sells millions of <i>chromebooks</i> (coreboot pre-installed) + have been unable to persuade them. + </p> + <p> + Even when Intel does cooperate, they still don't provide source code. They might provide limited information + (datasheets) under strict corporate NDA (non-disclosure agreement), but even that is not guaranteed. Even ODMs and IBVs can't + get source code from Intel, in most cases (they will just integrate the blobs that Intel provides). + </p> + <p> + Recent Intel graphics chipsets also <a href="https://01.org/linuxgraphics/intel-linux-graphics-firmwares?langredirect=1">require firmware blobs</a>. + </p> + <p> + <b>Basically, all Intel hardware from year 2010 and beyond will never be supported by libreboot. The libreboot project + is actively ignoring all modern Intel hardware at this point, and focusing on alternative platforms.</b> + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="librem">Will the Purism LibreM laptops be supported?</h2> + <p> + Probably not (it uses latest generation of Intel hardware - see <a href="#intel">#intel</a>). It would be nice + if libreboot could run on these laptops, but it's extremely unlikely + due to the fact that there are signed proprietary blobs that cannot be replaced + (Management Engine, mandatory CPU microcode updates). + Also, <a href="https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed">rumour has it</a> that not even coreboot has support + yet for these systems. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="thinkpads">Will the latest ThinkPad models be supported?</h2> + <p> + The latest ThinkPad generation supported in libreboot are the ones + using the GM45 (ICH9) chipsets, such as the ThinkPad X200 or T400. + See <a href="#intel">#intel</a>. + Newer Intel ThinkPads will probably never be supported in libreboot, + due to the fact that there are signed blobs that cannot be replaced + (e.g. Intel Management Engine). Newer Lenovo laptops are + also <a href="https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot">starting to use</a> the <a href="https://mjg59.dreamwidth.org/33981.html">Intel Boot Guard</a>, which specifically blocks the use of + firmware that has not been signed by the OEM. + </p> + <p> + Coreboot does have support for some more recent Lenovo laptops, but libreboot cannot support most of these. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="desktops">Will desktop/server hardware be supported?</h2> + <p> + A common issue with desktop hardware is the Video BIOS. Libreboot has to initialize the graphics chipset, + but most graphics cards lack a free Video BIOS for this purpose. Some desktop motherboards supported in + coreboot do have onboard graphics chipsets, but these also require a proprietary Video BIOS, in most cases. + </p> + <p> + There is the XGI Z9s PCI-E graphics card, documented under <i>Board Ports</i> in <a href="../docs/tasks.html">../docs/tasks.html</a>, which might be viable for you. + </p> + <p> + Although not desktop hardware (it's a server board), libreboot does support + the <a href="../docs/hcl/kfsn4-dre.html">ASUS KFSN4-DRE</a>, with more server hardware + support on the horizon, as outlined in <a href="../docs/tasks.html">../docs/tasks.html</a>. + These boards have onboard graphics chipsets for which free native graphics initialization code + does exist (as well as free initialization code for everything else in the boot firmware). + These systems can be used to build very high-powered workstations, though it will be quite a bit + bigger (physically) and more expensive than a standard desktop computer. However, it is the best + option currently available in libreboot for this purpose. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="randomhardware">Hi, I have <insert random system here>, is it supported?</h2> + <p> + Most likely not. First, you must consult coreboot's own hardware compatibility list + at <a href="http://www.coreboot.org/Supported_Motherboards">http://www.coreboot.org/Supported_Motherboards</a> and, + if it is supported, check whether it can run without any proprietary blobs in the ROM image. If it can: wonderful! Libreboot + can support it, and you can add support for it using the notes at <a href="../docs/maintain/index.html">../docs/maintain/index.html</a>. + If not, then you will need to figure out how to reverse engineer and replace (or remove) those blobs that do still exist, in such a way + where the system is still usable in some defined way. + </p> + <p> + For those systems where no coreboot support exists, you must first port it to coreboot and, + if it can then run without any blobs in the ROM image, it can be added to libreboot. + See: <a href="http://www.coreboot.org/Motherboard_Porting_Guide">Motherboard Porting Guide</a> (this is just the tip of the iceberg!) + </p> + <p> + Please note that board development should be done upstream (in coreboot) and merged download (into libreboot). This is + the correct way to do it, and it is how the libreboot project is coordinated so as to avoid too much forking of the + coreboot source code. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="arm">What about ARM?</h2> + <p> + TODO + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + <h2 id="amd">What about AMD?</h2> + <p> + Libreboot has support for some AMD platforms, with more on the horizon. + See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>. + </p> + <p> + More AMD-related information will be added to this page at a later date. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + </div> + + <div> + <h1>General questions</h1> + + <h2 id="install">How do I install libreboot?</h2> + <p> + See <a href="../docs/install/index.html">../docs/install/index.html</a> + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="bootpassword">How do I set a boot password?</h2> + <p> + If you are using the GRUB payload, you can add a username and password (salted, hashed) + to your GRUB configuration that resides inside the flash chip. The following guides (which + also cover full disk encryption, including the /boot/ directory) show how to set a boot password + in GRUB: <a href="../docs/gnulinux/encrypted_trisquel.html">../docs/gnulinux/encrypted_trisquel.html</a> and <a href="../docs/gnulinux/encrypted_parabola.html">../docs/gnulinux/encrypted_parabola.html</a> + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="writeprotect">How do I write-protect the flash chip?</h2> + <p> + By default, there is no write-protection on a libreboot system. This is for usability reasons, + because most people do not have access to an external programmer for re-flashing their firmware. + </p> + <p> + On some systems, it is possible to write-protect the firmware, such that it is rendered read-only + at the OS level (external flashing is still possible, using dedicated hardware). For example, on + current GM45 laptops (e.g. ThinkPad X200, T400), you can write-protect (see <a href="../docs/hcl/gm45_remove_me.html#ich9gen">../docs/hcl/gm45_remove_me.html#ich9gen</a>). + Depending on your flash chip, + you can also write-protect the i945 laptops, such as the ThinkPad X60 or T60 (see <a href="../docs/security/x60_security.html">../docs/security/x60_security.html</a>) + and <a href="../docs/security/t60_security.html">../docs/security/t60_security.html</a> for links to a video explaining it). + </p> + <p> + It's possible to write-protect on all libreboot systems, but the instructions need to be written. + The documentation is in the main git repository, so you are welcome to submit patches adding these instructions. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + <h2 id="biossettings">How do I change the BIOS settings?</h2> + <p> + Libreboot actually uses the <a href="http://www.coreboot.org/GRUB2">GRUB payload</a>. + More information about payloads can be found at <a href="http://www.coreboot.org/Payloads">coreboot.org/Payloads</a>. + </p> + <p> + Libreboot inherits the modular payload concept from coreboot, which means that pre-OS bare-metal <i>BIOS setup</i> programmes + are not very practical. Coreboot (and libreboot) does include a utility called <i>nvramtool</i>, which can be used + to change some settings. You can find nvramtool under <i>coreboot/util/nvramtool/</i>, in the libreboot source archives. + </p> + <p> + The <i>-a</i> option in nvramtool will list the available options, and <i>-w</i> can be used to change them. Consult + the nvramtool documentation on the coreboot wiki for more information. + </p> + <p> + In practise, you don't need to change any of those settings, in most cases. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + <h2 id="reinstallos">Do I need to re-flash when I re-install GNU/Linux?</h2> + <p> + Not anymore. Recent versions of libreboot (using the GRUB payload) will automatically + switch to a GRUB configuration on the HDD or SSD, if it exists. For more information, + see <a href="../docs/gnulinux/grub_cbfs.html">../docs/gnulinux/grub_cbfs.html</a> + </p> + </div> + + <div> + <h1>Operating Systems</h1> + <h2 id="gnulinux">Can I use GNU/Linux?</h2> + <p> + Absolutely! GNU/Linux is well-tested in libreboot, and highly recommended. + See <a href="../docs/gnulinux/grub_boot_installer.html">installing GNU/Linux</a> and <a href="../docs/gnulinux/grub_cbfs.html">booting GNU/Linux</a>. + </p> + <p> + The <a href="https://fsf.org/">Free Software Foundation</a> maintains + a <a href="https://gnu.org/distros/free-distros.html">list of free GNU/Linux distributions</a>, certified + to distribute and endorse <a href="https://www.gnu.org/philosophy/free-sw.html">free software</a>, exclusively. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="gnuhurd">Can I use GNU/Hurd?</h2> + <p> + Unknown. Probably not. Feel free to try it, and report your findings. + </p> + <p> + <a href="https://www.gnu.org/software/hurd/hurd.html">GNU Hurd</a> is the microkernel developed by + the <a href="https://gnu.org/">GNU project</a>, and was (still is) intended to be the kernel for the + GNU operating system. For historical reasons, <a href="https://kernel.org/">Linux</a> became the primarily + adopted kernel (the libreboot project urges everyone to install and use <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">linux-libre</a> on their GNU systems), + and was adapted for use with the GNU system. This is <a href="https://www.gnu.org/gnu/why-gnu-linux.html">why</a> we + say <a href="https://www.gnu.org/gnu/linux-and-gnu.en.html">GNU/Linux</a>. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="bsd">Can I use BSD?</h2> + <p> + Potentially. It may be possible to boot most BSD systems if you use + the <a href="http://coreboot.org/SeaBIOS">SeaBIOS</a> payload. + Most BSD systems seem to require a full Video BIOS implementation, which + libreboot lacks for the most part, so you won't have a visual display, but you + might be able to use an EHCI debug and/or serial console. + </p> + <p> + FreeBSD is rumoured to be somewhat compatible (with the GRUB payload, even), when booting with + text-mode graphics initialization, but you probably won't be able to use X11. + </p> + <p> + For the most part, BSD systems remain untested in libreboot. + BSD systems <a href="https://www.gnu.org/distros/common-distros.html">contain blobs</a>, so do beware. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="windows">Can I use Windows?</h2> + <p> + Windows is incompatible with libreboot, and will probably remain so. <a href="https://gnu.org/philosophy/malware-microsoft.html">Never use Windows</a>. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + + <h2 id="other">Are other operating systems compatible?</h2> + <p> + Unknown. Probably not. + </p> + <p> + <a href="#pagetop">Back to top of page</a> + </p> + </div> + +<?php + include "../common/footer.php"; +?> + +</body> +</html> +<?php + $strHtml = ob_get_clean(); + echo miniHtml($strHtml); +?> |