<?php
/*
Frequently asked questions
Copyright (C) 2015 Francis Rowe <info@gluglug.org.uk>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
header('Content-type: text/html; charset=utf-8');
ob_start();
include_once "../common/variables.php";
include_once "../common/functions.php";
?>
<!DOCTYPE html>
<html>
<head>
<style type="text/css">
<?php echo miniCss(file_get_contents("../common/css/main.css")); ?>
</style>
<title>Answers to Frequently Asked Questions about libreboot</title>
</head>
<body>
<div id="pagetop">
<h1>Answers to Frequently Asked Questions about libreboot</h1>
<p>
Over time, there have been many questions asked about libreboot. We have to answer them every time,
so it makes sense to document them here instead. More questions and answers will be added here,
as time goes by. <a href="../">Back to home page</a>
</p>
<h2>Hardware compatibility</h2>
<ul class="cascade">
<li><a href="#compatibility">What systems are compatible with libreboot?</a></li>
<li>
<a href="#intel">Why is the latest Intel hardware unsupported in libreboot?</a>
<ul>
<li><a href="#intelme">Intel Management Engine (ME)</a></li>
<li><a href="#microcode">CPU microcode updates</a></li>
<li><a href="#fsp">Firmware Support Package (FSP)</a></li>
<li><a href="#intelbastards">Intel is uncooperative</a></li>
</ul>
</li>
<li><a href="#librem">Will the Purism LibreM laptops be supported?</a></li>
<li><a href="#thinkpads">Will the latest Thinkpad models be supported?</a></li>
<li><a href="#desktops">Will desktop/server hardware be supported?</a></li>
<li><a href="#randomhardware">Hi, I have <insert random system here>, is it supported?</a></li>
<li><a href="#arm">What about ARM?</a></li>
<li><a href="#amd">What about AMD?</a></li>
</ul>
<h2>General questions</h2>
<ul class="cascade">
<li><a href="#install">How do I install libreboot?</a></li>
<li><a href="#repugnantpi">How do I programme an SPI flash chip with the Raspberry Pi?</a></li>
<li><a href="#bootpassword">How do I set a boot password?</a></li>
<li><a href="#writeprotect">How do I write-protect the flash chip?</a> (for example, to protect against firmware-level malware being installed)</li>
<li><a href="#biossettings">How do I change the BIOS settings?</a></li>
<li><a href="#bootloader">Do I need to install a bootloader when installing GNU/Linux?</a></li>
<li><a href="#reinstallos">Do I need to re-flash when I re-install GNU/Linux?</a></li>
</ul>
<h2>Freedom questions</h2>
<ul class="cascade">
<li>
<a href="#otherfirmware">What other firmware exists outside of libreboot?</a>
<ul>
<li><a href="#firmware-ec">EC (embedded controller) firmware</a></li>
<li><a href="#firmware-hddssd">HDD/SSD firmware</a></li>
<li><a href="#firmware-nic">NIC (ethernet controller)</a></li>
<li><a href="#firmware-cpu">CPU microcode</a></li>
<li><a href="#firmware-sound">Sound card</a></li>
<li><a href="#firmware-webcam">Web cam</a></li>
<li><a href="#firmware-usbhost">USB host controller</a></li>
</ul>
</li>
</ul>
<h2>Operating Systems</h2>
<ul class="cascade">
<li><a href="#gnulinux">Can I use GNU/Linux?</a> (yes, you can)</li>
<li><a href="#gnuhurd">Can I use GNU/Hurd?</a></li>
<li><a href="#bsd">Can I use BSD?</a></li>
<li><a href="#windows">Can I use Windows?</a></li>
<li><a href="#otheros">Are other operating systems compatible?</a></li>
</ul>
<h2></h2>
</div>
<div>
<h1>Hardware compatibility</h1>
<h2 id="compatibility">What systems are compatible with libreboot? <span class="ref">(<a href="#compatibility">#compatibility</a>)</span></h2>
<p>
See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="intel">Why is the latest Intel hardware unsupported in libreboot? <span class="ref">(<a href="#intel">#intel</a>)</span></h2>
<p>
It is extremely unlikely that any post-2008 Intel hardware will ever be supported in libreboot. The main issues are as follows:
</p>
<h3 id="intelme">Intel Management Engine (ME) <span class="ref">(<a href="#intelme">#intelme</a>)</span></h3>
<p>
The most glaring issue on modern Intel hardware (beyond year ~2008) is
the <i>Management Engine</i>. This is a separate processor that exists in all Intel chipsets
past the year ~2006; some systems between those years can have the Management Engine firmware
removed (with the ME processor permanently deactivated), but not replaced (due to cryptographic signature checking on the firmware)
- see <a href="../docs/hcl/gm45_remove_me.html">../docs/hcl/gm45_remove_me.html</a>.
The management engine provides remote access capabilities, independently from the running operating system. It has full access to
your RAM, and it has full networking support. It also handles the TPM module, AMT (Active Management Technology), Boot Guard and
various <a href="https://defectivebydesign.org/what_is_drm_digital_restrictions_management">DRM</a> mechanisms.
The ME also performs some basic hardware initialization and power management, on recent systems.
</p>
<p>
All modern Intel systems built after around the year 2008 (after ICH9) require this blob, and
will not boot without it (or will shut down after 30 minutes). Replacing it is impossible, unless you are Intel (only they have the private
key, necessary for signing the firmware). The Management Engine is covered on a lot of websites
(e.g. <a href="http://me.bios.io/Main_Page">me.bios.io</a>, <a href="http://io.smashthestack.org/me/">smashthestack.org</a>,
the <a href="http://www.coreboot.org/Intel_Management_Engine">coreboot wiki</a>, <a href="https://en.wikipedia.org/wiki/Intel_Active_Management_Technology">wikipedia</a>, <a href="https://www.fsf.org/blogs/community/active-management-technology">FSF blog</a>) and
a book titled <i><a href="https://www.apress.com/9781430265719">Platform Embedded Security Technology Revealed</a></i> (PESTR), published by Apress (ISBN 9781430265719).
</p>
<p>
The Management Engine processor is an <i>ARC</i> microcontroller. The firmware is based
on <a href="http://rtos.com/products/threadx/ARC">ThreadX RTOS</a>, which is an embedded operating system
designed specifically for those chips. Manufacturers (not just Intel) can pay for a (proprietary) license
providing access to the source code, but they are not allowed to share it with anyone. In other words, even
if Intel wanted to release the source code for this blob, they could not do so. Even if they did, the ME
firmware is cryptographically signed, where the signature is verified at boot time. If you try to use your own modified
version of the ME firmware, it will be rejected by the ARC processor and your system will not boot. In other words,
the ME firmware is <i><a href="https://www.gnu.org/proprietary/proprietary-tyrants.html">tivoized</a></i>.
</p>
<p>
The Management Engine is a giant backdoor, allowing full access to your entire system for malicious adversaries.
The libreboot project strongly recommends that you avoid it entirely, and this means avoiding the latest generation of Intel hardware.
</p>
<h3 id="microcode">CPU microcode updates <span class="ref">(<a href="#microcode">#microcode</a>)</span></h3>
<p>
All modern x86 CPUs (from Intel and AMD) use what is called <i>microcode</i>. CPUs are extremely complex,
and difficult to get right, so the circuitry is designed in a very generic way, where only basic instructions
are handled in hardware. Most of the instruction set is implemented using microcode, which is low-level software
running inside the CPU that can specify how the circuitry is to be used, for each instruction. The built-in microcode
is part of the hardware, and read-only. Both the circuitry and the microcode can have bugs, which could cause reliability issues.
</p>
<p>
Microcode <i>updates</i> are proprietary blobs, uploaded to the CPU at boot time, which patches the built-in
microcode and disables buggy parts of the CPU to improve reliability. In the past, these updates were
handled by the operating system kernel, but on all recent systems it is the boot firmware that must perform this task.
Coreboot does distribute microcode updates for Intel and AMD CPUs, but libreboot cannot, because the whole point of libreboot
is to be 100% free software.
</p>
<p>
On some older Intel CPUs, it is possible to exclude the microcode updates and not have any reliability issues in practise.
All current libreboot systems work without microcode updates (otherwise, they wouldn't be supported in libreboot). However,
all modern Intel CPUs require the microcode updates, otherwise the system will not boot at all, or it will be extremely
unstable (memory corruption, for example).
</p>
<p>
Intel CPU microcode updates are <i>signed</i>, which means that you could not even run a modified version, even if
you had the source code. If you try to upload your own modified updates, the CPU will reject them. In other words,
the microcode updates are <i><a href="https://www.gnu.org/proprietary/proprietary-tyrants.html">tivoized</a></i>.
</p>
<h3 id="fsp">Firmware Support Package (FSP) <span class="ref">(<a href="#fsp">#fsp</a>)</span></h3>
<p>
On all recent Intel systems, coreboot support has revolved around integrating a blob (for each system) called
the <i>FSP</i> (firmware support package), which handles all of the hardware initialization, including
memory initialization. Reverse engineering and replacing this blob is almost impossible, due to how complex it is. Even for the most skilled developer,
it would take years to replace. Intel distributes this blob to firmware developers, without source.
</p>
<h3 id="intelbastards">Intel is uncooperative <span class="ref">(<a href="#intelbastards">#intelbastards</a>)</span></h3>
<p>
For years, coreboot has been struggling against Intel. Intel has been shown to be extremely uncooperative in general.
Many coreboot developers, and companies, have tried to get Intel to cooperate; namely, releasing source code
for the firmware components. Even Google, which sells millions of <i>chromebooks</i> (coreboot pre-installed)
have been unable to persuade them.
</p>
<p>
Even when Intel does cooperate, they still don't provide source code. They might provide limited information
(datasheets) under strict corporate NDA (non-disclosure agreement), but even that is not guaranteed. Even ODMs and IBVs can't
get source code from Intel, in most cases (they will just integrate the blobs that Intel provides).
</p>
<p>
Recent Intel graphics chipsets also <a href="https://01.org/linuxgraphics/intel-linux-graphics-firmwares?langredirect=1">require firmware blobs</a>.
</p>
<p>
<b>Basically, all Intel hardware from year 2010 and beyond will never be supported by libreboot. The libreboot project
is actively ignoring all modern Intel hardware at this point, and focusing on alternative platforms.</b>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="librem">Will the Purism LibreM laptops be supported? <span class="ref">(<a href="#librem">#librem</a>)</span></h2>
<p>
Probably not (it uses latest generation of Intel hardware - see <a href="#intel">#intel</a>). It would be nice
if libreboot could run on these laptops, but it's extremely unlikely
due to the fact that there are signed proprietary blobs that cannot be replaced and are required
(<a href="#intelme">Intel Management Engine</a> and <a href="#microcode">CPU microcode updates</a>).
It uses the proprietary <a href="#fsp">Intel FSP</a> blob for the entire hardware initialization, which
Intel <a href="#intelbastards">won't provide</a> the source code for. The Video BIOS (initialization firmware
for the graphics hardware) is also proprietary, and will likely take years to reverse engineer and replace
(once again, Intel won't provide the source code).
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="thinkpads">Will the latest ThinkPad models be supported? <span class="ref">(<a href="#thinkpads">#thinkpads</a>)</span></h2>
<p>
The latest ThinkPad generation supported in libreboot are the ones
using the GM45 (ICH9) chipsets, such as the ThinkPad X200 or T400.
See <a href="#intel">#intel</a>.
Newer Intel ThinkPads will probably never be supported in libreboot,
due to the fact that there are signed blobs that cannot be replaced
(e.g. <a href="#intelme">Intel Management Engine</a>). Newer Lenovo laptops are
also <a href="https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot">starting to use</a> the <a href="https://mjg59.dreamwidth.org/33981.html">Intel Boot Guard</a>, which specifically blocks the use of
firmware that has not been signed by the OEM.
</p>
<p>
Coreboot does have support for some more recent Lenovo laptops, but libreboot cannot support most of these.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="desktops">Will desktop/server hardware be supported? <span class="ref">(<a href="#desktops">#desktops</a>)</span></h2>
<p>
A common issue with desktop hardware is the Video BIOS. Libreboot has to initialize the graphics chipset,
but most graphics cards lack a free Video BIOS for this purpose. Some desktop motherboards supported in
coreboot do have onboard graphics chipsets, but these also require a proprietary Video BIOS, in most cases.
</p>
<p>
There is the XGI Z9s PCI-E graphics card, documented under <i>Board Ports</i> in <a href="../docs/tasks.html">../docs/tasks.html</a>, which might be viable for you.
</p>
<p>
Although not desktop hardware (it's a server board), libreboot does support
the <a href="../docs/hcl/kfsn4-dre.html">ASUS KFSN4-DRE</a>, with more server hardware
support on the horizon, as outlined in <a href="../docs/tasks.html">../docs/tasks.html</a>.
These boards have onboard graphics chipsets for which free native graphics initialization code
does exist (as well as free initialization code for everything else in the boot firmware).
These systems can be used to build very high-powered workstations, though it will be quite a bit
bigger (physically) and more expensive than a standard desktop computer. However, it is the best
option currently available in libreboot for this purpose.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="randomhardware">Hi, I have <insert random system here>, is it supported? <span class="ref">(<a href="#randomhardware">#randomhardware</a>)</span></h2>
<p>
Most likely not. First, you must consult coreboot's own hardware compatibility list
at <a href="http://www.coreboot.org/Supported_Motherboards">http://www.coreboot.org/Supported_Motherboards</a> and,
if it is supported, check whether it can run without any proprietary blobs in the ROM image. If it can: wonderful! Libreboot
can support it, and you can add support for it using the notes at <a href="../docs/maintain/index.html">../docs/maintain/index.html</a>.
If not, then you will need to figure out how to reverse engineer and replace (or remove) those blobs that do still exist, in such a way
where the system is still usable in some defined way.
</p>
<p>
For those systems where no coreboot support exists, you must first port it to coreboot and,
if it can then run without any blobs in the ROM image, it can be added to libreboot.
See: <a href="http://www.coreboot.org/Motherboard_Porting_Guide">Motherboard Porting Guide</a> (this is just the tip of the iceberg!)
</p>
<p>
Please note that board development should be done upstream (in coreboot) and merged downstream (into libreboot). This is
the correct way to do it, and it is how the libreboot project is coordinated so as to avoid too much forking of the
coreboot source code.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="arm">What about ARM? <span class="ref">(<a href="#arm">#arm</a>)</span></h2>
<p>
TODO
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="amd">What about AMD? <span class="ref">(<a href="#amd">#amd</a>)</span></h2>
<p>
Libreboot has support for some AMD platforms, with more on the horizon.
See <a href="../docs/hcl/index.html">../docs/hcl/index.html</a>.
</p>
<p>
More AMD-related information will be added to this page at a later date.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<div>
<h1>General questions</h1>
<h2 id="install">How do I install libreboot? <span class="ref">(<a href="#install">#install</a>)</span></h2>
<p>
See <a href="../docs/install/index.html">../docs/install/index.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="repugnantpi">How do I programme an SPI flash chip with the Raspberry Pi? <span class="ref">(<a href="#repugnantpi">#repugnantpi</a>)</span></h2>
<p>
The RPi can be used to install libreboot onto a system that uses SPI flash, but libreboot intentionally doesn't document it.
Why? Blobs. The RPi requires a blob for the integrated video chipset, in order to boot. This was true of the original RPi, and
has continued to be true for all subsequent revisions of the hardware. The RPi people clearly don't give a damn about your freedom,
so we don't give a damn about endorsing them.
</p>
<p>
There are other, more freedom-friendly SPI programmers available, documented on <a href="../docs/install/index.html">../docs/install/index.html</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="bootpassword">How do I set a boot password? <span class="ref">(<a href="#bootpassword">#bootpassword</a>)</span></h2>
<p>
If you are using the GRUB payload, you can add a username and password (salted, hashed)
to your GRUB configuration that resides inside the flash chip. The following guides (which
also cover full disk encryption, including the /boot/ directory) show how to set a boot password
in GRUB: <a href="../docs/gnulinux/encrypted_trisquel.html">../docs/gnulinux/encrypted_trisquel.html</a> and <a href="../docs/gnulinux/encrypted_parabola.html">../docs/gnulinux/encrypted_parabola.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="writeprotect">How do I write-protect the flash chip? <span class="ref">(<a href="#writeprotect">#writeprotect</a>)</span></h2>
<p>
By default, there is no write-protection on a libreboot system. This is for usability reasons,
because most people do not have easy access to an external programmer for re-flashing their firmware,
or they find it inconvenient to use an external programmer.
</p>
<p>
On some systems, it is possible to write-protect the firmware, such that it is rendered read-only
at the OS level (external flashing is still possible, using dedicated hardware). For example, on
current GM45 laptops (e.g. ThinkPad X200, T400), you can write-protect (see <a href="../docs/hcl/gm45_remove_me.html#ich9gen">../docs/hcl/gm45_remove_me.html#ich9gen</a>).
Depending on your flash chip,
you can also write-protect the i945 laptops, such as the ThinkPad X60 or T60 (see <a href="../docs/security/x60_security.html">../docs/security/x60_security.html</a>)
and <a href="../docs/security/t60_security.html">../docs/security/t60_security.html</a> for links to a video explaining it).
</p>
<p>
It's possible to write-protect on all libreboot systems, but the instructions need to be written.
The documentation is in the main git repository, so you are welcome to submit patches adding these instructions.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="biossettings">How do I change the BIOS settings? <span class="ref">(<a href="#biossettings">#biossettings</a>)</span></h2>
<p>
Libreboot actually uses the <a href="http://www.coreboot.org/GRUB2">GRUB payload</a>.
More information about payloads can be found at <a href="http://www.coreboot.org/Payloads">coreboot.org/Payloads</a>.
</p>
<p>
Libreboot inherits the modular payload concept from coreboot, which means that pre-OS bare-metal <i>BIOS setup</i> programmes
are not very practical. Coreboot (and libreboot) does include a utility called <i>nvramtool</i>, which can be used
to change some settings. You can find nvramtool under <i>coreboot/util/nvramtool/</i>, in the libreboot source archives.
</p>
<p>
The <i>-a</i> option in nvramtool will list the available options, and <i>-w</i> can be used to change them. Consult
the nvramtool documentation on the coreboot wiki for more information.
</p>
<p>
In practise, you don't need to change any of those settings, in most cases.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="bootloader">Do I need to install a bootloader when installing GNU/Linux? <span class="ref">(<a href="#bootloader">#bootloader</a>)</span></h2>
<p>
Libreboot integrates the GRUB bootloader already, as a <i><a href="http://www.coreboot.org/Payloads">payload</a></i>. This means
that the GRUB bootloader is actually <i>flashed</i>, as part of the boot firmware (libreboot). This means that you do
not have to install a boot loader on the HDD or SSD, when installing GNU/Linux. You'll be able to boot GNU/Linux just fine,
using the bootloader (GRUB) that is in the flash chip.
</p>
<p>
This also means that even if you remove the HDD or SSD, you'll still have a functioning bootloader installed which
could be used to boot a live GNU/Linux distribution installer from a USB flash drive.
See <a href="../docs/gnulinux/grub_boot_installer.html">.../docs/gnulinux/grub_boot_installer.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="reinstallos">Do I need to re-flash when I re-install GNU/Linux? <span class="ref">(<a href="#reinstallos">#reinstallos</a>)</span></h2>
<p>
Not anymore. Recent versions of libreboot (using the GRUB payload) will automatically
switch to a GRUB configuration on the HDD or SSD, if it exists. You can also load a different
GRUB configuration, from any kind of device that is supported in GRUB (such as a USB flash drive). For more information,
see <a href="../docs/gnulinux/grub_cbfs.html">../docs/gnulinux/grub_cbfs.html</a>
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<div>
<h1>Freedom questions</h1>
<h2 id="otherfirmware">What other firmware exists outside of libreboot? <span class="ref">(<a href="#otherfirmware">#otherfirmware</a>)</span></h2>
<p>
The main freedom issue on any system, is the boot firmware (usually referred to as a BIOS or UEFI). Libreboot replaces the boot firmware
with fully free code, but even with libreboot, there may still be other hardware components in the system (e.g. laptop) that run
their own dedicated firmware, sometimes proprietary. These are on secondary processors, where the firmware is usually read-only, written for very specific tasks.
While these are unrelated to libreboot, technically speaking, it makes sense to document some of the issues here.
</p>
<p>
Note that these issues are not unique to libreboot systems. They apply universally, to most systems. The issues described below
are the most common (or otherwise critical).
</p>
<p>
Dealing with these problems will most likely be handled by a separate project.
</p>
<h3 id="firmware-ec">EC (embedded controller) firmware <span class="ref">(<a href="#firmware-ec">#firmware-ec</a>)</span></h3>
<p>
Most (all?) laptops have this. The EC (embedded controller) is a small, separate processor that basically processes inputs/outputs
that are specific to laptops. For example:
</p>
<ul class="cascade">
<li>
When you flick the radio on/off switch, the EC will enable/disable the wireless devices (wifi, bluetooth, etc) and enable/disable
an LED that indicates whether it's turned on or not
</li>
<li>
Listen to another chip that produces temperature readings, adjusting fan speeds accordingly (or turning the fan(s) on/off).
</li>
<li>
Takes certain inputs from the keyboard, e.g. brightness up/down, volume up/down.
</li>
<li>
Detect when the lid is closed or opened, and send a signal indicating this.
</li>
<li>
Etc.
</li>
</ul>
<p>
Alexander Couzens from coreboot (lynxis on coreboot IRC) is working on a free EC firmware replacement for the ThinkPads
that are supported in libreboot. See:
<a href="https://github.com/lynxis/h8s-ec">https://github.com/lynxis/h8s-ec</a>
(not ready yet).
</p>
<p>
Most (all?) chromebooks have free EC firmware. Libreboot is currently looking into supporting a few ARM-based chromebooks.
</p>
<p>
EC is only present on laptops. On desktop/server boards it is absent (not required).
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-hddssd">HDD/SSD firmware <span class="ref">(<a href="#firmware-hddssd">#firmware-hdd-ssd</a>)</span></h3>
<p>
HDDs and SSDs have firmware in them, intended to handle the internal workings of the device while exposing a simple,
standard interface (such as AHCI/SATA) that the OS software can use, generically. This firmware is transparent to the user
of the drive.
</p>
<p>
HDDs and SSDs are quite complex, and these days contain quite complex hardware which is even capable of running an entire
operating system (by this, we mean that the drive itself is actually running its own embedded operating system), even GNU/Linux
or BusyBox/Linux.
</p>
<p>
Example attack that malicious firmware could do: substitute your SSH keys, allowing unauthorized remote access by an unknown
adversary. Or maybe substitute your GPG keys. AHCI (SATA) drives also will have DMA, which means that they could read
from system memory; the drive can have its own hidden storage, theoretically, where it could read your LUKS keys and store them
unencrypted for future retrieval by an adversary.
</p>
<p>
With proper IOMMU, it might be possible to mitigate the DMA-related issues.
</p>
<p>
Some proof of concepts have been demonstrated. For HDDs:<br/>
<a href="https://spritesmods.com/?art=hddhack&page=1">https://spritesmods.com/?art=hddhack&page=1</a><br/>
For SSDs:<br/>
<a href="http://www.bunniestudios.com/blog/?p=3554">http://www.bunniestudios.com/blog/?p=3554</a>
</p>
<p>
Viable free replacement firmware is currently unknown to exist. For SSDs, the <a href="http://www.openssd-project.org/wiki/The_OpenSSD_Project">OpenSSD</a> project may be interesting.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-nic">NIC (ethernet controller) <span class="ref">(<a href="#firmware-nic">#firmware-nic</a>)</span></h3>
<p>
Ethernet NICs will typically run firmware inside, which is responsible for initializing the device internally.
Theoretically, it could be configured to drop packets, or even modify them.
</p>
<p>
With proper IOMMU, it might be possible to mitigate the DMA-related issues.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-cpu">CPU microcode <span class="ref">(<a href="#firmware-cpu">#firmware-cpu</a>)</span></h3>
<p>
Implements an instruction set. See <a href="#microcode">#microcode</a> for a brief description.
Here we mean microcode built in to the CPU. We are not talking about the updates supplied by the boot firmware
(libreboot does not include microcode updates, and only supports systems that will work without it)
Microcode can be very powerful. No proof that it's malicious, but it could theoretically
</p>
<p>
CPUs often on modern systems have a processor inside it for things like power management.
ARM for example, has lots of these.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-sound">Sound card <span class="ref">(<a href="#firmware-sound">#firmware-sound</a>)</h3>
<p>
Sound hardware (integrated or discrete) typically has firmware on it (DSP) for processing input/output.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-webcam">Web cam <span class="ref">(<a href="#firmware-webcam">#firmware-webcam</a></h3>
<p>
Webcams have firmware integrated into them that process the image input into the camera; adjusting focus,
white balancing and so on.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h3 id="firmware-usbhost">USB host controller <span class="ref">(<a href="#firmware-usbhost">#firmware-usbhost</a>)</span></h3>
<p>
Doesn't really apply to current libreboot systems (none of them have USB 3.0 at the moment), but
USB 3.0 host controllers typically rely on firmware to implement the XHCI specification. Some newer
coreboot ports also require this blob, if you want to use USB 3.0.
</p>
<p>
This doesn't affect libreboot at the moment, because all current systems that are supported only
have older versions of USB available. USB devices also don't have DMA (but the USB host controller itself does).
</p>
<p>
With proper IOMMU, it might be possible to mitigate the DMA-related issues (with the host controller).
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<div>
<h1>Operating Systems</h1>
<h2 id="gnulinux">Can I use GNU/Linux? <span class="ref">(<a href="#gnulinux">#gnulinux</a>)</span></h2>
<p>
Absolutely! GNU/Linux is well-tested in libreboot, and highly recommended.
See <a href="../docs/gnulinux/grub_boot_installer.html">installing GNU/Linux</a> and <a href="../docs/gnulinux/grub_cbfs.html">booting GNU/Linux</a>.
</p>
<p>
Any recent distribution should work, as long as it uses KMS (kernel mode setting) for the graphics.
</p>
<p>
The <a href="https://fsf.org/">Free Software Foundation</a> maintains
a <a href="https://gnu.org/distros/free-distros.html">list of free GNU/Linux distributions</a>, certified
to distribute and endorse <a href="https://www.gnu.org/philosophy/free-sw.html">free software</a>, exclusively.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="gnuhurd">Can I use GNU/Hurd? <span class="ref">(<a href="#gnuhurd">#gnuhurd</a>)</span></h2>
<p>
Unknown. Probably not. Feel free to try it, and report your findings.
</p>
<p>
<a href="https://www.gnu.org/software/hurd/hurd.html">GNU Hurd</a> is a microkernel developed by
the <a href="https://gnu.org/">GNU project</a>, and was (still is) intended to be the kernel for the
GNU operating system. For historical reasons, <a href="https://kernel.org/">Linux</a> became the primarily
adopted kernel (the libreboot project urges everyone to install and use <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">linux-libre</a> on their GNU systems),
and was adapted for use with the GNU system. This is <a href="https://www.gnu.org/gnu/why-gnu-linux.html">why</a> we
say <a href="https://www.gnu.org/gnu/linux-and-gnu.en.html">GNU/Linux</a>. Read the <a href="https://www.gnu.org/gnu/gnu-linux-faq.html">GNU/Linux FAQ</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="bsd">Can I use BSD? <span class="ref">(<a href="#bsd">#bsd</a>)</span></h2>
<p>
Potentially. It may be possible to boot most BSD systems if you use
the <a href="http://coreboot.org/SeaBIOS">SeaBIOS</a> payload.
Most BSD systems seem to require a full Video BIOS implementation, which
libreboot lacks for the most part, so you won't have a visual display, but you
might be able to use an EHCI debug and/or serial console.
</p>
<p>
FreeBSD is rumoured to be somewhat compatible (with the GRUB payload, even), when booting with
text-mode graphics initialization, but you probably won't be able to use X11.
</p>
<p>
For the most part, BSD systems remain untested in libreboot.
BSD systems <a href="https://www.gnu.org/distros/common-distros.html">contain blobs</a>, so do beware.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="windows">Can I use Windows? <span class="ref">(<a href="#windows">#windows</a>)</span></h2>
<p>
Windows is incompatible with libreboot, and will probably remain so. <a href="https://gnu.org/philosophy/malware-microsoft.html">Never use Windows</a>.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
<h2 id="otheros">Are other operating systems compatible? <span class="ref">(<a href="#otheros">#otheros</a>)</span></h2>
<p>
Unknown. Probably not.
</p>
<p>
<a href="#pagetop">Back to top of page</a>
</p>
</div>
<?php
include "../common/footer.php";
?>
</body>
</html>
<?php
$strHtml = ob_get_clean();
echo miniHtml($strHtml);
?>