title: "A Brief Introduction to Free/Libre Hardware"
date: 2019-01-20

category: TechTips

If you are interested in free/libre software because it respects users' freedoms, you may wish to run your software atop free hardware. This article is about the options you have for running free hardware. It primarily focuses on Libreboot, but I briefly examine some other options as well (EOMA68, Beagle Bone Black, and Coreboot).

Context

Free hardware, in the context of computing, refers to machines that the user can inspect, repair, and modify to function in whatever way the user sees fit. Many hobbyists, tech enthusiasts, and proponents of free software use such hardware, for both practical and ideological reasons. The practical benefit is that you have the control to do with the machine what you wish, and this is particularly important if you have complex or unusual requirements. The ideological appeal of free hardware is that it does not impose disempowering constraints on the user/owner of the machine, and that it can be trusted, to a somewhat greater degree than non-free hardware, to not be acting against the best interests of the user (e.g., by monitoring the user's behavior without consent).

Running fully free/libre hardware is, unfortunately, not as simple as buying a certain brand of laptop or disabling some components in the machines you are currently running. There are a couple of primary sources of difficulty in running free hardware, particularly in getting started. This post aims to reduce some of that initial difficulty.

The first difficulty is that nearly all modern computing hardware contains proprietary, and potentially malicious, components that cannot be removed or disabled. Most notable among these components is the Intel Management Engine (ME), a secondary processor in all Intel-based systems built after about 2007 that sits alongside your CPU, has full access to all of the resources of your machine, and can be activated remotely. In other words, the ME is a hardware backdoor that cannot be disabled (technically it can be disabled, but if it is, it will force a system shutdown after 30 minutes, meaning you can only use the machine in 30-minute blocks).

The ME is marketed as a remote support technology, as a way for system administrators to remotely manage machines, and it may very well be of great use to enterprise customers. But the fact that it cannot be disabled or removed means that you are not, and cannot be, in full control of your machine, and so for users interested in free hardware, it does not much matter what the intended/marketed use is: if you do not want it, you should not be forced to tolerate it existing/running in the machine you use, doing who knows what.

The ME has received a lot of negative press recently, in part because security researchers Mark Ermolov and Maxim Goryachy identified a vulnerability in the ME that would permit an attacker to execute arbitrary code on a powered-down computer; in other words, a vulnerability that would allow a malicious actor to completely "own" a machine (see here for their BlackHat 2017 slides). See here and here for more information about the Intel Management Engine.

This problem is not limited to Intel-based machines; AMD has their own remote management platform, called AMD Secure Technology, formerly called AMD Platform Security Processor. While it has not received as much attention around the web, it falls into the same category as the Intel ME: it is a (potential) remote backdoor. It is a non-free component of a computer that you cannot rid yourself of, and it is therefore not freedom-respecting.

This first, and perhaps most significant, difficulty, then, is that if you want to use free hardware, you cannot use modern hardware. Depending on your needs, this may or may not be an insurmountable problem. Hopefully chip makers and computer manufacturers will someday soon begin offering fully free/libre hardware products, but as it stands today, you have to make a choice between freedom, on the one hand, and convenience and computing power on the other.

The second difficulty is that, if you decide you want to use fully free/libre hardware, you will probably be required to purchase a new (read: fairly old, second-hand, possibly refurbished) machine, and to then make some modifications to it. These modifications might be quite minor (running some install scripts), or may be more extensive, requiring you to fully disassemble your laptop, attach an external micro-controller (like a Beagle Bone Black) to your CPU, flash your ROM chip, and then reassemble the machine. This latter course of action is possible even if you are not particularly hardware savvy, on account of Libreboot's excellent tutorials and resources, but it is not for the faint of heart. It is time-consuming, and it can be intimidating, scary, and frustrating. But, as the saying goes, "freedom ain't free".

We will first look at using the Libreboot bootloader on older ThinkPad models, and afterwards examine some non-Libreboot alternatives. There are efforts underway to build modern hardware that is freedom respecting and convenient (see below for discussion), but at the present moment, I think Libreboot is the most solid option for running free hardware.

Libreboot Machines

Boot firmware is the software that runs when you power on your machine. It initializes your hardware and begins loading the operating system. This is what is typically referred to as the BIOS (or Basic Input/Output System). This software tends to be stored in a flash-memory chip inside your machine, and is not easily modifiable.

Coreboot aims to replace a computer's proprietary BIOS with a fully free and open source alternative. The Coreboot project has made fantastic progress in providing builds for a number of different machines (see here for a list of currently supported mainboards), but has been unable to solve one major stumbling block: the removal of the Intel Management Engine (discussed above).

Enter Libreboot: a distro of Coreboot that targets a small number of machines (mostly older ThinkPads) that do not ship with the management engine, and thus can be modified to exclusively run free software. If you want to run fully free hardware, Libreboot is currently your best bet.

Libreboot currently only supports a handful of machines: the MacBook 2.1, and these ThinkPads:

  • X60/X60t
  • X200
  • T60
  • T400
  • T500
  • R400
  • W500

Libreboot will only work with certain model specs (or "sub-models"). For example, the X60 has about 5 different displays that it had shipped with, and only 2 or 3 of them will work with Libreboot. If you decide to buy a computer to run Libreboot on it, you will have to check very carefully that the machine's specs are supported (or if you are a skilled hardware hacker, you may be able to help add a new machine to the list of supported devices).

These machines are available in abundance and fairly cheaply from sites like Amazon and eBay. They should be cheap: after all, they are all about a decade old.

The easiest machines to get Libreboot running on are probably the X60/X60t and the T60. These models do not need to be disassembled; Libreboot can be flashed fairly simply via an install script. A small bit of disassembly will typically be required to replace the stock wifi card with a model that uses free drivers (Libreboot recommends Atheros chips), but this is far less daunting than the full laptop break-down, as is required by the other models.

If you wish to try out Librebooting a machine, head over to their installation guide, here.

Alternatives

If you can't or don't want to use a Librebooted machine, you have a few other options, some of which we'll briefly outline here.

1. Coreboot

Coreboot supports many more machines than does Libreboot (Coreboot actually supports mainboards, not specific computer models, so you may have to track down the model name/number of the board in your machine).

You may currently be using a machine that is supported by Coreboot, so if you want to keep using your current hardware, Coreboot may be your best bet. Moving to Coreboot will get you much closer to a fully free system than the stock BIOS, leaving only the Intel ME behind as proprietary software.

If you are interested in going this route, but your current hardware is not supported by Coreboot, you could either purchase supported hardware and flash Coreboot onto it, or you could buy hardware that ships with Coreboot. Purism sells high-end, modern machines with Coreboot installed by default. These folks are working to provide quality computing options to freedom- and privacy-conscious consumers, and are well worth looking at if you are in the market for some new hardware.

2. EOMA68

The EOMA-68 (or the Embedded Open Modular Architecture Standard 68; a bit of a mouthful) is a modular computer designed to be easy to upgrade, environmentally friendly, and privacy respecting. It is a new paradigm for the personal computer, and looks quite promising. It is still early days, so it is unclear how successful this model will be.

The project is led by Luke Leighton, and has been crowdfunded through crowdsupply.com. If you're interested in checking it out, you can visit the crowdfunding page here.

3. Beagle Bone Black

The Beagle Bone Black (BBB) is a small SoC (system on a chip) that packs a punch. These micro-computers are great for hobby projects, and they become more capable with each iteration. While you can use various distributions of GNU/Linux on them, you may find them not quite performant enough for use as a full-time computer. This depends upon your needs, however, and in some specific, niche use-cases, you may find one of these systems is a perfect fit for your needs.

A BBB is much like the popular Raspberry Pi, but unlike the Pi, it uses fully free, deblobbed software. They are the external controller recommended by the Libreboot project for flashing your boot ROM. A BBB can be purchased for about $60. If you're heading down the free hardware path, one of these little machines can make a great addition to your toolbelt.

Conclusion

Fully free computing requires free hardware. Modern computers are not free, as they ship with components that the machine's owner can neither inspect nor modify. If you want to fully "own" your machine, you will need to go back in time a bit, spend some time hacking and disassembling an old laptop, and be prepared to accept some tradeoffs: namely, sacrificing some of the capabilities and design sensibilities of modern hardware in exchange for gaining greater privacy, security, and full ownership of your machine.

If you choose to go the route of libre hardware, I strongly recommend looking into the Libreboot project. While no solution today is perfect, Libreboot goes further than any other option. Your first successful boot ROM flash really will feel liberating.