Transparency in firmware with Libreboot
Liberated
Libreboot is a project dedicated to making firmware free as in freedom.
For users who believe in free software, one of the biggest benefits is that, because you have access to the source code, you know what your computer is doing. Proprietary, closed-source systems contain binary-only code that might be compromising your security and privacy – and you wouldn't even know it.
Linux and other open source systems offer a level of transparency that simply isn't possible with proprietary systems; however, even if you are using an all-free distro recommended by the Free Software Foundation (FSF) [1], your system might not be as free as you think. Most computers today come with proprietary firmware that boots the system and manages certain low-level tasks related to the hardware. Proprietary firmware has many of the same problems proprietary software has: You don't really know what it is doing, and it could be putting your security and privacy at risk.
BIOS, and its successor UEFI, are standards for the firmware systems preinstalled into most of the personal computers sold around the world, and they are generally not distributed under a free license. In addition, Intel's management engine, which has been integrated into hardware since 2008, is a thorn in the side of the proponents of completely free systems, allowing remote access and opening up several possibilities for attack. Another problem with proprietary firmware for users with high security needs is microcode updates, which are supposed to improve the microcode of the CPU but add an extra layer of uncertainty and potential vulnerability.
For all these reasons, resourceful developers have begun to replace the remaining non-free components in computer systems with free alternatives – including free firmware.
Coreboot [2] is a community project dedicated to developing an open source firmware alternative. Coreboot, which was formerly known as the LinuxBIOS project, claims to support over 230 main boards. In addition to bringing transparency to the firmware, Coreboot also claims to improve boot time by removing some of the unnecessary features and code bloat associated with mainstream firmware systems.
Players
Several small international companies have emerged around free BIOS implementations. These vendors fill the niche of providing computers for users who want a system that is truly all free. They can also offer the benefit of faster boot time with a trimmed down system, and they are in a unique position to avoid the planned obsolescence of the computer industry by maintaining support for older systems that are no longer relevant to the big hardware vendors.
Nearly all of these companies primarily offer Lenovo laptops. The economics of the free firmware industry mean that the companies tend to work with large volumes of older computers: The most common models are the X200, T400, and T500 series ThinkPads, which the original manufacturer produced between 2008 and mid-2010. These systems are based on the Core 2 Duo processors of Intel's Penryn architecture, which have two cores but lack performance-enhancing features such as Turbo Boost and hyper-threading.
The performance of these devices is fine for office and Internet applications, but demanding tasks such as CAD applications or video transcoding push the hardware to its performance limit. Many modified Lenovo notebooks are certified by the FSF.
(The US provider Purism is an exception to this low-end-hardware strategy. See the box entitled "Purism: A Different Approach.")
Purism: A Different Approach
US provider Purism is a laptop vendor that specializes in free firmware, but Purism doesn't depend on older systems. The company is itself a laptop manufacturer that uses state-of-the-art hardware. Purism equips the devices with coreboot and removes other closed-source elements: For example, the company's Librem notebooks exclusively use WLAN cards with the free-firmware-friendly Atheros chipsets. In addition to the coreboot BIOS, Purism uses the Debian-derived PureOS and Qubes OS operating systems.
The capitalization of the company demonstrates the value of this business idea: Purism received approximately US$2.5 million in working capital as part of a crowdfunding scheme. This influx of capital enabled the company to move away from its original built-to-order concept and sell its notebooks from stock – eliminating months of delivery time.
Libreboot
The Libreboot project [3] was founded in December 2013 in the UK with the goal of replacing the BIOS and video BIOS of common GPUs with free components by reverse engineering. Libreboot, which is written in C and Assembler, is a derivative of coreboot, but the Libreboot developers remove some remaining proprietary firmware blobs that still exist in coreboot. Libreboot programmers do not try to compete with coreboot but participate actively in its development by contributing patches and simplified installation processes.
Libreboot was simultaneously implemented on several server and desktop systems with standard components, as well as on some notebooks. Since extensive adjustments for the chipset and motherboard were necessary, the software runs on a limited number of hardware components. The worldwide distribution of the devices is managed by a company called Minifree [4]. The name Minifree is short for Ministry of Freedom – a reference to the novel 1984.
Minifree was founded in December 2014 by 23-year-old Leah Rowe (see the "Meet Libreboot and Minifree Founder Leah Rowe" box). The company only sells computers that have been upgraded with Libreboot. Minifree contributes to the financing of the coreboot distribution, and it also pays for additional developers who port Libreboot to new hardware.
Meet Libreboot and Minifree Founder Leah Rowe
LM: Minifree Ltd. currently only offers a laptop model, a modified Lenovo ThinkPad T400. Although technically and visually in very good condition, these machines are around eight years old. Lenovo has long been distributing more modern computers with considerably higher performance. Libreboot is not yet available for more modern devices with the Core i architecture. Is there any chance that this will change soon?
Leah Rowe: We're working on setting up Libreboot for Sandy Bridge systems. Specifically, we are porting to ThinkPad X220 laptops. After that, we'll work on the ThinkPad T420.
This work is still in progress because we still need the non-free firmware for Intel's management engine to operate the devices. Without this firmware, the system performs a hard reset every 30 minutes – we're trying to eliminate this. In the past, there was the ThinkPad X200 with Libreboot; we want to offer this option again in the future. In addition, we want to accelerate the sale of the T400 so that we have more resources to finance the X220 ports.
LM: Is there any support from well-known hardware manufacturers for the Libreboot project? Have you tried to get support?
LR: No. We do not receive any support from the manufacturers. We have tried to convince AMD to support us. At the beginning of 2017, we talked to AMD about cooperating with coreboot and Libreboot, which would have led to the release of non-free PSP firmware [6]. I was just told that my request had been forwarded to the responsible team.
I no longer believe that these manufacturers will ever cooperate with us. We are more oriented towards the RISC-V project [7], which develops a completely free Instruction Set Architecture for a CPU.
RISC-V is not yet usable in laptops, workstations, or servers, but it is already suitable for developer boards or for a microcontroller setup. With RISC-V, it would be possible in the future to offer large-scale OEM systems with completely free hardware, but that will take a few more years.
LM: What support is Libreboot currently receiving from the free software community? And what support do you want – apart from programmers who can help develop free firmware?
LR: Libreboot has recently appointed a new full-time maintainer for the project. On our website, we offer an overview for developers who wish to contribute. Recently, a number of people who have not been involved in the project have contributed to Libreboot.
My main concern is to get more support outside programming. Anyone can participate in the Libreboot project – even without technical experience: For example, volunteers can provide help to users on the IRC channel or help improve the documentation.
There is also a Librecore project that Libreboot is working with. Many highly qualified developers work for Librecore, setting up new hardware ports and making them available for Libreboot. Libreboot is currently based on coreboot, but in the future, we want to use Librecore as an upstream for hardware initialization.
Librecore is a fork of coreboot. Today, Libreboot is a coreboot distribution; in the future, it will be a Librecore distribution. Primarily, we want to attract more supporters, so that their work will allow us to use more hardware and Libreboot's list of supported hardware will continue to grow.
Depending on availability of the necessary hardware, Minifree offers a freely configurable server and desktop system, notebooks, and accessories. The devices are mostly systems from older processor generations, because the great effort for the implementation of Libreboot allows only limited modifications, especially for laptops.
In addition to the actual BIOS, the developers also adapt the embedded controllers, removing Intel's management engine or the equivalent Secure Processor from AMD. In addition, they replace problematic network hardware with components that do not require proprietary firmware, such as Qualcomm/Atheros components.
After the upgrade, the computer systems are completely free of closed source software. As a result, a distribution that uses no proprietary binary blobs and requires no separate firmware to operate individual hardware components runs without any functional impairment.
The Lenovo ThinkPad T400 notebooks, currently offered by Minifree and certified by the FSF under the "Respects Your Freedom" program, are therefore completely free systems. These systems come with a two-year guarantee at prices between just under EUR240 and EUR630 (~$296-$777), plus shipping.
Operating System
Minifree preinstalls Trisquel Linux on its devices. Trisquel is an Ubuntu derivative from which the developers have removed any non-free components [5]. The system also differs visually from the baseline Ubuntu system: Instead of the fuzzy brown and purple tones in the original, Trisquel features fresh blue and green, with application windows featuring 3D effects in light gray shades (Figure 1).
Trisquel Linux, which originates in Spain, has the approval of the FSF as a completely free operating system. Minifree provides the complete source code for Trisquel, totaling almost 5GB, as well as the source code for Libreboot, which weighs in at several hundred megabytes.