Booting up the coreboot firmware alternative
Distro Walk – coreboot
Coreboot is an open source firmware alternative with an emphasis on speed and simplicity.
In the next few years, how you boot a computer could change drastically. A firmware alternative known as coreboot [1] is well on the way to becoming readily available, and it is likely to become more popular as development accelerates. For one thing, coreboot is a giant leap forward for open hardware. Just as importantly, on hardware where it can be implemented, coreboot boots three to four times faster than the familiar BIOS or UEFI, and, depending on how it is configured, sometimes even faster.
Originally known as LinuxBIOS, coreboot was founded in 1999 at Los Alamos National Laboratory, the research and development facility best known for its role in the development of the atomic bomb. Today, coreboot's major contributors include manufacturers such as AMD and SiS, and motherboard vendors such as MSI, as well as various participants in the Google Summer of Code.
Supported CPU architectures include x86-64, ARM, ARM64, and RISC-V, as well as AMD's Geode and other system-on-a-chip platforms. In addition to Linux, coreboot directly supports BSD, OpenBSD, and Windows 2000 or later. You can also use coreboot indirectly with other operating systems specified in the payload. In addition, coreboot has inspired a number of spin-off projects, such as the Libreboot distribution [2] and librecore [3], which places a heavy emphasis on software freedom and non-x86 architectures. As these lists show, coreboot is supported across a wide spectrum of hardware and developed by an alliance of academics, manufacturers, and community members. Although reverse engineering is sometimes required, in a growing number of cases, coreboot developers can get schematics directly from manufacturers.
Developers have long recognized the growing need for a new firmware solution. According to the coreboot site, the size of a BIOS once averaged about 100KB but the average size is now closer to 8MB, and it almost certainly contains obsolete and redundant code, which seriously slows boot time. By contrast, the coreboot site claims [4] that "For desktops and laptop machines, coreboot can frequently boot to the start of the operating system in under a second. For servers, it can cut minutes off of the boot time." Not only that, but coreboot is designed to meet modern security standards, and, being smaller than a conventional BIOS, it provides a smaller target for security breaches. Yet another advantage is that, in keeping with open source tenets, "The architecture of coreboot is designed to have an unbrickable update process. Updating firmware should be no more dangerous than installing your favorite app on your mobile phone" [4]. In every way, coreboot is a timely overhaul of the conventional concept of computer firmware.
How Coreboot Works
Coreboot is designed to provide the absolute minimum of instructions to launch a modern operating system. The minimum structure means that coreboot must be modified for each chipset and motherboard it supports, which delays progress but tends to increase efficiency.
Coreboot runs in five required stages plus an optional stage on x86 machines [5] (shown in timeline form in Figure 1):
- bootblock: The first stage is written in assembly language and is intended to set up the C environment used for the rest of the coreboot process. Tasks include initializing the Cache-as-RAM, which uses the CPU cache as memory for the heap and stack space required by the C environment. On x86 systems, the bootblock stage also switches the CPU from 16-bit real mode to 32-bit protected mode.
- verstage: An optional stage that starts the root of trust if verified boot is used.
- romstage: Prepares the system to access DRAM directly.
- postcar: Tears down the Cache-as-RAM memory and loads the ramstage.
- ramstage: Initializes hardware, including PCI, on-chip, and graphics devices, trusted platform modules, and the CPU. Initialization tables are prepared for the operating system, and hardware and firmware are locked down.
- payload: Loads a chunk of software carried in firmware storage that initializes the process of launching the operating system. Two commonly used payloads are SeaBIOS, an implementation of the x86 BIOS, and TianoCore, an open source version of UEFI. The GRUB2 bootloader can also serve as a coreboot payload. Given coreboot's speed, long-time Linux users might be bemused to find that it is impossible to read the output of the boot process as it happens. They will need instead to open /var/log/boot.log.
Figure 1 also illustrates how the coreboot stages fit within the stages of the EDK II cross-platform firmware specification.
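The stage order listed above can be checked against a captured firmware console log. The following is an added example, not code from the article or the coreboot project: it assumes each stage announces itself with a banner of the form "<stage> starting (log level: N)", and the sample log is constructed.

```python
import re

# Stage order as listed in the article; verstage is optional.
# The payload is separate software and is not matched here.
STAGES = ["bootblock", "verstage", "romstage", "postcar", "ramstage"]
OPTIONAL = {"verstage"}

# Assumed banner shape: "... <stage> starting (log level: N)..."
BANNER = re.compile(
    r"\b(" + "|".join(STAGES) + r") starting \(log level: \d+\)"
)

# Constructed sample log (version string is a placeholder).
SAMPLE_LOG = """\
coreboot-0.0-sample bootblock starting (log level: 7)...
coreboot-0.0-sample romstage starting (log level: 7)...
coreboot-0.0-sample postcar starting (log level: 7)...
coreboot-0.0-sample ramstage starting (log level: 7)...
"""


def stages_seen(log_text):
    """Return stage names in the order their banners appear."""
    return [m.group(1) for m in BANNER.finditer(log_text)]


def audit(log_text):
    """Compare the observed stage sequence with the documented order."""
    seen = stages_seen(log_text)
    findings = []
    # Each stage should announce itself exactly once per boot.
    for stage in STAGES:
        count = seen.count(stage)
        if count == 0 and stage not in OPTIONAL:
            findings.append(f"missing required stage: {stage}")
        elif count > 1:
            findings.append(f"stage ran {count} times: {stage}")
    # Observed stages must follow the documented order.
    order = [STAGES.index(s) for s in seen]
    if order != sorted(order):
        findings.append("stages out of order: " + " -> ".join(seen))
    # verstage_seen only reports whether a separate verstage banner
    # appeared; it is not proof that verified boot is on or off.
    return {"stages": seen, "verstage_seen": "verstage" in seen,
            "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

On a machine running coreboot, the console log can be read from the running system with the cbmem utility (`cbmem -c`) and passed to `audit()` as text.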
System76: A Sample Implementation
According to Wikipedia, computers with coreboot are available, including some x86-based Chromebooks and machines from One Laptop per Child, Minifree (formerly Gluglug), PC Engines, Purism, System76, and Star Labs. Most of these computers are laptops, and some are refurbished, but the list has grown steadily over the past few years.
My hands-on experience with coreboot comes from a recently purchased Darter Pro from System76. In the past few years, System76 has emerged as a major manufacturer of Linux computers. Originally, System76 shipped its computers with a standard BIOS. However, gradually, it has been switching to coreboot for its laptops. As of March 2023, all of its six laptop models use coreboot. There is no official word yet on when coreboot will come to the company's desktops, servers, and minis, but a reasonable guess is that it is only a matter of time.
After the traditional BIOS (Figure 2) and UEFI implementations, coreboot on the Darter Pro comes as something of a shock. The BIOS of an earlier version of the Darter Pro had 38 top-level items, including specifications, as well as support settings for Secure Boot, Thunderbolt 3, and virtualization. By contrast, the current Darter Pro coreboot menu shown in Figure 3, which is accessed by holding down the Esc key at start-up, is a radical simplification.
System76's coreboot adoption seems a work in progress, so perhaps more items will be added in the months to come. The GitHub development pages seem at the least to keep that possibility open. However, this implementation of the firmware offers only the information that users are most likely to want, and not all of that can be changed. If System76's coreboot menu is compared with coreboot's build configuration (Figure 4), you can see that System76 chooses relevance and simplicity in its coreboot build.
Much of the usual information in the BIOS is available in System76 Open Firmware, along with instructions on how to customize the firmware and flash it – as well as suggestions on how to recover if things go wrong. Control of hardware such as the keyboard, fan, and battery is available through System76 Open EC Firmware (Embedded Controller), sometimes in the form of keyboard shortcuts and sometimes in the form of desktop applications. Other implementations of coreboot will differ to some degree; Purism's Librem 14 laptop [6], for instance, is advertised as having "Disabled the Intel Management engine" and "Less binary blob firmware," with an emphasis on security. But no matter what the priorities are, the ultimate goal of a coreboot implementation is to provide a simpler, more efficient way to start a computer.
Welcome to the Revolution
Coreboot faces serious obstacles. Too often, it has to work around proprietary code, which takes time and sometimes compromises the project's open source philosophy. Perhaps, too, the conservatism of corporations favors the established structure of BIOS and UEFI, for no better reason than its familiarity. Probably, though, the greatest obstacle is the fact that every chipset and motherboard requires its own implementation. Still, the use of separate payloads eases that restriction and has led to another advantage: well-organized, clear, and complete documentation, both in the project itself [7] and among early retailers such as System76.
Coreboot's natural advantages are so obvious that to predict its future dominance is far from rash. Just to see a computer boot at a fraction of the time you expect, or to realize how easy flashing firmware can be, is enough to make a believer out of the most cynical. One way or the other, expect to hear more about coreboot in the near future.
Infos
- [1] coreboot: https://coreboot.org/
- [2] Libreboot: https://libreboot.org/
- [3] librecore: https://firmwaresecurity.com/tag/libreboot/
- [4] Advantages for end users: https://www.coreboot.org/users.html
- [5] coreboot architecture: https://doc.coreboot.org/getting_started/architecture.html
- [6] Purism's Librem 14: https://puri.sm/products/librem-14/
- [7] Documentation: https://doc.coreboot.org/getting_started/index.html