Hi all,
Would there be a way to fit CPU that has the scrubbed ME region and a coreboot port, on another laptop?
I have read the “Intel’s Management Engine” page and am still struggling to understand if the modifications are hardware specific (as in customized for the hardware of the librem 13).
Is it possible at all, and if yes would that bring any issues regarding the 30-minute check?
Thanking you in advance
The ME code is executed on the CPU, but it’s stored on the motherboard, in the same chip where the BIOS code is stored. There’s no storage on the CPU. To move the scrubbed ME, you’d have to move the BIOS chip, but unfortunately, BIOS is always specific to the motherboard. Your only option is to alter the ME code on the new motherboard, regardless of the CPU used.
Thank you. So even flashing coreboot on a different laptop (a thinkpad that already has available coreboot code) would not allow the use of the scrubbed ME without extensive modifications and patching?
As I have been looking at the issue of having Core Boot on another laptop.
From the QUBES OS website someone has a converted Laptop for sale.
There is a place in github that has the method to PROM the the Lenovo X230, but not any other laptop. Lenovo X230 is a third generation Intel. I could buy a lower resource (less RAM, Less Processor) for almost a reasonable price. But I would still need to open it. Replace the small battery. Re-Do the thermal paste. Program the BIOS to Core Boot, although it has detailed instructions on the how to. Probably put the maximum RAM in it. I see a base machine for $250. or so on NewEgg.
It was suggested that besides trying to get my own, Lenovo X230 and do all the necessary things. I could get one of the more modern Chrome Books, which have Core Boot built in. Still, not really cheap in that one really need 4 GB of RAM, and more than 16 GB of SSD. Chrome Books usually have those components soldered into the MOBO. I don’t think I would try to solder a replacement. I did speak Dell about a Chrome Book (no affiliation with Dell, just I live in Texas and thinking they are a respectable computer manufacturer must be in the water.) Dell has a one set of Chrome Books that part of there business side. I am told there is a big difference in the quality of Dell manufacturing for business machines versus those computers built for masses. They have one Chrome Book, and I am not sure if those models have Core Boot, which are like $1600.00. So I did not investigate further. I could put my pennies together and try to snipe a refurbished ChromeBook from Dell. It was suggested that I could purchase a more minimal ChromeBook and boot from the SD card. Which might function.
This a bunch of folks worrying about the issue of finding a laptop with Core Boot.
https://groups.google.com/forum/#!topic/qubes-users/Qe01UkXdd1U
QUBES OS has a lot of interesting info about security. https://www.qubes-os.org/
Do let us know if you find something interesting.
System76 also ships laptops with Coreboot (https://system76.com/laptops).
Their laptops are a newer generation than the Librems and they ship with support for EFI boot such as systemd-boot, etc. I don’t think the Librems support EFI boot.
The ME region in the system76 laptops is disabled with the hap bit set which is working on the newer iterations of ME based upon this pull request (https://github.com/corna/me_cleaner/pull/282) though its not yet implemented in a release.
The thing you would be missing with a system76 laptop though is PureBoot and the integration with the Librem Key.
They currently offer two models with support for Coreboot.
I should have said something else. I suspect the Pure OS has been specifically dovetailed to fit the Librem laptop. While the tech people at Librem/Pure are good natured and willing to help us a bit in installing Pure onto other hardware, they do not promise tech support, can not afford in time, to help for installing Pure to non-librem hardware.
I also suspect that it might be valid to say that the Librem/Pure OS is intended to stop things like Surveillance Capitalism, not to be a means to prevent power groups, like the NSA from being able to spy on us.
Sorry if OP feels I have spoken on things not germane to OP original Question. Might be our Moderator will want to offer some other explanation besides my suspicions of how things are…
I think it is rather opposite - they stripped Debian Linux of non-free packages, added some privacy features - and then hand-tailored hardware to work with it.
Of course it wasn’t pure bottom-up or top-down, rather the mix which met in the middle as end product, but I’m pretty sure the reason it does not work on other laptops is not privacy-related customisation made by purism, but mere removal of non-free components of the debian (which contains firmware blobs). You can try it yourself to make your opinion - eg install debian on system with coreboot and without non-free/contrib (main/security only).
ruff, I suspect your answer is more accurate. However, if one intends to use Pure Linux on a non-librem laptop, then one should be more knowledgeable than I in how to sort out driver issues. It might be easier to start with a list of programs and settings for Pure Linux, install the free source/free drivers version of Debian. Then add the programs used by Pure Linux. Of course it is easier just to try Pure Linux, and see. Right not I am having a problem getting Ubuntu 19.10 to install on a laptop (well actually to boot after it shows a clean install) where the live version of Ubuntu 19.10 works. So I am leery of introducing more problems. I guess I am just not experienced enough.and I should be either on the Ubuntu or Debian forum about this.
The idea was more, regardless of the version of linux, regarding the use of the CPU provided by librem on a completely different computer that supports coreboot, like some versions of the thinkpad.
Would that work, or would the new CPU require modifications in the (already working) version of coreboot on a thinkpad?
So yea for original post Dorota has answered that - Librem does not power CPU, rather modifies motherboard to disable privacy/security breaching features. You can install any other intel CPU off the shelf into the socket (any other that supports it) and it will work in privacy-honouring mode (whout ME backdoors).
yes, I understand that it disables intel ME by modifying the motherboard (i.e. using coreboot : which is software), but they also explain how they disable it from a hardware point of view using “Field Programmable Fuses” (https://puri.sm/learn/intel-me/)
In this case, on a lenovo laptop already running coreboot, it seems to be better to also use this CPU… but would that involve additional modifications of the coreboot?
The CPU on newer iterations of laptops is soldered down to the motherboard, they are not socketed anymore. At least not that I have seen. Besides that even if you could the bits you want are not in the CPU, they are in the firmware (PureBoot).
I think a more realistic approach would be to attempt to port the firmware (PureBoot) to another laptop with similar hardware (same CPU/iGPU) and flash it to the SPI on that device.
I don’t think that would be that straightforward either though, you would need to be familiar with flashrom+SPI programmer and be able to port the firmware over to the other platform. The source is available on github if I’m not mistaken, but I still don’t think it would be that straightforward and it would run the risk of bricking the device if you’re not able to recover from a bad flash.
Thanks for this, I did not think of the soldered CPU!! That settles it…
Wouldn’t this be kind of self defeating? I have a x230, and while is a fantastic laptop, i don’t see how privacy and security nuts would be interested. Who cares if the CPu’s ME is neutered, as you can’t verify the rest of the hardware in question.
The US government has banned Lenovo Thinkpads on numerous occasions because of hardware backdoors, etc. Even if that is just a hype train, why would someone concerned to begin with, want to risk it?
I admit to not being much of a knowledgeable person. What I see is this.
That a modified version of the X230 is what what has passed the certification test. I feel if price was not an object, I would buy a Librem first. As I can not afford a Librem or the finished X230, I really have not studied, worried about it much. The X230 is modified by re-seller to include replacing some other internal hardware as well as changing the Intel Processor evil.