How much longer will i be able to avoid UEFI?

My current system is over a decade old. It’s one of the very last without UEFI and also one of the most powerful from back then.
Unfortunately at some point I will have to replace it, and every new “run of the mill” computer these days has UEFI.

I understand that:

  • Purism products support coreboot + SeaBIOS (so you do not have to use UEFI)
  • You can build your own coreboot + SeaBIOS system using a compatible mainboard: Mainboard-specific documentation — coreboot 4.22-426-g84aa556283 documentation
  • Other companies like System76 at least use coreboot with an open-source UEFI payload.
    – I have not looked into this, but I guess the goal is to put (only) you back in control?
    – Even if so, I’m still not a fan because I want a BASIC Input Output System. I do not even want the additional UEFI functionality and vulnerability.

But let’s say I manage to buy or build a system using coreboot + SeaBIOS (no UEFI): for how much longer will I be able to use it as a daily driver? Will recent Debian, Ubuntu, Linux Mint etc. versions still be compatible 10 years from now?

Also, non-UEFI has a 2 TB limit for boot drives.
This is not a problem for now, but who knows what it is in 5 or 10 years.

Also, will it be possible to run future Windows versions in VirtualBox if the host system runs Linux and doesn’t support UEFI and TPM 2.0?

Not to mention: will it still be possible to “hack” future Windows versions to run without UEFI and TPM 2.0, like it is possible with Windows 11? I doubt it, and if so Microsoft will probably give you a hard time if you attempt running that.

That said, I’m trying to completely get rid of Windows within the next 1-2 years.
But sometimes I still have to use it, unfortunately. I’m not sure if I will be able to get rid of it to the point where I do not even have to run it inside a VirtualBox VM.

Finally, I’m concerned about freedom, privacy and control, but I’m not a security freak.
That means I currently run Q4OS Plasma on a system without UEFI and TPM 2.0. But at the same time, I also don’t use encryption AT ALL (I think in most cases it’s a bad idea / not worth the risks to encrypt data) and do use auto-login, for example.

Edit:

Also, what would be the closest mainboard/platform that supports coreboot + SeaBIOS for building something like an HP Z8 G5 Fury? (high-end desktop workstation)

3 Likes

You’ll have to ask the time traveler guy to answer your question about the future :wink:

Same as you, my main computer doesn’t have UEFI (15-year-old motherboard), and I know some day it will die and I will have to replace it.
I can’t really answer your questions, only make some assumptions.

I think in 5, 10 years and more, there will still be a GNU community to find some ways around those obvious backdoor functionalities that are added by shitty companies.
As long as some companies make products compatible with coreboot + SeaBIOS, we will always have good enough choices.
The day hardware can’t run those anymore, that’s when our choices will become really shitty.

If Microsoft adds more shitty boot mechanisms to Windows, you can hope coreboot / SeaBIOS / GRUB will evolve to manage those changes.
And VMs are emulating hardware, which means they can make the controlled system believe anything they want, so it should not be a problem for VMs; I would not worry about that.

1 Like

Also, here’s an idea: you can try now to find / salvage / buy old computer stuff (maybe the exact same hardware you have now), and keep it somewhere until the day your current hardware dies; you will then have acceptable replacement parts.

2 Likes

I believe PureBoot (coreboot, with Heads payload instead of UEFI or SeaBIOS) is able to boot an OS that was installed under UEFI. I haven’t tested this recently but I believe it works if the partitioning meets PureBoot’s requirements.

Installing under PureBoot will use BIOS mode as the OS will default to that for any firmware that’s not UEFI. PureBoot doesn’t really care, that’s just the OS’s choice. I think that if distributions stop supporting BIOS install, it will still be possible to install them under PureBoot. I don’t know of any UEFI-only distributions since Fedora backed down from deprecating BIOS boot, but if it happens, I think we will get PureBoot to work with it.

Linux can boot from >2 TB drives under BIOS; I’ve tested this with SeaBIOS and AMI. Use a GPT partition table, and create a 2 MB bios-grub partition, since the GRUB stage 2 needs a place on the disk (in MBR partitioning it just sits in some unallocated space; GPT neatly puts it in a partition).

For my last job I ran Windows 11 in qemu/KVM, which worked fine with UEFI firmware for the VM and a virtual TPM. The host firmware and TPM don’t matter in that case. I can’t guess what MS could do in the future, they could try to interfere with it, but it worked fine with no hacks at least within the last few years.

4 Likes
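The layout the post above describes (GPT plus a small bios-grub partition so that GRUB’s core image has a home and a legacy BIOS can still boot a disk beyond 2 TB) can be verified before running `grub-install --target=i386-pc`. The following is an added example, not code from this thread, from PureBoot or from GRUB: a small Python parser for the primary GPT header and partition entry array that checks both CRCs, reports whether the disk exceeds the 32-bit LBA range an MBR can address, and whether a BIOS boot partition of adequate size is present. The disk image it inspects is constructed in memory as a sample; the function names, the 1 MiB minimum size and the sample partition numbers are this example’s own choices.

```python
"""Pre-flight check for legacy-BIOS (e.g. SeaBIOS) booting from a GPT disk
larger than 2 TiB. Added example, not code from the thread, PureBoot or GRUB.
The sample disk image is constructed in memory and is not a real disk."""
import io
import struct
import uuid
import zlib

SECTOR = 512
MBR_MAX_SECTORS = 1 << 32  # MBR entries hold 32-bit LBAs: 2 TiB at 512-byte sectors
# Partition type GUIDs from the GPT spec / GRUB (the first spells "Hah!IdontNeedEFI")
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
HEADER_FMT = "<8sIIII QQQQ 16s QIII"  # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"            # 128-byte partition entry
MIN_BIOS_BOOT_BYTES = 1 << 20          # example's own floor; the post suggests 2 MB


def read_gpt(f):
    """Return (header fields, used partition entries) from the primary GPT at LBA 1."""
    f.seek(SECTOR)
    raw = f.read(SECTOR)
    if raw[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (MBR-only disk?)")
    (_sig, _rev, hdr_size, hdr_crc, _res, _my_lba, alt_lba, first_usable, last_usable,
     _disk_guid, entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(HEADER_FMT, raw[:92])
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    f.seek(entries_lba * SECTOR)
    table = f.read(n_entries * entry_size)
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        type_le, _uniq, first, last, _attrs, name = struct.unpack(
            ENTRY_FMT, table[i * entry_size:i * entry_size + 128])
        type_guid = uuid.UUID(bytes_le=type_le)  # GPT stores GUIDs mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "type": type_guid, "first_lba": first,
                      "last_lba": last, "name": name.decode("utf-16-le").rstrip("\0")})
    return {"alt_lba": alt_lba, "first_usable": first_usable, "last_usable": last_usable}, parts


def bios_boot_check(f):
    """Report whether this GPT disk is set up for grub-install --target=i386-pc."""
    hdr, parts = read_gpt(f)
    disk_sectors = hdr["alt_lba"] + 1  # backup header sits in the last LBA
    bios_boot = [p for p in parts if p["type"] == BIOS_BOOT_GUID]
    size = (bios_boot[0]["last_lba"] - bios_boot[0]["first_lba"] + 1) * SECTOR if bios_boot else 0
    return {
        "disk_bytes": disk_sectors * SECTOR,
        "exceeds_mbr_limit": disk_sectors > MBR_MAX_SECTORS,
        "has_bios_boot_partition": bool(bios_boot),
        "bios_boot_size_bytes": size,
        "ok_for_grub_i386_pc": size >= MIN_BIOS_BOOT_BYTES,
    }


def make_sample_image(disk_sectors, with_bios_boot=True):
    """Constructed sample: a sparse in-memory GPT image (protective MBR, header, entries)."""
    n_entries, entry_size = 128, 128
    alt_lba = disk_sectors - 1
    first_usable, last_usable = 34, alt_lba - 33

    def entry(type_guid, first, last, name):
        return struct.pack(ENTRY_FMT, type_guid.bytes_le, uuid.uuid4().bytes_le,
                           first, last, 0, name.encode("utf-16-le"))

    entries = []
    if with_bios_boot:
        entries.append(entry(BIOS_BOOT_GUID, 2048, 6143, "bios_grub"))  # 4096 sectors = 2 MiB
    entries.append(entry(LINUX_FS_GUID, 6144, last_usable, "root"))
    table = b"".join(entries).ljust(n_entries * entry_size, b"\0")
    hdr = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, alt_lba,
                      first_usable, last_usable, uuid.uuid4().bytes_le, 2,
                      n_entries, entry_size, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # fill header CRC
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0xEE  # protective MBR partition type
    mbr[510:512] = b"\x55\xAA"
    return io.BytesIO(bytes(mbr) + hdr.ljust(SECTOR, b"\0") + table)


if __name__ == "__main__":
    # 3 TiB sample disk; for a real disk use open("/dev/sdX", "rb") as root.
    for flag in (True, False):
        print(bios_boot_check(make_sample_image(3 * (1 << 31), with_bios_boot=flag)))
```

A real disk is checked by passing `open("/dev/sdX", "rb")` (read-only, as root) instead of the sample image; the CRC checks also catch a GPT that a partitioning tool left half-written, which is a common reason `grub-install` refuses the disk.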

I just found this:

So does it even matter what we use?
Standard UEFI (with Secure Boot and TPM 2.0 disabled) vs. coreboot + SeaBIOS vs. PureBoot (based on coreboot)

I’m not an expert when it comes to this low-level stuff.
But I assume if you have a backdoor in coreboot you can still prevent the machine from booting, enable TPM 2.0 and encryption, as well as put malware on the OS?
If yes, why? If not, why? Would love some clarification.
What can and what can’t you do with a coreboot backdoor on a system that uses coreboot + SeaBIOS?

1 Like

Are you saying you don’t want to use coreboot (any payload) because the NSA is contributing to it?

coreboot is open source, and contributions from any party are reviewed by others. If the NSA wanted to backdoor coreboot (maybe they do, I don’t know), I would expect them to do it from an account not obviously associated with the NSA. The NSA contributes to other things like Linux also, they created SELinux (mentioned in the linked articles).

Don’t construe this as defending the NSA in general, but just because they have contributed to an open source project does not in my mind taint that project. The NSA needs secure computers as well. The wonderful thing about open source is that we can take any good things they offer without tying them to any bad things we would not want. (I don’t know of any specific “bad things” regarding coreboot, but that is my general philosophy about open source.)

In principle, backdoored firmware could do nearly anything it wanted to the OS. Preventing the machine from booting would be easy. It could in theory tamper with the OS kernel as it’s loaded, or tamper with new firmware images as they are written.

Some of those attacks would be very complex though. For example, tampering with a new firmware image is possible, but it would also have to somehow pass flashrom’s verification pass, perhaps by tampering with the kernel to in turn tamper with an executable named ‘flashrom’ to alter its verification pass.

As always, you need to decide what measures are reasonable for you to take, given your threat model. This risk exists but it is mitigated by the complexity of the attack. You have to decide how likely it is that a threat actor with those resources would want to target you, and weigh that against the costs of any measures you’d take to defend against that attack.

From my end, I work to reduce the costs of those measures - by making firmware security simpler, making privacy-respecting devices that are easy to use, etc. This enables more people to choose more secure options easily.

6 Likes

Well, let’s just say I would be more enthusiastic if they would not.

Yeah, but they have a lot of resources. They can run their own non-public coreboot and Linux versions.

Well, I guess this answers the question.

The thing is I don’t know if there is a backdoor in coreboot or not, so I just assume there is.

At the end of the day, replacing standard UEFI with coreboot + UEFI payload (PureBoot for example) is already an improvement since you cut companies like Microsoft out of the equation.

Replacing it with coreboot + SeaBIOS means even fewer attack points since it’s much more basic.

If we assume there are backdoors (maybe not even added intentionally) in everything (standard BIOS, coreboot, UEFI, Linux, Windows, encryption algorithms…), running coreboot + SeaBIOS is probably as good as it gets and more than sufficient for most people, including me.

The most important part is obviously to prevent companies like Microsoft from having control over the system. Most people (including me) can’t spot and fix coreboot and Linux backdoors/vulnerabilities anyway, so we have to live with them, unfortunately.

1 Like

PureBoot isn’t UEFI or BIOS - it’s a different thing entirely. It’s coreboot with Heads as the payload, which is a Linux kernel combined with tools/scripts to boot your OS.

2 Likes

Sorry, I just assumed it’s UEFI. But I’m pleasantly surprised to find out it’s not. I think I need to look closer at it, because at some point I probably have to replace BIOS with something else.

2 Likes

Can you use PureBoot on any coreboot-compatible hardware or only Purism hardware?
I like the Librem 14, but obviously there is no desktop workstation / mainboard from Purism at this time.

1 Like

Heads upstream supports some other boards: https://github.com/linuxboot/heads/tree/master/boards

Not a lot of desktop boards though I’m afraid. KGPE-D16 needs a maintainer, hasn’t been tested for several PRs IIRC. Talos-II has a workstation version, it’s PPC64, I don’t know offhand whether the Heads port supports the workstation board or focused on the server.

1 Like

may contain some inspiration (w/o Windows):

1 Like

That link is interesting, but it’s not really avoiding UEFI in the sense discussed here. All of the answers still use UEFI firmware, but are tricking the OS in various ways to install in BIOS mode.

I get that, it’s still a benefit - it’s nice that BIOS installs don’t have the OS tied to firmware state that’s needed to boot it. UEFI adds state that has to be right in the firmware (though some firmwares will detect it sometimes, yada yada, it’s still a headache).

PureBoot Basic can autodetect and boot the OS with no firmware state too :slightly_smiling_face:

2 Likes