Purism vs. Related projects FAQ (Librem, Qubes, etc...)

Hi,

You got some excellent questions, so let me try to answer them to the best of my abilities …

A Librem laptop is recent hardware with a focus on privacy and security. It does that by giving you a system which works without requiring any binary blobs in the Linux kernel, and it has hardware killswitches to allow you to disable wifi/bluetooth/camera/microphone. The libreboot laptops are old machines that are refurbished and have the ME removed, and run Linux. I don’t know if they come with a webcam/microphone, but if they do, you can’t kill those by hardware: you could duct-tape the camera, but you can’t mute the microphone, for example. If they don’t come with webcam/mic, then that’s one less feature they have… you get the idea.
The big difference in terms of software is that the libreboot laptops come with libreboot and the Librem comes with coreboot. Coreboot uses binary blobs to initialize the hardware, while libreboot doesn’t. That’s why libreboot is limited to pre-2008 (not sure exactly if it’s pre-2008 or pre-some-other-date) hardware.

Well, yes and no. The ME being neutralized makes it really neutralized: it doesn’t have a kernel, it doesn’t have a network stack, it can’t do anything. Our latest releases actually come with a disabled ME, which is totally disabled and not running. The libreboot laptops have it ‘completely removed’ from the flash, yes, but the ME still runs some code from its own internal ROM, so really, there’s not that much of a difference between the two, since both will run ‘some code’ at boot to initialize the hardware, then both will disable themselves (libreboot because it can’t find the rest of the firmware in the flash, and Librem because it finds the HAP feature enabled, which tells it to disable itself, shut down and stop running). If you read my blog post about the ME disablement you’ll see that there is always some code running from the ROM. Libreboot doesn’t mention this because it obviously goes against their marketing campaign that the ME is “completely removed”. The difference though is that the FSF can RYF certify a device if it has no externally-loaded binary blob. If the full ME firmware was stored inside the ME’s internal chip itself and it was running, it would still be RYF, but if you have 1KB of code loaded from an external chip (the flash), then you can’t RYF certify it anymore. So that’s the big difference for the ME: the code that it runs is not ‘externally loaded’ for the libreboot.

Yes, that’s because the pre-20xx hardware had the FSP reverse engineered already (or maybe there was documentation, things were simpler back then, etc…) and so coreboot/libreboot can initialize the hardware all by itself. At some point though, support is non-existent and we need to use the FSP, which is the “Firmware Support Package”, which is just an Intel-fancy-word for “code to initialize the RAM and the PCH”.
You can see the mention of it in the Binary Situation page of coreboot, although in that page, it’s referred to as “Memory Reference Code” because it was called the MRC in coreboot for broadwell, then it became the full FSP image after skylake.

Yes, it does have an IOMMU, however, it’s not currently enabled; it just needs to be enabled in coreboot, and that’s the thing we’re going to work on next. Older hardware simply does not have IOMMU support as far as I know.

The VBIOS isn’t freed yet, but there is work already for a native graphics init. However, I think the last I heard was that there was some bug that made it not work for skylake and they were still looking into it. So there is progress there, the VBIOS isn’t freed, but it should be easy to free it eventually, so just keep an eye out for that. As for the EC, it’s unfortunately not freed either. We looked into that rather quickly, but I think the task would not be a trivial one. The EC however doesn’t have much control over your system, I might be wrong here but as far as I know, it mostly manages the battery and fans.

See the Freedom Roadmap. For a device to be RYF certified, you need to have 100% free software on it. Due to the small portion of ME code remaining, as well as the FSP and VBIOS, the device can’t be RYF certified. I don’t know if the EC would count though. Either way, work is being done to move us forward on that roadmap, so eventually we hope to get RYF, but for now it’s not possible.

It used to be certified, then Qubes decided to change the deal we had with them and it was just not financially viable. I already explained some of the new costs involved in keeping the certification here if you’re interested in the details. But there are three things here:

  • Librem 13 v1 was Qubes 3.x certified
  • Librem 13 v2 never went through the Qubes 3.x certification, but there are no technical reasons for it not to work
  • Librem 13 v2 would not work with Qubes 4.x (which I’d like to remind everyone is not yet officially released) because it requires IOMMU to be enabled.
    (Note that when I say “librem 13 v2” that also includes “Librem 13 v3”).
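Since the Qubes 4.x requirement above comes down to whether the IOMMU is actually enabled (not just present, as noted for the Librem 13 v2), here is a small POSIX shell check for a running Linux host. This is an added example, not Purism’s or coreboot’s code; it assumes the standard kernel signals (the /sys/kernel/iommu_groups directory, the “DMAR: IOMMU enabled” / “AMD-Vi:” kernel log lines, and the intel_iommu=on / amd_iommu=on command-line options), and takes its inputs as parameters so it can be run against constructed data as well as the live system.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an IOMMU is active on a Linux host.
# Three independent signals, each passed in as a parameter so the check also works on
# constructed input:
#   1. SYSFS_ROOT/kernel/iommu_groups holds at least one numbered group directory
#   2. the kernel log shows the Intel ("DMAR: IOMMU enabled") or AMD ("AMD-Vi:") driver
#   3. the kernel command line asked for it (intel_iommu=on or amd_iommu=on)

# iommu_groups_present SYSFS_ROOT -> returns 0 if any IOMMU group directory exists
iommu_groups_present() {
    _dir="$1/kernel/iommu_groups"
    [ -d "$_dir" ] || return 1
    for _g in "$_dir"/*; do
        [ -d "$_g" ] && return 0
    done
    return 1
}

# kernel_log_reports_iommu LOGFILE -> returns 0 if the DMAR or AMD-Vi driver announced itself
kernel_log_reports_iommu() {
    grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: ' "$1"
}

# cmdline_requests_iommu CMDLINE_STRING -> returns 0 if intel_iommu=on or amd_iommu=on is set
cmdline_requests_iommu() {
    case " $1 " in
        *" intel_iommu=on"*|*" amd_iommu=on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# iommu_status SYSFS_ROOT LOGFILE CMDLINE -> prints one of:
#   active                   an IOMMU is up (groups exist or the driver reported in)
#   requested-but-inactive   asked for on the command line, but no sign it came up
#                            (the firmware may not expose it, as described for coreboot above)
#   inactive                 neither requested nor present
iommu_status() {
    if iommu_groups_present "$1" || kernel_log_reports_iommu "$2"; then
        echo active
    elif cmdline_requests_iommu "$3"; then
        echo requested-but-inactive
    else
        echo inactive
    fi
}

# Live usage on the running machine (needs permission to read the kernel log):
#   dmesg > /tmp/kmsg && iommu_status /sys /tmp/kmsg "$(cat /proc/cmdline)"
```

A result of requested-but-inactive is the case the post describes: the kernel was told to use the IOMMU, but the firmware never set it up, so PCI passthrough and Qubes 4.x will not work until coreboot enables it.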

The libreboot page had a very anti-Purism text in their FAQ which was full of false statements and was really bashing on Purism for no good reason. It was eventually taken down after a long time, then I think a more subdued version was put back into their FAQ. I think that since the one-and-only project leader of libreboot is also the main person benefiting financially from the sale of the libreboot laptops, you need to be careful about such statements. I think that making a statement about competitors without it turning ugly, hurting someone’s feelings, or being accused of skewing the truth to our advantage, would just be too hard, so I think it’s just better to let people decide on their own or find answers elsewhere. The risk of a flamewar is too great.

That’s a mistake I’ve seen others make before. The statement without the parentheses says that “Purism laptops are completely free from the BIOS to the bootloader through the kernel, including the operating system and all software”. Now, if you add the parentheses, you realize that the “BIOS (see the history of our coreboot involvement)” is freed because it runs coreboot instead of a proprietary BIOS, and that the “kernel (with no mystery code, binary blobs or firmware blobs)” is the Linux kernel with no binary blobs. The freed coreboot BIOS itself is not binary-blob free; it’s the Linux kernel that is binary-blob free, so it’s important not to confuse the two.
Most machines nowadays that run Linux require a lot of binary firmware for them to work. I think just for the wifi to work, we only found one wifi card that doesn’t require a binary firmware, so the fact that you can run a binary-free Linux distribution on the machine and that every feature (other than bluetooth) works is a great achievement/feature of the laptops in itself, and that’s the point the statement is making, not to be confused with the binary-freedom status within coreboot itself.

Yep, pretty much a good conclusion, so I’ll just reuse your conclusion for my post as well, thanks! :)