There has been some rumors about different add-ons to the Librem 13/15 being non-free like the NVME Drives. I’ve been debating between getting the LIbrem 13 or a Technoethical T400s and would like to fully understand any freedom issues.
well, this is no secret, there are of course non-free firmware parts in the Librem laptops, this is almost impossible to avoid. Devices like laptops contain a dozen or more CPUs, all of which need some form of software, aka firmware. There is e.g. the embedded controller, the touchpad controller, the Wifi chip, the Bluetooth chip, the storage devices (NVME or SATA) etc. Many of these have their firmware included in silicon, like in a ROM or flash space they come with. Some others do need a firmware download at runtime.
The current state on the Librem laptops is that we do not ship any firmware that needs to get loaded at runtime. This has to do with security issues and also with freedom issues around runtime loaded firmwares. What we also do is that we try to free firmwares as much as possible, like we got rid of the proprietary BIOS and replaced it with Coreboot. Are we there yet and fully free and open? No. But we are working hard on it and solve the puzzle piece by piece.
My only criticism for this is that laptops like the Technoethical T400s are RYF certified.
I understand that Librem Laptops have many hardware advantages like SSD Drives, Intel Core I7, graphics, e.c.t. But, why would stuff like the touchpad, Bluetooth, wifi, e.t.c contain non free software when free’d options are in use?
Could Purism not swap out these components, similar to what Technoethical does? Also, why aren’t free’d storage devices available?
TL;DR In FSF terms, in what areas are the Librem laptops free?
the thing is there is STILL some % of the binary blob left that they can NOT get out and have the device working. for this reason the fact REMAINS that NOBODY knows what that code does besides the obvious functions it performs in order for the device to work as you can’t see that code. so even if it’s still just a few percent left of the blobs they can still behave in an unpredictable fashion for no one can read the code.
and it’s especially dangerous if the “blob” resides in the firmware level (this is a low level code and it is that much more important than the actual os)
@jeremiah Yes, and Purism is none the less making huge strides . But, in other forums (example) people seem to think Purism only has the non removable (at least until we reverse engineer) portion of the Intel Core I7. This however, seems not to be the case (please correct me if I’m wrong) but Librem Laptops still contains and run non-free wifi, bluetooth, storage devices, and touchpads.
Generally speaking, other operations like Technoethical remove these portions. Why can’t the same be said for Purism?
the thing is there is STILL some % of the binary blob left that they can NOT get out and have the device working…
@reC Thanks you for your input, however the issue I’m trying to understand is WHAT non-free software is still there. I understand we may have no idea what it does, but it would be helpful to understand what company makes it and what we do know about it.
that’s what i was trying to say.
only the persons who wrote that code and the ones that have a copy of it or have seen it after beeing written can tell us for a FACT what it does. but even then unless the actual code on each persons device can be seen and read NOBODY can TRUST even that person that has whitnessed the code inception because we can’t verify if the firmware has remained the same (for example maybe since it was originally written it has been modified at least once)
Good question(s). I can only speak from the things I have direct experience in, other things I may describe incorrectly which would only add to the confusion. I do know for example that sometimes we encounter binary blobs as part of the firmware. When these blobs are disassembled through reverse engineering best efforts they reveal themselves to be configuration data sometimes and not executable code.
I can’t speak for Purism as I don’t work there, but they seem to be aiming to strike a balance between having a computer with FSF RYF seal of approval and a computer that someone would actually want to have to use every day. I can tell you right now that if they were offering what I see on Technoethical, I would be fighting to get WiFi working on another MacBook. Would I prefer a totally free laptop? Absolutely. I prefer a fast, modern laptop that looks great, more, though, and am content to make this compromise while their team keeps doing what they’re doing.
Well, concerning these firmwares in touchpad and other controllers, I would be really amazed if the firmware for these would be freely available for the T400? Can you point me to these firmware sources? There is a trackpoint in the T400 which is proprietary IBM/Lenovo IP, patented even - there is the firmware available? The T400 can also include Bluetooth. The Bluetooth module contains a firmware. Is this sourcecode available? Where?
My point here is, just because Linux does not load a firmware at runtime does not mean that there is no firmware. A current laptop contain a dozen or more CPUs which all need software. Many of them, like a touchpad controller, come with this pre-installed in silicon (like I described some posts ago). As a user you do not see that and can consider this complete component as “hardware”. This is also what RYF does. As soon as this firmware becomes updateable and especially as soon as the firmware needs to get loaded at runtime, e.g. through the Linux kernel, things start to get non-freedom-respecting and thus concerning (or unethical).
ATM PureOS does not ship any non-free binary only firmwares. On the Librem laptops this means these are almost RYF. The bits missing for RYF on the Librem laptops are the non-free parts that are still needed to initialize the CPU, i.e. parts coming from the FSP (Firmware Support Package).
just because Linux does not load a firmware at runtime does not mean that there is no firmware
This is my question, if I understand correctly to receive RYF certification you can have non-free software but that software must not run or be easily confused (please correct if wrong).
The Technoethical T400s is RYF certified.
he bits missing for RYF on the Librem laptops are the non-free parts that are still needed to initialize the CPU, i.e. parts coming from the FSP (Firmware Support Package).
To clarify, the only thing keeping you Purism from reaching RYF certification is the Intel ME(which is disabled) and the Intel FSP (which is open source)?
All the rumors about the drives and such running non-free software or being a security threat are untrue?
First of all firmwares.Very strictly speaking RYF to my knowledge requires that firmwares are opaque to users, i.e. you must not have to deal with them; and they should be immutable - i.e. also no updates. This way a chip containing a firmware can be considered as just a piece of hardware. This way it can be assured that no one can disable or otherwise limit the freedom of the users by tinkering with the firmware. It will always stay the same, with the same documented and defined interface.
That was the idea.
From what I know FSF is thinking about redefining this a bit. The problem with this approach is that if you have more complex devices with a larger firmware (like a WiFi chip), the higher is the chance that the firmware contains bugs which can threaten the user’s security. So making this requirement so strict that even security related firmware updates become impossible can not be in the general interest. The problem here is, if you open the door for upgrades, you also open the door to potential security threats by upgrading malicious firmware. So there is a mitigation needed which is being thought about and worked on - but with not timeline.
Concerning Purism laptops, we have to use some parts of the ME firmware, yes, or else the machine will not boot. We have eliminated a large part of it already and also set the disable bit so that even the remaining parts do not get executed, but yes, it is still there. We are working on further eliminating it but this reverse engineering effort is extremely intense - browse through our blog posts and you will quickly recognize how much effort this really is; we invest a lot in that. We also have to use other binaries like the video BIOS which is currently extracted during Coreboot build time from the running BIOS. Currently there is no free replacement for it.
Yes, there are rumors that Intel will release large parts of the FSP as open source now but the question is which parts will be really free then? I assume that quite some parts will remain binary only but under a license to share the binaries but not to reverse engineer them. We have to see, the project was IIRC just announced. (Similar half-and-half “free” things can also be found e.g. with the well known Esspressif SDKs for the WiFi microcontrollers. The SDK is free and many parts are even open source, but the core WiFi stack and radio handling is implemented in binary only libraries which come with the “free” SDK. So it is free to use and some parts are actually available in source code but the whole package is not free software.)
Finally, concerning storage drives’ firmware and such, of course these “rumors” are not false. Like I wrote above, as soon as a firmware can be updated or circumvented then there are of course security threats. Current RYF is very strict about that. But what I wanted to point out is that devices like the T400 that was mentioned here also contain non free firmwares. There is currently and practically no way around it and the example you give with the storage drives totally applies here - buy a drive (harddisk or SSD) and stick in that device and you have that (upgradeable) piece of firmware in this device. I am not aware of any storage device for a PC (IDE, SATA or NVME) that does not come with a firmware that is not upgradeable or free.
I believe that author is trying to ask why these firmware aren’t part of Purism’s liberation.
You can find several recent statements of Purism CEO Todd Weaver stating that Intel ME is the last part for full free software liberation. For example in the recent Monero Talk:
"[…] we don’t include any binaries in anything beyond what’s called the Intel management […] so that’s the last remaining piece which believe that we’re already okay […] then we are completely liberated on the laptop " - Video Link. Date: November 23, 2018
What has Purism done to verify that this software isn’t malicious? What can it do?
Does this not affect Purism’s roadmap to FSF RYF certification?
And finally, I would like to note that the ThinkPad T400s is different than the Technoethical T400s and that although I cannot guarantee it doesn’t include non-free software it is RYF certified. I recommend looking into the Technoethical T400s’ specifications page. @nicole.faerber@jeremiah
I’ve looked at Technoethical’s RYF page at FSF and I don’t see anything that leads me to believe that they’ve successfully mitigated all binary blobs. All the wording I see says “free operating system” and even when searching for “firmware” I can’t find any reference. The most relevant info from FSF seems to be;
Many Wi-Fi chipsets have free software drivers for GNU/Linux but require proprietary firmware blobs loaded at run-time. Developers with experience with wireless firmware may consider freeing these firmwares, such as the firmware from Broadcom and Marvell SDIO chips.
I think this is the situation everyone finds themselves in, but I haven’t looked closely at Technoethical’s set up so I can’t say.
However, there is an exception for secondary embedded processors. The exception applies to software delivered inside auxiliary and low-level processors and FPGAs, within which software installation is not intended after the user obtains the product. This can include, for instance, microcode inside a processor, firmware built into an I/O device, or the gate pattern of an FPGA. The software in such secondary processors does not count as product software.
We want users to be able to upgrade and control the software at as many levels as possible. If and when free software becomes available for use on a certain secondary processor, we will expect certified products to adopt it within a reasonable period of time. This can be done in the next model of the product, if there is a new model within a reasonable period of time. If this is not done, we will eventually withdraw the certification.
To me, this sounds like the exception you both are talking about (then again, not extremely technical). I would like to hear you opinion on it though, considering you both contribute to Purism. @firstname.lastname@example.org
As to my questions above, has Purism tooken any steps to “sandbox” or somehow restrict these non-free programs? Do we have any idea what they can do?
The quote you’ve added does bare some similarity to our situation, yes. Note that we do not ship an FPGA currently on any device to the best of my knowledge but they mention ‘firmware’ which is something we encounter.
As for “sandboxing” that is generally done in the space that user applications run in. In the case of firmware that firmware is essentially burned into the silicon, on very few occasions can you change it. This is why FPGA (Field Programmable Gate Arrays) have become so popular, you can change them once they’re deployed. The Linux kernel runs “on top” as it were of the firmware and special software that plugs into the kernel (a driver) drives the device by communicating with the firmware. Here’s an example: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/ar7010_1_1.fw That firmware is likely written in a language called assembly which is meant to be run on the physical hardware, and will only work on that specific physical device since it is made to move electrons on that specific device. As such, it is not ‘sandboxed’ but it is somewhat isolated since it can only run on the physical device and can’t run on the operating system itself.
i commend you for this noble quest. what a nightmare right ?
just remember that as long as there are people that chose to fight “fire with fire” there MUST be SOME way to enforce law. as such no matter how much we ALL wish for 100% freedom respecting devices there IS the justified need to not be 100% free if that makes sense.
unfortunately the people that have been entrusted with LAW consider that WORLD > FREEDOM as such there is no way to have at any point 100% freedom respecting devices. it’s sad but this is to say “try not to go crazy”
I would boil it down to; There is no really newer cpu sultuon then in the t400 which allow libreboot and therfore RYF certification for notebooks.
Purism decided to use newer hardware wich has alsmost no firmaware for cpu.
So the question is just are you willing to make this trade of for the better perfromance?
The fact that these are the biggest companies tells us a lot of people don’t even care that much about the performance.
I respect what technoethical is doing, but I like what Purism is doing more, and I honestly think their approach is going to have a more positive impact, so that’s where I’m going to keep spending my money. I don’t know if they’re selling refurbished computers or what, but a company with products like that isn’t going to gain enough market share to put pressure on anyone