Libreboot Laptops comparison
Warning
This page is a work in progress and might be incomplete.
Introduction
Since several computers are compatible with Libreboot, this page tries to document the differences that matter to a person wanting to get such a device.
This article focuses only on laptop computers for now, as desktop computers have different specificities.
Specifications
Comparison table
Device | Form factor | CPU | Max RAM | CPU upgradable? | Max screen resolution | Card Reader | Fingerprint Reader | TPM | Light | IRDA | Dock | Extension cards | ATA/SATA ports/slots | Ethernet | Internal mini-pcie slots | Internal microphones | SIM card slot for modems | Bluetooth | Input devices | Firewire | Webcam | Free software EC | NIC firmware | Management engine | Flash chip | Flash chip physical access | Intel Flash descriptor | Device |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Lenovo Thinkpad T60 | Big laptop | x86, i686 or x86_64 (depending on the CPU) | Less than 4G, DDR2 | Yes | 1600x1200 matte | No | Optional | Yes, soldered standalone chip | Yes | Yes | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, cardbus, not initialized until the OS loads the driver | 1x internal 2.5" SATA HDD, ATA DVD reader. | 1000 (e1000e) | 1 or 2 (populated/unpopulated) | 1? 2? | optional | optional | | Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module | No | No | no, the chip is capable of it but is not configured for it, even with the default boot firmware. | no | soic-8 | Medium | ? | Lenovo Thinkpad T60 |
Lenovo Thinkpad X60, X60s | Small laptop | x86, i686 or x86_64 (depending on the CPU) | Less than 4G, DDR2 | Soldered | 1024x768 matte | SDIO | Optional | Yes, soldered standalone chip | Yes | Yes | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, cardbus, not initialized until the OS loads the driver | 1x internal 2.5" SATA HDD, dock: ATA? | 1000 (e1000e) | 1 or 2 (populated/unpopulated) | 1? 2? | optional | optional | | Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module | No | No | no, the chip is capable of it but is not configured for it, even with the default boot firmware. | no | soic-8 | Medium | ? | Lenovo Thinkpad X60, X60s |
Lenovo Thinkpad X200 | Small laptop | x86_64 | 8G DDR3 (requires specific DIMMs) | Soldered | 1280x800, matte | Mass storage, USB | Optional | Management engine application | Yes | No | Yes, no DMA signals exported | Yes, Express Card, should have DMA | 1x internal 2.5" SATA HDD, dock: ? | 1000 (e1000e) | 1? 2? or 3 | 1? or 2? | optional? | optional? | | No | Optional | No | Disabled with coreboot and libreboot | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. | soic-16 or soic-8 | Easy | Yes | Lenovo Thinkpad X200 |
Lenovo Thinkpad T400 | Big laptop | x86_64 | 8G DDR3 (requires specific DIMMs) | Yes | 1440x900 matte | No | Optional | Management engine application | Yes | No | Yes, TODO: Check DMA status | Yes, Express Card, should have DMA | 1x internal 2.5" SATA HDD, dock: ? | 1000 (e1000e) | 1? 2? or 3 | 1? or 2? | Optional? | Optional? | | Yes | Optional | No | Disabled with coreboot and libreboot | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. | soic-16 or soic-8 | Hard | Yes | Lenovo Thinkpad T400 |
Second hand devices consideration
Shops and people (TODO)
Thermal paste (TODO)
I945 or GM45?
Performance
The GM45 is faster (better GPU and CPU). The maximum amount of RAM on the I945 chipset is a bit less than 4G, and is around 8G on GM45.
Management Engine
The GM45 has a Management Engine. See this article for what the Management Engine really is. In a nutshell, it's a chip designed to remove users' control over their computer.
It is often said that the Management Engine can be disabled on some computers.
On computers with a GM45 chipset, it can be "disabled" by removing the code and data that it is supposed to load from the Management Engine partition on the boot flash. This is done in a way that still keeps the computer working.
However, the Management Engine processor is undocumented, and code baked into it (boot ROM) still runs at boot. What that code does is not known, but it is supposed to load (and check?) the code that resides in the Management Engine partition on the boot flash, and possibly to initialize hardware.
TPM
A Trusted Platform Module (TPM) is a dedicated processor that exposes several features by following the TPM standard:
- It can compute the hash of the data you send to it and return that hash to you.
- It has a private key and can sign that hash.
- Successive hashes are chained: each new value depends on the previous ones.
- It can release a secret when a specific hash is attained.
This can be used in several ways, for instance to make sure that the computer boots with integrity, by releasing a secret only when a certain hash is attained. To do that, the first piece of boot software is made read-only. At boot it initializes the TPM and sends its own code to the TPM. It also sends the next piece of software in the boot chain to the TPM before executing it. This way, if that next piece of software is modified, the expected hash is never attained.
Caveats:
- This requires forcing the code that initializes the TPM to run (for instance by making it read-only so it cannot be changed, and so is always the code that runs).
- If the user is not in control, it could be used to force the user to run a certain software configuration in order to access some data.
As for the hardware, it can be implemented either:
- as a separate chip (which cannot be trusted, as there is no way to know what the chip really does and does not do)
- as software running in the Management Engine, which cannot be trusted and puts the user's freedom, privacy and security at risk, as it requires the Management Engine to run non-free code. See the part on the Management Engine for more details.
The issue is that most TPMs run non-free firmware (which can be updated), so we cannot really trust their security.
Even if some free software implementations of TPMs exist (like in the Talos II), they are not used in the Thinkpads supported by Libreboot.
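The chained-hash boot check described above, as an added simulation (not code from the page or from any TPM or firmware project): a register that can only be extended, a constructed three-stage boot chain, and a secret sealed to the expected final value. Real TPMs keep several such registers (PCRs) and do the sealing inside the chip; here both are plain Python so the effect of tampering with a later stage is visible.

```python
import hashlib

def extend(pcr: bytes, data: bytes) -> bytes:
    """Extend operation: the register can never be set directly, only chained,
    so every value depends on all measurements made before it.
    PCR_new = SHA-256(PCR_old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot_chain(stages):
    """Measure each boot stage in order, the way a read-only first stage would
    send itself and then its successor to the TPM before executing it."""
    pcr = bytes(32)                        # register starts at all zeros after reset
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

class SealedSecret:
    """A secret bound to one expected register value; released only on an exact match."""
    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret, self._expected = secret, expected_pcr
    def unseal(self, pcr: bytes):
        return self._secret if pcr == self._expected else None

# Constructed sample boot chains (not real firmware images).
GOOD_CHAIN = [b"bootblock v1 (read-only)", b"grub payload", b"vmlinuz"]
TAMPERED_CHAIN = [b"bootblock v1 (read-only)", b"grub payload", b"vmlinuz + implant"]

def demo():
    """Seal a key to the good chain, then try to release it from three boot histories."""
    secret = SealedSecret(b"disk-encryption-key", measure_boot_chain(GOOD_CHAIN))
    return {
        "good": secret.unseal(measure_boot_chain(GOOD_CHAIN)),
        "tampered": secret.unseal(measure_boot_chain(TAMPERED_CHAIN)),
        # Same stages in another order also fail: the chain is order dependent.
        "reordered": secret.unseal(measure_boot_chain(GOOD_CHAIN[::-1])),
    }
```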
Flash descriptor
The flash descriptor is data that resides at the beginning of the boot flash. If it is present, it configures one or more partitions on the boot flash.
Partition | Usage |
---|---|
Descriptor | |
BIOS | |
ME | |
GbE | |
Platform | ? |
The flash descriptor can also set read/write permissions on the partitions. It can for instance be used to make the whole flash chip read-only for the software running on the laptop: to modify what is in the flash chip, the user would then have to disassemble the laptop and reprogram the flash chip with an external programmer, instead of simply running the flashrom program on the laptop.
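To make the permission mechanism concrete, here is an added parser (not code from the page, from libreboot or from coreboot's ifdtool) for the region map and master permission words of an ICH9-era (version 1) descriptor, the layout ifdtool and ich9gen work with. The image it inspects is constructed here with a small builder; the region offsets and permission bits are sample values, not a dump of a real board. `host_can_reflash` answers the question the text raises: could flashrom running on the laptop rewrite the whole chip, or is an external programmer required?

```python
import struct

# Added example: IFD version 1 (ICH9-era) layout as ifdtool reads it; image is constructed.
IFD_SIGNATURE = 0x0FF0A55A            # at offset 0x10 when a descriptor is present
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]
MASTERS = {"Host CPU/BIOS": 0, "ME": 1, "GbE": 2}   # FLMSTR1..3 in the master section

def build_descriptor(regions, masters):
    """regions: [(base, limit)] in REGIONS order; masters: {name: (read_bits, write_bits)}."""
    fd, frba, fmba = bytearray(0x1000), 0x40, 0x60   # region map at FRBA, masters at FMBA
    flmap0 = (len(regions) - 1) << 24 | (frba >> 4) << 16   # NR bits 24-26, FRBA bits 16-23
    flmap1 = fmba >> 4                                       # FMBA bits 0-7
    struct.pack_into("<III", fd, 0x10, IFD_SIGNATURE, flmap0, flmap1)
    for i, (base, limit) in enumerate(regions):
        struct.pack_into("<I", fd, frba + 4 * i, (limit >> 12) << 16 | base >> 12)
    for name, idx in MASTERS.items():
        rd, wr = masters[name]
        struct.pack_into("<I", fd, fmba + 4 * idx, wr << 24 | rd << 16)
    return bytes(fd)

def parse_descriptor(fd):
    """Return ({region: (base, limit)}, {master: {region: 'rw'|'r-'|'-w'|'--'}}) or None."""
    sig, flmap0, flmap1 = struct.unpack_from("<III", fd, 0x10)
    if sig != IFD_SIGNATURE:
        return None                      # no descriptor: the chip is accessed as one flat region
    nr = ((flmap0 >> 24) & 7) + 1
    frba, fmba = ((flmap0 >> 16) & 0xFF) << 4, (flmap1 & 0xFF) << 4
    regions = {}
    for i, name in enumerate(REGIONS[:nr]):
        reg = struct.unpack_from("<I", fd, frba + 4 * i)[0]
        base, limit = (reg & 0xFFF) << 12, ((reg >> 16) & 0xFFF) << 12 | 0xFFF
        if base <= limit:                # base > limit marks an unused region
            regions[name] = (base, limit)
    perms = {}
    for name, idx in MASTERS.items():    # read bits 16+n, write bits 24+n, n = region index
        m = struct.unpack_from("<I", fd, fmba + 4 * idx)[0]
        perms[name] = {r: ("r" if m >> (16 + i) & 1 else "-") + ("w" if m >> (24 + i) & 1 else "-")
                       for i, r in enumerate(REGIONS[:nr]) if r in regions}
    return regions, perms

def host_can_reflash(fd):
    """True if the host CPU may write every defined region, i.e. flashrom run from the OS
    could replace the whole image; False means an external programmer is needed."""
    parsed = parse_descriptor(fd)
    return parsed is None or all(p == "rw" for p in parsed[1]["Host CPU/BIOS"].values())

# Constructed 2 MiB layout: descriptor, BIOS, ME, GbE (no Platform region), in REGIONS order.
LAYOUT = [(0x000000, 0x000FFF), (0x1F0000, 0x1FFFFF), (0x003000, 0x1EFFFF), (0x001000, 0x002FFF)]
LOCKED = {"Host CPU/BIOS": (0xF, 0x0), "ME": (0x4, 0x4), "GbE": (0x8, 0x8)}  # host: read only
UNLOCKED = {m: (0xF, 0xF) for m in MASTERS}                                 # all masters: rw everything
```

`LOCKED` is the vendor-style configuration the text describes (the host may read but not write any region), while `UNLOCKED` stands in for an unlocked descriptor where every master may read and write everything; both are constructed values, not copied from any shipped descriptor.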
Input devices
Trackpoint
- When used to a mouse or a touchpad, adapting to a trackpoint can take quite long (it took several weeks for me).
- The precision/speed and acceleration of mice, touchpads and trackpoints can be configured. The ratio between speed and precision can be less favorable on a trackpoint than on a touchpad.
- The trackpoint is in the middle of the keyboard, so when using the keyboard extensively and the mouse less, it is a huge advantage, as the hands don't have to keep moving back and forth between the touchpad/mouse and the keyboard. Not only can this increase computer usage efficiency, it also causes less wrist strain than a touchpad or a mouse.
- The trackpoint requires less effort to move.
- The rubber cap is replaceable and wears out with years of usage. A worn-out cap results in a much less favorable precision/speed ratio, so in that case it's advised to replace it.
- The trackpoint is probably easier to use in public transportation or vehicles (as there is a lot of vibration, acceleration, etc. in such environments).
Touchpad (TODO)
Keyboards (TODO)
Flash chip access and reflashing difficulties
Lenovo, at the time, didn't manufacture I945 or GM45 Thinkpads with Libreboot, so Libreboot somehow needs to be installed on such laptops to run.
Depending on the laptop:
- It might be possible to install Libreboot without having to open/disassemble the laptop, or not.
- It might be easy or hard and time consuming to disassemble the laptop enough to access the flash chip.
Depending on you:
- You might find it easy or hard to disassemble a laptop, and might or might not be inclined to do everything yourself.
- You might be inclined to buy the laptop second hand yourself, along with the required parts, and have it flashed at a hackerspace that offers to do it.
- You might find it easier to just buy the laptop with Libreboot preinstalled. Various shops sell computers with Libreboot preinstalled, but it is better to look at the FSF's Respects Your Freedom page in order to buy them. This makes sure they really respect your freedom (otherwise they may require proprietary software to work, be shipped with a GNU/Linux distribution that has proprietary software in its repositories, etc.).
Installation through software
- With I945 Thinkpads, when running the stock boot firmware (BIOS/UEFI), installing coreboot/libreboot can be done just by running some commands on the laptop, without opening and disassembling it with a screwdriver.
Installation through hardware
- On GM45 Thinkpads this is not the case: to do such an installation, the laptop must be disassembled. Depending on the laptop this can take a lot of time or be really easy; easy or hard is relative to the time spent disassembling the laptop. It takes far less time to disassemble a Thinkpad X200 than a Thinkpad T400.
Installation through hackerspaces (TODO)
Installation through commerce
When one lacks the skills to install Libreboot, commerce can alleviate such difficulties by either:
- Selling computers with Libreboot pre-installed
- Flashing an existing computer that you send them
Several companies do either or both.
The Free Software Foundation (FSF) also maintains a list of hardware products that respect people's freedom. This list contains laptops compatible with Libreboot as well as the vendors where you can find them.
The Libreboot project also has a list of vendors.
SDIO VS Mass storage
- SDIO gives lower-level access, and thanks to that it can:
  - Gather more data on the inserted SD card: for instance serial numbers, OEM ids, hardware and firmware revisions, device name, etc.
  - Use SDIO peripherals (though peripherals like SDIO WiFi cards are very rare).
- USB Mass storage is however automatically compatible with many OSes, Libreboot payloads, and boot software. Booting from it doesn't require extensive software support. This can be neat, as you can boot from a tiny microSD if you use a microSD<->SD adapter.
Processor architectures (WIP)
Distribution or software | self hosted | x86 32bit support | x86 64bit support | ARM support | Audience |
---|---|---|---|---|---|
GuixSD | Yes | Yes | Yes | Yes | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
Hyperbola | Yes | Yes | Yes | No | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
Parabola | Yes | Yes | Yes | Yes | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
PureOS | Yes | No | Yes | No | Easy to use general purpose GNU/Linux distribution |
Trisquel | Yes | Yes | Yes | No | Easy to use general purpose GNU/Linux distribution |
x86 64bit
This is now the most supported architecture, which means that most users are using it.
The x86 64bit architecture appeared after the x86 32bit architecture. This enabled software developers and hardware manufacturers to revisit some design choices and to add various improvements. In practice this enabled them to:
- Improve security
- Fix the year 2038 bug and similar issues
- Probably many other small improvements
x86 32bit
Some projects stopped supporting x86 32bit computers:
- Xen stopped the support for 32bit x86 in Xen 4.3
- A 64bit system is required to build Android since Android 2.3
Other projects continue to support 32bit. This also applies when building Replicant.
Some projects made it a secondary architecture. This is the case with Linux, where some issues are fixed first for the x86_64 architecture and later for the x86 32bit architecture. This was for instance the case for many of the Spectre and Meltdown related security issues.
ARM (TODO)
Fingerprint Reader
The fingerprint reader can be used to check fingerprints with fprint under GNU/Linux, but at the time of writing, while the hardware supports it, fprint cannot use it as a very high resolution scanner. If the fingerprint sensor is unused, the cable that goes from the mainboard to it can be removed. Since that cable has 4 pins, and the fingerprint sensor is connected through USB, the cable might be usable as an internal USB port with some soldering. This can be handy to add extra USB peripherals like GPS or other devices.
Firewire (TODO)
Firewire is a bus very similar to USB, and supports the same kind of peripherals (hard drives, Ethernet cards, etc.).
It is widely used on DV cameras and can be used to retrieve the videos, but, as it is and was far less common than USB, it has mostly disappeared.
Firewire is also infamously known to have allowed read/write access to the computer's memory by peripherals or other computers; however, this is probably fixed by now:
# modinfo firewire_ohci
[...]
remote_dma:Enable unfiltered remote DMA (default = N) (bool)
It also allows a computer to emulate any Firewire peripheral, such as hard disks, Ethernet cards and so on.
Webcam (TODO)
Freedom, Privacy, Security reviews
Modems
Certain laptops have optional 3G/4G modems, which can also be added separately. They are (most of the time?) available in a mini-PCIe form factor; however, they are not connected through mini-PCIe but through USB: the mini-PCIe connector also exports USB signals.
Tests
With an Ericsson F3507g modem and a Lenovo Thinkpad X200 running Coreboot and GRUB as payload, the modem is already starting up when the computer is in GRUB. This has been observed by running simtrace when the computer boots.
Since non-free software, or a mix of free and non-free software, is running in such modems, that software can be abused by a malicious attacker to make the computer running coreboot see the modem as a USB keyboard, which can in turn start a terminal emulator and type commands.
If this security risk is relevant for the user, it is good practice to:
- Make sure that only the internal keyboard is used; this can be done by:
  - Making GRUB not load the USB keyboard module
  - Disabling USB keyboard support in SeaBIOS
  - Using the USB authorization framework in GNU/Linux, for instance with software like USBGuard
More general issues also apply:
- See the "Mobile telephony operators and privacy" section in the Replicant documentation
- Since the modem runs non-free software and is started at boot, it would be interesting to understand whether it connects to the operator network at boot. If not, an attacker might still be able to force it to do so. This has serious privacy implications as, if it is the case, it would allow the network operator to keep track of the computer's location when it is on.
- It would also be very interesting to understand under what conditions the computer running coreboot powers up the modem: for instance, if the computer is off, is the modem still powered? Is it still powered in standby? etc.
- The modem allows the operator, through the SIM card, to do things like redirecting calls and so on. This is covered by standards and is documented by the terminal-profile project. In the case of the Ericsson F3507g modem, the data is available here.
Tests TODO
- Test what happens with:
  nvramtool -w wwan=Disable
This page was a featured resource in August 2021.