Group: Hardware/Computers/Laptops/Freeable laptops/Libreboot Laptops comparison

From LibrePlanet

Warning

This is a work in progress and is or might be incomplete

Introduction

Given that several computers are compatible with Libreboot, this work tries to document the differences relevant to a person wanting to get such a device.

This article focuses only on laptop computers for now, as desktop computers have different specifics.

Specifications

Comparison table

| Specification | Lenovo Thinkpad T60 | Lenovo Thinkpad X60, X60s | Lenovo Thinkpad X200 | Lenovo Thinkpad T400 |
|---|---|---|---|---|
| Form factor | Big laptop | Small laptop | Small laptop | Big laptop |
| CPU | x86, i686 or x86_64 (depending on the CPU) | x86, i686 or x86_64 (depending on the CPU) | x86_64 | x86_64 |
| Max RAM | Less than 4G, DDR2 | Less than 4G, DDR2 | 8G DDR3 (requires specific DIMM) | 8G DDR3 (requires specific DIMM) |
| CPU upgradable? | Yes | Soldered | Soldered | Yes |
| Max screen resolution | 1600x1200, matte | 1024x768, matte | 1280x800, matte | 1440x900, matte |
| Card reader | No | SDIO | Mass storage, USB | No |
| Fingerprint reader | Optional | Optional | Optional | Optional |
| TPM | Yes, soldered standalone chip | Yes, soldered standalone chip | Management engine application | Management engine application |
| Light | Yes | Yes | Yes | Yes |
| IRDA | Yes | Yes | No | No |
| Dock | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, no DMA signals exported | Yes, TODO: Check DMA status |
| Extension cards | Yes, cardbus, not initialized until the OS loads the driver | Yes, cardbus, not initialized until the OS loads the driver | Yes, Express Card, should have DMA | Yes, Express Card, should have DMA |
| ATA/SATA ports/slots | 1x internal 2.5" SATA HDD, ATA DVD reader | 1x internal 2.5" SATA HDD, dock: ATA? | 1x internal 2.5" SATA HDD, dock: ? | 1x internal 2.5" SATA HDD, dock: ? |
| Ethernet | 1000 (e1000e) | 1000 (e1000e) | 1000 (e1000e) | 1000 (e1000e) |
| Internal mini-pcie slots | 1 or 2 (populated/unpopulated) | 1 or 2 (populated/unpopulated) | 1? 2? or 3 | 1? 2? or 3 |
| Internal microphones | 1? 2? | 1? 2? | 1? or 2? | 1? or 2? |
| SIM card slot for modems | Optional | Optional | Optional? | Optional? |
| Bluetooth | Optional | Optional | Optional? | Optional? |
| Input devices | Keyboard, Trackpoint, Touchpad | Keyboard, Trackpoint | Keyboard, Trackpoint | Keyboard, Trackpoint, Touchpad |
| Firewire | Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module | Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module | No | Yes |
| Webcam | No | No | Optional | Optional |
| Free software EC | No | No | No | No |
| NIC firmware | No, the chip is capable of it but is not configured for it, even with the default boot firmware. | No, the chip is capable of it but is not configured for it, even with the default boot firmware. | Disabled with coreboot and libreboot | Disabled with coreboot and libreboot |
| Management engine | No | No | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. |
| Flash chip | SOIC-8 | SOIC-8 | SOIC-16 or SOIC-8 | SOIC-16 or SOIC-8 |
| Flash chip physical access | Medium | Medium | Easy | Hard |
| Intel Flash descriptor | ? | ? | Yes | Yes |

Second hand devices consideration

Shops and people (TODO)

Thermal paste (TODO)

I945 or GM45?

Performance

The GM45 is faster (Better GPU, CPU). The maximum amount of RAM on the I945 chipset is a bit less than 4G, and is around 8G on GM45.

Management Engine

The GM45 has a Management Engine. See this article for what the management engine really is. In a nutshell, it's a chip designed to remove users' control over their computer.

It is often said that the Management Engine can be disabled on some computers.

Here on computers with a GM45 chipset, it can be "disabled" by removing the code and data that it is supposed to load from the Management Engine partition on the boot flash. This is done in a way that still makes the computer work.

However, the Management Engine processor is undocumented, and code baked into it (bootrom) still runs at boot. What that code does is not known, but it is supposed to load (and check?) the code that resides on the Management Engine partition on the boot flash, and possibly to initialize hardware.

TPM

A Trusted Platform Module (TPM) is a dedicated processor that exposes several features by following the TPM standard:

  • It can compute the hash of the data you send to it and return that hash to you.
  • It has a private key and can sign that hash.
  • Each successive hash depends on the previous ones.
  • It can release a secret when a specific hash is attained.

This can be used in several ways, for instance to make sure that the computer boots with integrity by releasing a secret only when a certain hash is attained. To do that, the first piece of the boot software is set read-only. At boot, it initializes the TPM and sends its own code to the TPM. It also sends the next software in the boot chain to the TPM before executing it. This way, if that next software is modified, the expected hash will never be attained.
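The hash chain described above can be modelled in a few lines. This is an added example, not code from the page or from Libreboot: it assumes SHA-1 registers as in TPM 1.2, uses constructed byte strings in place of real boot images, and models the release of the secret as a plain comparison, whereas a real TPM keeps the secret encrypted inside the chip.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length, the register width of a TPM 1.2


def extend(pcr: bytes, data: bytes) -> bytes:
    """Extend operation: new PCR = SHA1(old PCR || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measure_chain(stages) -> bytes:
    """Measure every boot stage, in order, into a register that starts at zero."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


def unseal(secret: bytes, sealed_to: bytes, stages):
    """Toy unseal: hand out the secret only if this boot reaches sealed_to."""
    return secret if measure_chain(stages) == sealed_to else None


# Constructed stand-ins for the images of a boot chain.
GOOD = [b"read-only bootblock", b"GRUB payload v1", b"kernel v1"]
TAMPERED = [b"read-only bootblock", b"GRUB payload v1 + implant", b"kernel v1"]
REORDERED = [GOOD[1], GOOD[0], GOOD[2]]

EXPECTED_PCR = measure_chain(GOOD)  # value recorded when the secret was sealed

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("tampered", TAMPERED), ("reordered", REORDERED)):
        print(name, measure_chain(chain).hex(), unseal(b"disk key", EXPECTED_PCR, chain))
```

Because the register can only be extended, never written, a stage that has already been measured cannot undo its own measurement.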

Caveats:

  • This requires forcing the code that initializes the TPM to run (for instance by making it read-only, so that it cannot be changed and is therefore forced to run).
  • If the user is not in control, it could be used to force the user to run a certain software configuration to access some data.

As for the hardware, it can be implemented either:

  • as a separate chip (which cannot be trusted as there is no way to know what the chip really does and does not do)
  • as software running in the management engine, which cannot be trusted, and puts the user's freedom, privacy and security at risk as it requires the management engine to run non-free code. See the part on the management engine for more details about it.

The issue is that most TPMs run nonfree firmware (which can be updated). So we cannot really trust their security.

Even if there are some free software implementations of TPMs that exist (like in the Talos II), they are not used in the Thinkpads supported by Libreboot.

Flash descriptor

The flash descriptor is some data that resides at the beginning of the boot flash. If it is present, it will configure one or more partitions on the boot flash.

| Partition | Usage |
|---|---|
| Descriptor | This is where the flash descriptor resides. |
| BIOS | This is where the BIOS or Libreboot resides. |
| ME | This is the partition where the Management Engine code and data reside. On computers with a GM45 chipset, it can be totally removed. |
| GbE | Contains settings for the Intel Gigabit Ethernet Controller, such as the default MAC address and the LED configurations. |
| Platform | ? |

The flash descriptor can also set read/write permissions on the partitions. It can for instance be used to make the whole flash chip read-only for the software running on the laptop: to modify what is in the flash chip, the user would then have to disassemble the laptop and reprogram the flash chip with an external programmer, instead of simply running the flashrom program on the laptop.
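To check both points on a flash dump (which partitions exist, and whether software on the laptop may write them), the descriptor can be decoded directly. This is an added example, not code from the page or from Libreboot: it assumes the descriptor layout of the ICH9-generation chipsets paired with GM45 (signature at offset 0x10, host permissions in the first master entry), and `build_sample` constructs a sample descriptor with the ME partition removed instead of reading a real dump.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A  # marks a valid flash descriptor
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]  # FLREG0..FLREG4


def parse_descriptor(image: bytes):
    """Return {region: (base, limit, host_read, host_write)}, or None without a descriptor."""
    if len(image) < 0x1000 or struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        return None
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # offset of the region table
    fmba = (flmap1 & 0xFF) << 4          # offset of the master (permission) table
    flmstr1 = struct.unpack_from("<I", image, fmba)[0]  # permissions of the host CPU
    regions = {}
    for i, name in enumerate(REGIONS):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:  # base above limit means the region is not present
            continue
        can_read = bool((flmstr1 >> (16 + i)) & 1)
        can_write = bool((flmstr1 >> (24 + i)) & 1)
        regions[name] = (base, limit, can_read, can_write)
    return regions


def build_sample(host_write_mask: int = 0xFF) -> bytes:
    """Constructed 4 KiB descriptor: 8 MiB chip, GbE and BIOS present, ME removed."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<II", img, 0x14, 0x04 << 16, 0x06)  # FRBA=0x40, FMBA=0x60
    flregs = (0x00000000, 0x07FF0003, 0x00001FFF, 0x00020001, 0x00001FFF)
    struct.pack_into("<5I", img, 0x40, *flregs)
    struct.pack_into("<I", img, 0x60, (host_write_mask << 24) | (0xFF << 16))
    return bytes(img)


if __name__ == "__main__":
    for name, (base, limit, rd, wr) in parse_descriptor(build_sample(0x00)).items():
        print(f"{name:10s} {base:#08x}-{limit:#08x} host read={rd} write={wr}")
```

With `host_write_mask=0x00` every region is reported as not writable by the host, which is the "external programmer only" situation described above.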

Input devices

Trackpoint

  • When used to a mouse or a touchpad, adapting to a trackpoint can take quite long (it took several weeks for me).
  • The precision/speed and acceleration of mice, touchpads and trackpoints can be configured. The ratio between speed and precision can be less favorable on a trackpoint than on a touchpad.
  • The trackpoint is in the middle of the keyboard, so when using the keyboard extensively and the mouse less, it is a huge advantage, as the hands don't have to keep moving back and forth between the touchpad/mouse and the keyboard. Not only can this increase computer usage efficiency, but it also causes less wrist strain than a touchpad or a mouse.
  • The trackpoint requires less effort to move.
  • The rubber cap is replaceable and wears out with years of usage. A worn-out cap results in a far less favorable precision/speed ratio, so in that case it's advised to replace it.
  • The trackpoint is probably easier to use in public transportation or vehicles (as there is a lot of vibration, acceleration, etc. in such environments).

Touchpad (TODO)

Keyboards (TODO)

Flash chip access and reflashing difficulties

Lenovo, at the time, didn't manufacture I945 or GM45 Thinkpads with Libreboot. So Libreboot needs to somehow be installed on such laptops to run.

Depending on the laptop:

  • It might be possible to install Libreboot without having to open/disassemble the laptop, or not.
  • It might be easy or hard and time consuming to disassemble the laptop enough to access the flash chip.

Depending on you:

  • You might find it easy or hard to disassemble a laptop and might or might not be inclined to do everything yourself.
  • You might be inclined to go buy the laptop second hand yourself, and the required parts, and have it flashed at a hackerspace that proposes to do it.
  • You might find it easier to just buy the laptop with Libreboot preinstalled. There are various shops selling computers with Libreboot preinstalled, but it is better to look at the Respect Your Freedom FSF page in order to buy them. This is to make sure they really respect your freedom (else they may require proprietary software to work, be shipped with a GNU/Linux distribution that has proprietary software in its repositories, etc).

Installation through software

Installation through hardware

  • On GM45 Thinkpads this is not the case: to do such an installation, the laptop must be disassembled. Depending on the laptop this can take a lot of time, or be really easy. Easy or hard is relative to the time spent disassembling the laptop. It takes far less time to disassemble a Thinkpad X200 than to disassemble a Thinkpad T400.

Installation through hackerspaces (TODO)

Installation through commerce

When one lacks the skills to install Libreboot, commerce can alleviate such difficulties by either:

  • Selling computers with Libreboot pre-installed
  • Flashing an existing computer that you send them

Several companies do either or both:

The Free Software Foundation (FSF) also maintains a list of hardware products that respect people's freedom. This list contains laptops compatible with Libreboot as well as the vendors where you can find them.

The Libreboot project also has a list of vendors.

SDIO VS Mass storage

  • SDIO has a lower level access and thanks to that it can:
    • Gather more data on the SD card being inserted; it can for instance get serial numbers, OEM IDs, hardware and firmware revisions, device name, etc.
    • Be able to use SDIO peripherals (Peripherals like WiFi cards are very rare though).
  • USB Mass storage is however automatically compatible with many OS, Libreboot payloads, and boot software. Booting on it doesn't require extensive software support. This can be neat as you can boot on a tiny microSD if you use a microSD<->SD adapter.

Processor architectures (WIP)

| Distribution or software | Self hosted | x86 32bit support | x86 64bit support | ARM support | Audience |
|---|---|---|---|---|---|
| GuixSD | Yes | Yes | Yes | Yes | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
| Hyperbola | Yes | Yes | Yes | No | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
| Parabola | Yes | Yes | Yes | Yes | GNU/Linux distribution for people with a good command line knowledge, or willing to learn it. |
| PureOS | Yes | No | Yes | No | Easy to use general purpose GNU/Linux distribution |
| Trisquel | Yes | Yes | Yes | No | Easy to use general purpose GNU/Linux distribution |

x86 64bit

This is now the most supported architecture. This means that most users are using that.

The x86 64bit architecture appeared after the x86 32bit architecture. This enabled software developers and hardware manufacturers to revisit some design choices and to add various improvements. In practice this enables them to:

  • Improve security
  • Fix the year 2038 bug and similar
  • probably many other small improvements

x86 32bit

Some projects stopped supporting x86 32bit computers:

While other projects continue to support 32bit. This also applies when building Replicant.

Some projects made it a secondary architecture. This is the case with Linux, where some issues are fixed first for the x86_64 architecture and later for the x86 32bit architecture. This was for instance the case for many of the Spectre and Meltdown related security issues.

ARM (TODO)

Fingerprint Reader

The fingerprint reader can be used to check fingerprints with fprint under GNU/Linux but, at the time of writing, fprint cannot use it as a very high resolution scanner, even though the hardware supports it. If the fingerprint sensor is unused, the cable that goes from the mainboard to it can be removed. Since that cable has 4 pins and the fingerprint sensor is connected through USB, the cable might be usable as an internal USB port with some soldering. This can be handy to add extra USB peripherals like GPS or other devices.

Firewire (TODO)

Firewire is a bus very similar to USB, and supports the same kind of peripherals (Hard drives, Ethernet cards, etc).

It is widely used on DV cameras, and can be used to retrieve the videos, but, as it is and was far less common than USB, it has mostly disappeared.


Firewire is also infamously known to have allowed read/write access to the computer's memory by peripherals or other computers, however this is probably fixed by now:

# modinfo firewire_ohci
[...]
remote_dma:Enable unfiltered remote DMA (default = N) (bool)

It also allows a computer to emulate any Firewire peripheral, such as hard disks, Ethernet cards and so on.

Webcam (TODO)

Freedom, Privacy, Security reviews

Modems

Certain laptops have optional 3G/4G modems, which can also be added separately. They are (most of the time?) available in a mini-PCIe form factor, however they are not connected through mini-PCIe but through USB: the mini-PCIe connector also exports USB signals.

Tests

With an Ericsson F3507g modem and a Lenovo Thinkpad X200 running Coreboot and GRUB as payload, the modem is already starting up when the computer is in GRUB. This has been observed by running simtrace when the computer boots.

Since non-free software or free and non-free software is running in such modems, such software can be abused by a malicious attacker to make the computer running coreboot see the modem as a USB keyboard, which can in turn start a terminal emulator and type commands.

If this security risk is relevant for the user, it is a good practice to:

  • Make sure that only the internal keyboard is used, this can be done by:
    • Making GRUB not load the USB keyboard module
    • Disabling USB keyboard support in SeaBIOS
    • Using the USB authorization framework in GNU/Linux, for instance by using software like USBGuard
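Under GNU/Linux, a quick audit for this risk is to list every USB interface that announces itself as a HID device and compare it with what is expected. This is an added example, not code from the page or from USBGuard: the allow-list, the device names `1-1` and `2-6`, and the sample tree built by `make_sample_tree` are constructed; on a real system the functions read `/sys/bus/usb/devices`.

```python
import os
import tempfile

CLASS_FILES = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def hid_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Return [(device, interface, is_boot_keyboard)] for every USB HID interface."""
    found = []
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:  # "2-6" is a device, "2-6:1.3" one of its interfaces
            continue

        def attr(name, path=os.path.join(sysfs_root, entry)):
            try:
                with open(os.path.join(path, name)) as f:
                    return f.read().strip().lower()
            except OSError:
                return ""

        if attr("bInterfaceClass") != "03":  # class 03 = HID
            continue
        boot_kbd = attr("bInterfaceSubClass") == "01" and attr("bInterfaceProtocol") == "01"
        found.append((entry.split(":")[0], entry, boot_kbd))
    return found


def unexpected_hid(allowed_devices, sysfs_root="/sys/bus/usb/devices"):
    """HID interfaces on any device that is not in the allow-list."""
    return [h for h in hid_interfaces(sysfs_root) if h[0] not in allowed_devices]


def make_sample_tree():
    """Constructed sysfs-like tree: a mouse on 1-1, a modem on 2-6 that also shows a keyboard."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": ("03", "01", "02"),   # HID boot mouse
              "2-6:1.0": ("02", "02", "01"),   # modem (CDC) function
              "2-6:1.3": ("03", "01", "01")}   # HID boot keyboard on the same device
    for iface, values in sample.items():
        os.makedirs(os.path.join(root, iface))
        for name, value in zip(CLASS_FILES, values):
            with open(os.path.join(root, iface, name), "w") as f:
                f.write(value + "\n")
    return root


if __name__ == "__main__":
    print(unexpected_hid({"1-1"}, make_sample_tree()))
```

This only observes the running system; the measures listed above are what keep such an interface from being used.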

More general issues also apply:

  • See the "Mobile telephony operators and privacy" section in the Replicant documentation
  • Since the modem runs non-free software and is started at boot, it might be interesting to understand if it connects to the operator network at boot. If not, an attacker might still be able to force it to do so. This has serious privacy implications as, if it is the case, it would allow the network operator to keep track of the computer's location when it is on.
  • It might also be very interesting to understand in what conditions the computer running coreboot powers up the modem, for instance if the computer is off, is the modem still powered? Is it still powered in standby? etc
  • The modem does allow the operator, through the SIM card, to do things like redirecting calls and so on. This is covered by standards and is documented by the terminal-profile project. In the case of the Ericsson F3507g modem, the data is available here

Tests TODO

  • Test what happens with:
nvramtool -w wwan=Disable


This page was a featured resource in August 2021.