Group: Hardware/Computers/Laptops/Freeable laptops/GNU Boot Laptops comparison
Revision as of 19:11, 19 June 2018
Contents
- 1 Warning
- 2 Introduction
- 3 Specifications
- 4 Freedom, Privacy, Security reviews
Warning
This page is a work in progress and might be incomplete.
Introduction
Given that several computers are compatible with Libreboot, this page tries to document the differences relevant to someone wanting to get such a device.
The focus of this article is laptops (as many users use laptops) that are supported by Libreboot or that could easily be supported by it.
Specifications
Comparison table
Device | Form factor | CPU | Max RAM | CPU upgradable? | Max screen resolution | Card reader | Fingerprint reader | TPM | Light | IRDA | Dock | Extension cards | ATA/SATA ports/slots | Ethernet | Internal mini-PCIe slots | Internal microphones | SIM card slot for modems | Bluetooth | Input devices | Firewire | Webcam | Free software EC | NIC firmware | Management Engine | Flash chip | Flash chip physical access | Intel flash descriptor |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Lenovo Thinkpad T60 | Big laptop | x86, i686 or x86_64 (depending on the CPU) | Less than 4 GB, DDR2 | Yes | 1600x1200, matte | No | Optional | Yes, soldered standalone chip | Yes | Yes | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, CardBus, not initialized until the OS loads the driver | 1x internal 2.5" SATA HDD, ATA DVD reader | 1000 (e1000e) | 1 or 2 (populated/unpopulated) | 1? 2? | Optional | Optional | | Yes, not initialized until the OS loads the driver; see also the remote_dma parameter of the firewire_ohci kernel module | No | No | No, the chip is capable of it but is not configured for it, even with the default boot firmware | No | SOIC-8 | Medium | ? |
Lenovo Thinkpad X60, X60s | Small laptop | x86, i686 or x86_64 (depending on the CPU) | Less than 4 GB, DDR2 | Soldered | 1024x768, matte | SDIO | Optional | Yes, soldered standalone chip | Yes | Yes | Yes, has LPC LDRQ# connected but DMA is disabled in software | Yes, CardBus, not initialized until the OS loads the driver | 1x internal 2.5" SATA HDD, dock: ATA? | 1000 (e1000e) | 1 or 2 (populated/unpopulated) | 1? 2? | Optional | Optional | | Yes, not initialized until the OS loads the driver; see also the remote_dma parameter of the firewire_ohci kernel module | No | No | No, the chip is capable of it but is not configured for it, even with the default boot firmware | No | SOIC-8 | Medium | ? |
Lenovo Thinkpad X200 | Small laptop | x86_64 | 8 GB DDR3 (requires specific DIMMs) | Soldered | 1280x800, matte | Mass storage, USB | Optional | Management Engine application | Yes | No | Yes, no DMA signals exported | Yes, ExpressCard | 1x internal 2.5" SATA HDD, dock: ? | 1000 (e1000e) | 1? 2? or 3 | 1? or 2? | Optional? | Optional? | | No | Optional | No | Disabled with coreboot and libreboot | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot | SOIC-16 or SOIC-8 | Easy | Yes |
Lenovo Thinkpad T400 | Big laptop | x86_64 | 8 GB DDR3 (requires specific DIMMs) | Yes | 1440x900, matte | No | Optional | Management Engine application | Yes | No | Yes, TODO: check DMA status | Yes, ExpressCard | 1x internal 2.5" SATA HDD, dock: ? | 1000 (e1000e) | 1? 2? or 3 | 1? or 2? | Optional? | Optional? | | Yes | Optional | No | Disabled with coreboot and libreboot | Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot | SOIC-16 or SOIC-8 | Hard | Yes |
Second-hand device considerations
Shops and people (TODO)
Thermal paste (TODO)
i945 or GM45?
Performance
The GM45 is faster (better GPU and CPU). The maximum amount of RAM on the i945 chipset is a bit less than 4 GB, and around 8 GB on the GM45.
Management Engine
The GM45 has a Management Engine. It is often said that the Management Engine can be disabled.
What "disabled" really means here is that the code and data that the Management Engine is supposed to load from the Management Engine partition on the boot flash have been removed, in a way that still lets the computer work.
However, the Management Engine processor is undocumented, and code baked into it (its boot ROM) still runs at boot. What that code does is not known, but it is supposed to load (and check?) the code that resides in the Management Engine partition on the boot flash, and possibly to initialize hardware.
TPM (TODO)
A TPM is a chip that typically offers several features:
Flash descriptor (TODO)
The flash descriptor is some data that resides at the beginning of the boot flash. If it is present, it configures one or more partitions on the boot flash.
Partition | Usage |
---|---|
Descriptor | |
BIOS | |
ME | |
GbE | |
Platform | ? |
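Worked example, added here and not part of the original page or of the coreboot/Libreboot tools: a small Python parser for the ICH9/GM45-era descriptor layout (signature at offset 0x10, FLMAP0 at 0x14, one 32-bit FLREG entry per region with 4 KiB granularity, base above limit meaning unused) that recovers the partition table above from a ROM image, plus the fit/overlap checks worth running before flashing. The 8 MiB image it parses is constructed inline, not dumped from real hardware, and the region layout in it is an assumption.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                       # descriptor signature, at offset 0x10
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform")

def parse_flash_descriptor(image):
    """Return {region: (base, limit)} for each region the descriptor marks as
    used, or None when no descriptor signature is present (ICH9/GM45-era layout)."""
    if len(image) < 0x18 or struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        return None
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4         # Flash Region Base Address
    count = ((flmap0 >> 24) & 0x7) + 1          # NR field = number of regions - 1
    regions = {}
    for i, name in enumerate(REGION_NAMES[:count]):
        reg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (reg & 0x1FFF) << 12             # 4 KiB granularity
        limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:                        # base > limit marks an unused region
            continue
        regions[name] = (base, limit)
    return regions

def check_regions(regions, image_size):
    """Sanity checks worth running before flashing: every region must fit in the
    image and regions must not overlap. Returns a list of problem descriptions."""
    problems = []
    ordered = sorted(regions.items(), key=lambda kv: kv[1][0])
    for name, (_, limit) in ordered:
        if limit >= image_size:
            problems.append(f"{name} ends at {limit:#x}, beyond the {image_size:#x}-byte image")
    for (a, (_, a_limit)), (b, (b_base, _)) in zip(ordered, ordered[1:]):
        if b_base <= a_limit:
            problems.append(f"{a} and {b} overlap")
    return problems

def build_sample_image(size=0x800000):
    """Constructed 8 MiB image (not a real dump): Descriptor 0x0-0xFFF, GbE 0x1000-0x2FFF,
    ME 0x3000-0x1FFFFF, BIOS 0x200000-0x7FFFFF, Platform region unused."""
    image = bytearray(b"\xff" * size)
    # flmap0: NR=4 (five regions), FRBA=0x40, FCBA=0x30
    struct.pack_into("<II", image, 0x10, FD_SIGNATURE, 0x04040003)
    flregs = (0x00000000, 0x07FF0200, 0x01FF0003, 0x00020001, 0x00000FFF)
    struct.pack_into("<5I", image, 0x40, *flregs)
    return bytes(image)

if __name__ == "__main__":
    regions = parse_flash_descriptor(build_sample_image())
    print(regions, check_regions(regions, 0x800000))
```

On a real dump, pass the bytes read from the chip to parse_flash_descriptor; an image without a descriptor (as on the i945 Thinkpads) yields None.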
Input devices
Trackpoint
- When used to a mouse or a touchpad, adapting to a trackpoint can take quite long (it took several weeks for me).
- The precision/speed and acceleration of mice, touchpads and trackpoints can be configured. The ratio between speed and precision can be less favorable on a trackpoint than on a touchpad.
- The trackpoint is in the middle of the keyboard, so when using the keyboard extensively and the mouse less, it is a huge advantage, as the hands don't have to keep moving back and forth between the touchpad/mouse and the keyboard. Not only can this increase efficiency, it also causes less wrist strain than a touchpad or a mouse.
- The trackpoint requires less effort to move.
- The rubber cap is replaceable and wears out with years of use. A worn-out cap results in a far less favorable precision/speed ratio, so in that case it is advised to replace it.
Touchpad (TODO)
Keyboards (TODO)
Flash chip access and reflashing difficulties
Lenovo, at the time, didn't manufacture i945 or GM45 Thinkpads with coreboot/libreboot, so coreboot/libreboot needs to be installed on such laptops somehow.
Depending on the hardware:
- It might or might not be possible to install coreboot/libreboot without opening/disassembling the laptop.
- It might be easy, or hard and time consuming, to disassemble the laptop enough to access the flash chip.
Depending on you:
- You might find it easy or hard to disassemble a laptop, and might or might not be inclined to do everything yourself.
- You might be inclined to buy the laptop second hand yourself, along with the required parts, and have it flashed at a hackerspace that offers to do it.
- You might find it easier to just buy the laptop with Libreboot preinstalled.
Installation through software
- With i945 Thinkpads, when running the stock boot firmware (BIOS/UEFI), installing coreboot/libreboot can be done just by running some commands on the laptop, without disassembling it or opening it with a screwdriver.
Installation through hardware
- On GM45 Thinkpads this is not the case: to install, the laptop must be disassembled. Depending on the laptop this can take a lot of time or be really easy; easy or hard is relative to the time spent disassembling. It takes far less time to disassemble a Thinkpad X200 than a Thinkpad T400.
Installation through hackerspaces (TODO)
Installation through commerce
When one lacks the skills to install Libreboot, commerce can alleviate such difficulties by either:
- Selling computers with Libreboot pre-installed
- Flashing an existing computer that you send them
Several companies do either or both:
The Free Software Foundation (FSF) also maintains a list of hardware products that respect people's freedom. This list contains laptops compatible with Libreboot as well as the vendors where you can find them.
The Libreboot project also has a list of vendors.
SDIO VS Mass storage
- SDIO has lower-level access, and thanks to that it can:
  - Gather more data on the SD card being inserted; for instance it can get serial numbers, OEM IDs, hardware and firmware revisions, device name, etc.
  - Use SDIO peripherals (though peripherals like WiFi cards are very rare).
- USB mass storage is however automatically compatible with many OSes, payloads and boot software. Booting from it doesn't require extensive software support. This can be neat, as you can boot from a tiny microSD card with a microSD-to-SD adapter.
Processor architectures (WIP)
x86 32-bit
- Xen stopped supporting 32-bit x86 in Xen 4.3
- A 64-bit system is required to build Android since Android 2.3
- Tails will stop 32-bit support in Tails 3.0
x86 64-bit (TODO)
ARM
Distribution or software | ARM support | FSF Approved | Audience |
---|---|---|---|
Parabola | Yes | Yes | GNU/Linux distribution for technical users with good command line knowledge |
Trisquel | No | Yes | Easy to use general purpose GNU/Linux distribution |
Fingerprint Reader
The fingerprint reader can be used to check fingerprints with fprint under GNU/Linux, but at the time of writing, while the hardware supports it, fprint cannot use it as a very high resolution scanner. If the fingerprint sensor is unused, the cable that goes from the mainboard to it can be removed. Since that cable has 4 pins, and the fingerprint sensor is connected through USB, the cable might be usable as an internal USB port with some soldering. This can be handy to add extra USB peripherals like GPS or other devices.
Firewire (TODO)
Firewire is a bus very similar to USB, and supports the same kind of peripherals (hard drives, Ethernet cards, etc.).
It is widely used on DV cameras, and can be used to retrieve the videos, but as it is and was far less common than USB, it has mostly disappeared.
Firewire is also infamously known to have allowed peripherals or other computers read/write access to the computer's memory; however this is probably fixed by now:
# modinfo firewire_ohci
[...]
remote_dma:Enable unfiltered remote DMA (default = N) (bool)
It also allows a computer to emulate any Firewire peripheral such as hard disks, Ethernet cards and so on.
Webcam (TODO)
Freedom, Privacy, Security reviews
Modems
Certain laptops have optional 3G/4G modems, which can also be added separately. They are (most of the time?) available in a mini-PCIe form factor; however they are not connected through mini-PCIe but through USB: the mini-PCIe connector also exports USB signals.
Tests
With an Ericsson F3507g modem in a Lenovo Thinkpad X200 running coreboot with GRUB as payload, the modem is already starting up while the computer is in GRUB. This was observed by running simtrace while the computer boots.
Since non-free software (or a mix of free and non-free software) runs in such modems, that software could be abused by a malicious attacker to make the computer running coreboot see the modem as a USB keyboard, which could in turn start a terminal emulator and type commands.
If this security risk is relevant for the user, it is good practice to:
- Make sure that only the internal keyboard is used; this can be done by:
  - Making GRUB not load the USB keyboard module
  - Disabling USB keyboard support in SeaBIOS
  - Using the USB authorization framework in GNU/Linux, for instance through software like USBGuard
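Added example, not from this page or from USBGuard: a Python check that complements the allowlist approach above by walking sysfs and listing every USB device that presents a keyboard-class HID interface, so a modem (or anything else) that suddenly claims one stands out. The sysfs tree it runs against here is constructed with placeholder vendor/product ids; on a real machine, call unexpected_keyboards with the ids of the keyboards you actually own.

```python
import os
import tempfile

HID_CLASS, KEYBOARD_PROTOCOL = 0x03, 0x01       # USB HID class; protocol 1 = keyboard

def _read_hex(path):
    with open(path) as f:
        return int(f.read().strip(), 16)

def keyboard_capable_devices(sysfs_usb="/sys/bus/usb/devices"):
    """Map 'vid:pid' -> sysfs interface names of every device exposing a keyboard interface."""
    found = {}
    for entry in sorted(os.listdir(sysfs_usb)):
        if ":" not in entry:
            continue                              # a device node, not an interface
        iface = os.path.join(sysfs_usb, entry)   # interfaces are named <bus>-<port>:<cfg>.<n>
        try:
            cls = _read_hex(os.path.join(iface, "bInterfaceClass"))
            proto = _read_hex(os.path.join(iface, "bInterfaceProtocol"))
        except OSError:
            continue                              # no descriptor attributes, skip
        if cls != HID_CLASS or proto != KEYBOARD_PROTOCOL:
            continue
        dev = os.path.join(sysfs_usb, entry.split(":")[0])
        dev_id = "%04x:%04x" % (_read_hex(os.path.join(dev, "idVendor")), _read_hex(os.path.join(dev, "idProduct")))
        found.setdefault(dev_id, []).append(entry)
    return found

def unexpected_keyboards(allowed_ids, sysfs_usb="/sys/bus/usb/devices"):
    """Keyboard-capable devices whose id is not on the allowlist of known keyboards."""
    return sorted(i for i in keyboard_capable_devices(sysfs_usb) if i not in allowed_ids)

def build_fake_sysfs():
    """Constructed tree with placeholder ids: a modem that also claims a keyboard interface, and a plain keyboard."""
    root = tempfile.mkdtemp()
    def add(name, vid, pid, interfaces):
        os.mkdir(os.path.join(root, name))
        for attr, val in (("idVendor", vid), ("idProduct", pid)):
            with open(os.path.join(root, name, attr), "w") as f:
                f.write(val + "\n")
        for n, (cls, proto) in enumerate(interfaces):
            d = os.path.join(root, f"{name}:1.{n}")
            os.mkdir(d)
            for attr, val in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
                with open(os.path.join(d, attr), "w") as f:
                    f.write(f"{val:02x}\n")
    add("1-4", "dead", "beef", [(0x02, 0x01), (0x0a, 0x00), (0x03, 0x01)])  # CDC modem + keyboard
    add("2-1", "1234", "0001", [(0x03, 0x01)])                              # ordinary USB keyboard
    return root
```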
More general issues also apply:
- See the "Mobile telephony operators and privacy" section in the Replicant documentation
- Since the modem runs non-free software and is started at boot, it might be interesting to understand whether it connects to the operator network at boot. If not, an attacker might still be able to force it to do so. This has serious privacy implications, as, if it is the case, it would allow the network operator to keep track of the computer's location whenever it is on.
- It might also be very interesting to understand under what conditions the computer running coreboot powers up the modem: for instance, if the computer is off, is the modem still powered? Is it still powered in standby? etc.
- The modem does allow the operator, through the SIM card, to do things like redirecting calls and so on. This is covered by standards and is documented by the terminal-profile project. In the case of the Ericsson F3507g modem, the data is available here
Tests TODO
- Test what happens with:
nvramtool -w wwan=Disable