Group: Hardware/Computers/Laptops/Freeable laptops/Libreboot Laptops comparison

From LibrePlanet
< Group:Hardware‎ | Computers‎ | Laptops‎ | Freeable laptops
Revision as of 19:11, 19 June 2018 by GNUtoo2 (talk | contribs) (Flash descriptor (TODO))
Jump to: navigation, search

Warning

This is a work in progress and is or might be incomplete

Introduction

Given that several computers are compatible with Libreboot, this try to document the differences relevant to a person wanting to get such a device.

The focus of this article is laptops (As many users uses laptops) that are also supported by Libreboot or that could easily be supported by it.

Specifications

Comparison table

Device Form factor CPU Max RAM CPU upgradable? Max screen resolution Card Reader Fingerprint Reader TPM Light IRDA Dock Extension cards ATA/SATA ports/slots Ethernet Internal mini-pcie slots Internal microphones SIM card slot for modems Bluetooth Input devices Firewire Webcam Free software EC NIC firmware Management engine Flash chip Flash chip physical access Intel Flash descriptor Device
Lenovo Thinkpad T60 Big laptop x86, i686 or x86_64 (depending on the CPU) Less than 4G, DDR2 Yes 1600x1200 mate No Optional Yes, soldered standalone chip Yes Yes Yes, has LPC LDRQ# connected but DMA is disabled in software Yes, cardbus, not initialized until the OS loads the driver 1x internal 2.5" SATA HDD, ATA DVD reader. 1000 (e1000e) 1 or 2(populated/unpopulated) 1? 2? optional optional
  • Keyboard
  • Trackpoint
  • Touchpad
 Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module No No no, the chip is capable of it but is not configured for it, even with the default boot firmware. no soic-8 Medium ? Lenovo Thinkpad T60
Lenovo Thinkpad X60, X60s Small laptop x86, i686 or x86_64 (depending on the CPU) Less than 4G, DDR2 Soldered 1024x768 mate SDIO Optional Yes, soldered standalone chip Yes Yes Yes, has LPC LDRQ# connected but DMA is disabled in software Yes, cardbus, not initialized until the OS loads the driver 1x internal 2.5" SATA HDD, dock: ATA? 1000 (e1000e) 1 or 2(populated/unpopulated) 1? 2? optional optional
  • Keyboard
  • Trackpoint
 Yes, not initialized until the OS loads the driver, see also the remote_dma parameter in the corresponding firewire_ohci kernel module No No no, the chip is capable of it but is not configured for it, even with the default boot firmware. no soic-8 Medium ? Lenovo Thinkpad X60, X60s
Lenovo Thinkpad X200 Small laptop x86_64 8G DDR3 (Require specific DIMM) Soldered 1280x800, mate Mass storage, USB Optional Management engine application Yes No Yes, no DMA signals exported Yes, Express Card 1x internal 2.5" SATA HDD, dock: ? 1000 (e1000e) 1? 2? or 3 1? or 2? optional? optional?
  • Keyboard
  • Trackpoint
 No Optional No Disabled with coreboot and libreboot Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. soic-16 or soic-8 Easy Yes Lenovo Thinkpad X200
Lenovo Thinkpad T400 Big laptop x86_64 8G DDR3 (Require specific DIMM) Yes 1440x900 mate No Optional Management engine application Yes No Yes, TODO: Check DMA status Yes, Express Card 1x internal 2.5" SATA HDD, dock: ? 1000 (e1000e) 1? 2? or 3 1? or 2? Optional? Optional?
  • Keyboard
  • Trackpoint
  • Touchpad
 Yes Optional No Disabled with coreboot and libreboot Present with the default boot firmware, can be disabled with coreboot, is disabled with libreboot. soic-16 or soic-8 Hard Yes Lenovo Thinkpad T400
Device Form factor CPU Max RAM CPU upgradable? Max screen resolution Card Reader Fingerprint Reader TPM Light IRDA Dock Extension cards ATA/SATA ports/slots Ethernet Internal mini-pcie slots Internal microphones SIM card slot for modems Bluetooth Input devices Firewire Webcam Free software EC NIC firmware Management engine Flash chip Flash chip physical access Intel Flash descriptor Device

Second hand devices consideration

Shops and people (TODO)

Thermal paste (TODO)

I945 or GM45 ?

Performances

The GM45 is faster (Better GPU, CPU). The maximum amount of RAM on the I945 chipset is a bit less than 4G, and is around 8G on GM45.

Management Engine

The GM45 has a Management Engine: It is often said that the Management Engine can be disabled.

What "disabled" really means here is that the code and data that the Management Engine is supposed to load from the Management Engine partition on the boot flash has been removed, in a way that still makes the computer work.

However The Management Engine processor is undocumented, and code baked into it(bootrom) still runs at boot. What that code does is not known, but it is supposed to load (and check?) the code that resides on the Management Engine Partition on the boot flash, and possibly to initialize hardware.

TPM (TODO)

A TPM is a chip that typically offers several features:

Flash descriptor (TODO)

The flash descriptor is some data that resides at the beginning of the boot flash. If it is present, it will configure one or more partitions on the boot flash.

Partition Usage
Descriptor
  • This is where the flash descriptor resides
BIOS
  • This is where the BIOS or Libreboot resides
ME
  • This is the partition where the Management Engine code and data resides
  • On computers with a GM45 chipset, it can be totally removed.
GbE
  • Contains settings for the Intel Gigabit Ethernet Controller such as:
    • the default MAC address
    • The led configurations
Platform ?

Input devices

Trackpoint

  • When used to a mouse or a touchpad, adapting to a trackpoint can be quite long (it tooks several weeks for me).
  • Mices, touchpads and trackpoints's precision/speed and acceleration can be configured. The ratio between speed and precision can be less favorable on a trackpoint than a touchpad.
  • The trackpoint is in the middle of the keyboard, so when extensively using the keyboard, and using less the mouse, it is a huge advantage as the hands don't have to keep moving back and forth between the touchpad/mouse and the keyboard. Not only this can increase computer usage efficiency, but it also causes less wrist strain than a touchpad or a mouse
  • The trackpoint requires less effort to move.
  • The rubber cap is replaceable and wears out with years of usages. Having a weared out cap results in a way less favorable precision/speed ratio, so in that case it's advised to replace it.

Touchpad (TODO)

Keyboards (TODO)

Flash chip access and reflashing difficulties

Lenovo, at the time, didn't manufacture I945 or GM45 Thinkpads with coreboot/libreboot. So coreboot/libreboot need to somehow be installed on such laptops to run.

Depending on the hardware:

  • It might be possible to install coreboot/libreboot without having to open/disassemble the laptop, or not.
  • It might be easy or hard and time consuming to disassemble the laptop enough to access the flash chip.

Depending on you:

  • You might find it easy or hard to disassemble a laptop and might or might not be inclined to do everything your self.
  • You might be inclined to go buy the laptop second hand yourself, and the required parts, and have it flashed at a hackerspace that proposes to do it.
  • You might find it easier to just buy the laptop with libreboot preinstalled.

Installation trough software

Installation trough hardware

  • On GM45 thinkpads this is not the case, to do such installation, the laptop must be disassembled. Depending on the laptop this can take a lot of time, or be really easy. Easy or hard is relative to the time spent to disassemble the laptops. It takes way less time to disassemble a Thinkpad X200 than it is to disassemble a thinkpad T400.

Installation trough hackerspaces (TODO)

Installation trough commerce

When one lacks the skills to install Libreboot, commerce can alleviate such difficulties by either:

  • Selling computers with Libreboot pre-installed
  • Flashing an existing computer that you send them

Several companies do either or both:

The Free Software Foundation (FSF) also maintains a list of hardware products that respect's people's freedom. This list contains laptop compatible with Libreboot as well as the vendors where you can find them.

The Libreboot project also has a list of vendors

SDIO VS Mass storage

  • SDIO has a lower level access and thanks to that it can:
    • Gather more data on the SD card being inserted, it can for instance get serial numbers, OEM ids, Hardware and firmwares revision, device name, etc.
    • Be able to use SDIO peripherals (Peripherals like WiFi cards are very rare though).
  • USB Mass storage is however automatically compatible with many OS, payloads, and boot software. Booting on it doesn't require extensive software support. This can be neat as you can boot on a tiny microSD if you use a microSD<->SD adapter.

Processor architectures (WIP)

x86 32bit

x86 64bit (TODO)

ARM

Distribution or software ARM support FSF Approved Audience
Parabola Yes Yes GNU/Linux distribution for technical users with good command line knowledge
Trisquel No Yes Easy to use general purpose GNU/Linux distribution

Fingerprint Reader

The fingerprint reader can be used to check fingerprints with fprint under GNU/Linux, but at the time of writing, while the hardware supports it, fprint cannot be used to use it as a very high resolution scanner. If the fingerprint sensor is unused, the cable that goes from the mainboard to it can be removed. Since that cable has 4 pins, and that the fingerprint sensor is connected trough USB, the cable might be able to be used as an internal usb port with some soldering. This can be handy to add extra USB peripherals like GPS or other devices.

Firewire (TODO)

Firewire is a bus very similar to USB, and supports the same kind of peripherals (Hard drives, Ethernet cards, etc).

It is widely used on DV cameras, and can be used to retrieve the videos, but, at it is and was way less common than USB, it has mostly disappeared.


Firewire is also infamously known to have allowed read/write access to the computer's memory by peripherals or other computers, however this is probably fixed by now: 

# modinfo firewire_ohci
[...]
remote_dma:Enable unfiltered remote DMA (default = N) (bool)

It also allows a computer to emulate any firewire peripheral such as hard disks, ethernet card and so on.

Webcam (TODO)

Freedom, Privacy, Security reviews

Modems

Certain laptops have optional 3G/4G modems, which can also be added separately. They are (most of the time?) available in a mini-PCIe form factor, however they are not connected trough mini-PCIe but trough USB: the mini-PCIe connector also export USB signals on it.

Tests

With an Ericsson F3507g modem and a Lenovo Thinkpad X200 running Coreboot and GRUB as payload, the modem is already starting up when the computer is in GRUB. This has been observed by running simtrace when the computer boots.

Since non-free software or free and non-free software is running in such modems, such software can be abused by a malicious attacker to make the computer running coreboot see the modem as an USB keyboard, which can in turn start a terminal emulator and type commands.

If this security risk is relevant for the user, it is a good practice to:

  • Make sure that only the internal keyboard is used, this can be done by:
    • Making GRUB not load the USB keyboard module
    • Disabling USB keyboard support in SeaBIOS
    • Using the USB authorization framework in GNU/Linux, for instance by using software like USBGuard

More general issues also apply:

  • See the "Mobile telephony operators and privacy" section in the Replicant documentation
  • Since the modem runs non-free software and is started at boot, it might be interesting to understand if it connects to the operator network at boot. If not, an attacker might still be able to force it to do so. This has serious privacy implications as, if it is the case, it would allow the network operator to keep track of the computer's location when it is on.
  • It might also be very interesting to understand in what conditions the computer running coreboot powers up the modem, for instance if the computer is off, is the modem still powered? Is it still powered in standby? etc
  • The modem does allows the operator, trough the SIM card to do things like redirecting calls and so on. This is covered by standards and is documented by the terminal-profile project. In the case of the Ericsson F3507g modem, the data is available here

Tests TODO

  • Test what happens with:
nvramtool -w wwan=Disable
Retrieved from "https://libreplanet.org/wiki?title=Group:Hardware/Computers/Laptops/Freeable_laptops/Libreboot_Laptops_comparison&oldid=52578"