
Friday, January 4, 2013

Coreboot, formerly known as LinuxBIOS - The Solution to the Secure Boot Fiasco

TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco



by Rex Djere on December 29, 2012


Summary: Is it possible that the recent attempts to push secure boot onto computer users were a response to the growing hardware vendor support for coreboot back in 2011? This is only speculation on my part, but I suspect that this might be the case. Coreboot is a badly needed solution that can restore freedom to PC users while updating the outdated PC BIOS technology.

What is CoreBoot?
Coreboot is a free software replacement for the BIOS currently found in most computers. It is also a better alternative than UEFI/secure boot because it gives the owner of a computer the freedom to do whatever they want. If you buy a Windows 8 PC with secure boot, AND you want to enable secure boot, you are met with certain restrictions. Secure boot uses public key cryptography to restrict what operating system(s) can boot on a PC with secure boot enabled. The concept behind secure boot is good from a security standpoint, but if you want to use it AND use GNU/Linux, you have to use a cryptographic key signed by Microsoft. Microsoft could revoke this key at any time, effectively giving them the ability to prevent you from using GNU/Linux and secure boot at the same time. NO ONE should be able to dictate to you, the PC owner, what you can or cannot do on your computer system, in my humble opinion. Coreboot offers the same security benefits as secure boot, and it maintains the user’s freedoms.

The “Reddit” Arguments
Read on the Site...
TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco

Why We Need Coreboot
UEFI/secure boot supports the effective duopoly that currently exists in PC hardware. AMD and any other company, such as a motherboard manufacturer, who does not get on the UEFI train is effectively locked out. To me, it is pretty clear that UEFI/secure boot encourages those who make a certain set of decisions, and punishes those who make another set of decisions. I won’t spell out all of my conclusions here. However, I came to them by studying the history of EFI and UEFI, paying close attention to Apple’s shift from open firmware to UEFI. I looked at who created EFI, who financed EFI, and who stands to gain financially if UEFI/secure boot are implemented on x86 PCs.
In 2011, AMD began to dive deeply into supporting coreboot. On February 28, 2011, they released technical details of source code that AMD released in support of the coreboot project [1]. On May 6, 2011, AMD pledged to support booting with coreboot in all of its future microprocessors [2]. This revolution would have given the average PC user a lot more freedom, and a lot more control, over their computer system. A few months after this revolution started, it was announced that Windows 8 would be released with a version of secure boot that would turn back the hands of time, and greatly restrict what a PC user was able to do. I suspect that AMD’s support of coreboot scared someone. I believe that pressure was applied to AMD to get them to join the UEFI Board of Directors. The UEFI Board has no members from the Free Software Community [5]:
  • Intel
  • Lenovo
  • AMD
  • Insyde
  • American Megatrends
  • Apple
  • Dell
  • IBM
  • Microsoft
Let us review the various PC firmware systems in the context of Richard Stallman’s Four Essential Freedoms [3]:
| Freedom | Firmware: coreboot | Firmware: secure boot | Firmware: bios |
|---|---|---|---|
| The freedom to run the program, for any purpose. | Yes | No | Yes |
| The freedom to study how the program works, and change it so it does your computing as you wish. | Yes | No | No |
| The freedom to redistribute copies. | Yes | No | No |
| The freedom to distribute copies of your modified versions to others. | Yes | No | No |
| *Based on outdated technology. | No | No | Yes |

Table 1: The PC Firmware Freedom Matrix   *Not one of the four essential freedoms.
Table 1 clearly shows that coreboot best protects the freedoms of the PC user. Now, let us revisit the question from earlier: Why in the world would anyone have thought that UEFI/secure boot was a better solution? If you look at Table 1, can anyone give me a rational reason why UEFI/secure boot would be a superior alternative to coreboot? Faster boot time? More secure? Better for the consumer? What was the MOST likely motive for picking secure boot? I would love to hear any responses to these questions in the comments.

What You Can Do
There are at least 2 petitions created to protect the freedoms of PC users, one by the Free Software Foundation, and the other one on WhiteHouse.gov. Signing them would send a powerful message to the PC and motherboard industries that coreboot is a better choice than secure boot.
Ronald G. Minnich, one of the co-authors of coreboot, has been a vocal opponent of secure boot, as has the Free Software Foundation. Minnich explains coreboot far better than I could in this 2008 video.

Thank you for reading The Linux Week in Review 51!

References
[1]. AMD Guest Blogger. (2011, February 28). Technical details on amd’s coreboot source code release. Retrieved from http://goo.gl/Qd0FE
[2]. Jones, Marc. (2011, May 6). Amd commits to coreboot. Retrieved from http://goo.gl/hOYyP
[3]. Stallman, Richard. (no date). The free software definition. Retrieved from http://goo.gl/8BDDQ
[4]. Linuxbsdos. (2012, November 21). German govt comes out against Trusted Computing and Secure Boot. Retrieved from http://goo.gl/X12fl
[5]. UEFI. (no date). Uefi – board of directors. Retrieved from http://goo.gl/TD5Ws

Go there...
http://beginlinux.com/blog/2012/12/tlwir-51-coreboot-the-solution-to-the-secure-boot-fiasco/

coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.
With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly from firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot currently supports over 230 different mainboards. Check the Support page to see if your system is supported.
coreboot was formerly known as LinuxBIOS

Read More...
http://www.coreboot.org/Welcome_to_coreboot 

Download coreboot

Note: These snapshots are for people who use Linux as their operating system and are able to build software from the source code.
There is no easy-to-install package yet for people who want to quickly try out a new BIOS on their computer. However, we provide some images for the QEMU emulator to test coreboot (and some payloads) on your Linux, Mac OS X, and Windows computers (without having to do any hardware changes). But please note that these images cannot be used on any mainboard; they will only work in QEMU!

Snapshots

There is an archive of coreboot snapshots available at qa.coreboot.org. A new tar.bz2 file is created whenever the repository changes.

Git

coreboot has switched to using Git for version control. Please see the Git page for much useful information on how to work with Git and gerrit in coreboot.
Old subversion repository references that still apply will continue to be kept here.

Git clone 

Go there...
http://www.coreboot.org/Download_coreboot

QEMU

You can easily try out coreboot using QEMU, without having to actually flash the BIOS chip on your real hardware.

Tutorials

Ready-made QEMU images

Below is a list of various downloadable QEMU images you can use to try out coreboot.
You need a patched version of vgabios-cirrus.zip for these images to work properly; the version in QEMU's CVS repository does not yet work. The image from Debian's QEMU package (/usr/share/qemu/vgabios-cirrus.bin) is already patched and works, too.

coreboot v2 + SeaBIOS


SeaBIOS payload.
SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements.
The QEMU image uses coreboot v2 (r4917) and SeaBIOS (9eebe66a9978165cfa91f2266c97fa5d0aa6ef2e, 2009-11-04) with the following changes to the default src/config.h:

Go there...
http://www.coreboot.org/QEMU

Build HOWTO


make menuconfig in coreboot
This page describes how you can build a coreboot image for your specific mainboard.

Requirements

  • gcc / g++
  • make
  • ncurses-dev (for make menuconfig)
Optional:
  • doxygen (for generating/viewing documentation)
  • iasl (for targets with ACPI support)
  • gdb (for better debugging facilities on some targets)
  • flex and bison (for regenerating parsers)

Building a payload

First you need to download the source code for the payload of your choice and build it.
Instructions for building the various payloads are not covered on this page; please see Payloads and the wiki page for the respective payload for details.
The result of this step should be an ELF file (e.g. filo.elf, or coreinfo.elf) which you can use with coreboot (see below).

Building coreboot 

Read More...
http://www.coreboot.org/Build_HOWTO

I tried out a build for Qemu, to see how it would go. Everything went perfectly in the command line, and my build was done rather quickly. I just followed the instructions, one by one. But when I tried to run my resulting "coreboot.rom" file in Qemu, nothing happened. It didn't boot up. But I have had problems with a lot of ISO and IMG files too, in Qemu lately. So, the problem is probably with my Qemu install. I'm running Fedora 14 and Qemu used to work just fine on many ISOs. But it has not been working on very many lately. So, I don't know for sure what's going on here. No errors, no nothing. Just nothing happening when I click Start in Qemu. I don't have a new motherboard that actually needs Coreboot. So, I guess I'll try it again later...





 
Don
 
CoreBoot - Linux Boot for Windows 8 UEFI Secure Boot "BIOS"
TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco
coreboot (aka LinuxBIOS): The Free/Open-Source x86 Firmware - YouTube
Download coreboot - coreboot
QEMU - coreboot
Build HOWTO - coreboot
Download Coreboot - Google Search
status:open project:coreboot | review.coreboot Code Review
flashrom
Payloads - coreboot
SeaBIOS - coreboot
Downloads - flashrom

Windows 8 UEFI Secure Boot "BIOS"
Microsoft: Don't blame us if Windows 8's secure boot requirement blocks Linux dual-boot | ZDNet
Stand up for your freedom to install free software — Free Software Foundation — working together for free software
Will your computer's "Secure Boot" turn out to be "Restricted Boot"? — Free Software Foundation — working together for free software
Linux Top 5: Microsoft's Secure Boot Gambit
Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk
Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk - InternetNews.
Red Hat engineer renews attack on Windows 8-certified secure boot • The Register
Linux Today - Windows 8 Secure Boot: Two Linux Distros Respond
Windows 8 Secure Boot: Two Linux Distros Respond | PCWorld Business Center
Worried About Win 8 Secure Boot? So Is the Free Software Foundation | PCWorld Business Center
Linux Foundation: Secure Boot Need Not Be a Problem | PCWorld Business Center
mjg59 | Implementing UEFI Secure Boot in Fedora
mjg59 | Ubuntu ODM UEFI requirements for secure boot
Linux Today - Canonical, the FSF and the Ongoing Secure Boot Saga
Linux News: Community: Canonical, the FSF and the Ongoing Secure Boot Saga
Linux Today - Fedora Linux Moves Forward with UEFI Secure Boot Plans
Fedora Linux Moves Forward with UEFI Secure Boot Plans | PCWorld Business Center
Microsoft confirms UEFI fears, locks down ARM devices
mjg59 | Handling UEFI Secure Boot in smaller distributions
ubuntu-bios-uefi-requirements.pdf (application/pdf Object)
Free Software Foundation urges OEMs to say no to mandatory Windows 8 UEFI cage » OnlySoftwareBlog
PCH Search & Win: Unified Extensible Firmware Interface...
free software foundation urges oems to say no to mandatory windows 8 uefi cage - Google Search
Extensible Firmware Interface (EFI) and Unified EFI (UEFI)
Linux Today - Linux Foundation proposes to use UEFI to make PCs secure and free
R.I.P. BIOS: A UEFI Primer | PCWorld Business Center
Hardware neutrality: UEFI strikes again and again | TechRepublic
Red Hat Linux paying to get past UEFI restrictions on Windows 8 | TechRepublic
UEFI - Home
Free Software Foundation urges OEMs to say no to mandatory Windows 8 UEFI cage | ZDNet
Linux Foundation proposes to use UEFI to make PCs secure and free | ZDNet
Any comment on the Ubuntu UEFI ruckus?
Unified Extensible Firmware Interface - ArchWiki
Matthew Garrett provided an overview of his UEFI Secure Boot "shim" workaround - Google Search
Linux Today - Microsoft mum on reasons for secure boot
Microsoft mum on reasons for secure boot
Linux Today - Linux Foundation Steps Into Windows 8 Secure Boot Flap
Technology News: Community: Linux Foundation Steps Into Windows 8 Secure Boot Flap
Linux Today - Delays beset the Linux Foundation's Secure Boot workaround
Delays beset the Linux Foundation's Secure Boot workaround | PCWorld
Linux Today - ITwire: Secure Boot Microsoft Shows Up Linux
Secure boot: Microsoft shows up Linux
mjg59 | Secure Boot bootloader for distributions available now
Linux Today - Coreboot: the Solution to the Secure Boot Fiasco
TLWIR 51: Coreboot: the Solution to the Secure Boot Fiasco
Linux Today - Free Software Foundation vs Microsoft Windows 8 Secure Boot
Free Software Foundation vs Microsoft Windows 8 "Secure Boot" | The VAR Guy
Linux Today - Linux Foundation releases Windows Secure Boot fix
Linux Foundation releases Windows Secure Boot fix | ZDNet
 
