How Intel and PC makers prevent you from modifying your laptop's firmware

haswell e



Even if you’re rocking the most open of open-source operating systems, chances are your laptop isn't really that "free," betrayed by closed firmware binaries lurking deep within the hardware itself.
Modern UEFI firmware is a closed-source, proprietary blob of software baked into your PC’s hardware. This binary blob even includes remote management and monitoring features, which make it a potential security and privacy threat.
You might want to replace the UEFI firmware and get complete control over your PC’s hardware with Coreboot, a free software BIOS alternative—but you can’t in PCs with modern Intel processors, thanks to Intel’s Boot Guard and the “Verified Boot” mode PC manufacturers choose.

Why Coreboot won’t support your new laptop

Coreboot was originally known as LinuxBIOS. It’s a Free Software Foundation-endorsed project working on replacing the proprietary UEFI firmware and BIOS found in typical computers. Coreboot is designed to be lightweight and only provide the necessary functions so the computer can initialize its hardware and boot an operating system. This isn’t just some fringe free software project—all modern Chromebooks ship with Coreboot, and Google helps support it.
When someone recently asked whether Coreboot would support new Intel Broadwell ThinkPads on the mailing list, the response was informative:
“New thinkpad's can't be used anymore for coreboot. Especially the U and Y Intel CPU Series. They come with Intel Boot Guard and you are won't be able to boot anything which is unsigned and not approved by OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge.
For more details take a look at Intel Boot Guard architecture. It could be also confirmed by Secunet AG and Google.”

Intel Boot Guard explained

Intel themselves have a quick little explanation of Boot Guard in this document about Haswell’s new platform features. In summary, Boot Guard is a hardware-based technology designed to prevent malware and other unauthorized software from replacing or tampering with the low-level UEFI firmware.
Boot Guard has two separate modes, according to Intel. Every single PC OEM we know of configures it to work in “Verified Boot” mode. The PC manufacturer fuses their public key into the hardware itself. If the UEFI firmware isn’t signed by the OEM—that is, created by the OEM—the computer will halt and refuse to boot. That’s why you can’t modify the UEFI firmware or change it to something else.
librem laptop opened front
Purism's freedom-obsessed Librem 15 laptop won't use the Verified Boot option.
There’s also a second option: “Measured Boot” mode, where the hardware securely stores information about the boot process in a trusted platform module (TPM) or Intel Platform Trust Technology (PTT). The operating system could then examine this information, and—if there was a problem—present an error to the user.
As Purism recently discovered, laptop makers can choose to have their hardware boot without looking for a digital firmware signature at all. The fusing of the processors can be set by the motherboard manufacturer to simply bypass the check. Purism's crowdfunded Librem 15 laptop will ship with a modern Intel CPU fused to run unsigned BIOS code.
In other words, Intel and Boot Guard don’t absolutely require hardware manufacturers to lock the computer to only using manufacturer-signed firmware, but every major PC maker does anyway.

It’s all a big conspiracy, right? Not exactly

It can be tempting to see this as a big conspiracy. These big corporations—Intel and hardware manufacturers—are preventing us from running the software we want to run on our own computers, as if we were using some underpowered, locked-down Surface RT instead of a powerful PC we’re supposed to have control of.
And sure, that’s true, but Boot Guard does help secure the UEFI firmware and protect against malware that infects the boot process. Intel and PC OEMs aren’t out to crush free software and prevent open hardware. The truth is more mundane—Intel and hardware manufacturers prioritize tighter security for the masses over the proprietary firmware concerns of a few. 
But, to their credit, Intel does allow PC manufacturers to configure the hardware in a different way. The real way to get that open hardware seems to be to build it from scratch and make the right decisions along the way, as Purism is trying to do. If you want this sort of open hardware, be prepared to vote with your wallet. Taking existing PC laptops and trying to bend them into open hardware—as Gluglug does with the Free Software Foundation-endorsed Libreboot—doesn’t seem to be an option anymore.

Comments

Post a Comment

Popular posts from this blog

Learn which startup programs are safe to remove

Image
The longer you run your computer, the more clutter it accumulates. This takes the form of programs you no longer need, bloatware you never wanted in the first place, and/or adware you didn't intend to install. The result: slow booting, slow operation, slow everything. To improve the situation, you can uninstall unwanted, unneeded programs. And if you're a little more tech-savvy, you can venture into msconfig to prevent system-dragging software from running at startup. Ah, but which programs are safe to uninstall and/or block? The last thing you want to do is remove some essential Windows element, which could do more harm than good. Should I Remove It? is a free utility that helps you answer exactly that question. The program analyzes everything installed on your computer, then helps you determine what's safe to remove. It does so by displaying both a rating for each program and a crowd-sourced removal percentage (i.e. how many "users and experts&
Read more

Second-gen Chromecast tipped with faster Wi-Fi, Spotify support, and more

Image
Two new Nexus phones aren’t the only items expected at Google’s press event on September 29. Google’s also gearing up to introduce a second-generation Chromecast, according to 9to5Google. The new streaming device is expected to come in a round shape loaded with improved Wi-Fi, a new feature called Fast Play, support for audio systems, and feed integration with the device’s main screen. That’s about where the details end, however, as specifics are in short supply. The current Chromecast uses 802.11 a/b/g/n Wi-Fi, so it sounds like the next version will support the newer 802.11 ac Wi-Fi, but that’s just speculation at this point. The Fast Play feature apparently means the next Chromecast will connect faster than the original version when you “cast” something from your mobile device. As for the feeds, there’s no word on what this is. 9to5Google figures it means you’ll be able to integrate social media feeds when the Chromecast flips to its idle backdrop mode. Backdrop
Read more

WhatsApp gets rid of annual subscription fee

Image
WhatsApp   has announced that it will axe its $1 annual subscription fee starting today. The Facebook-owned messaging service is nearing a billion users, and will start exploring alternate business models. WhatsApp failed to monetize in emerging markets due to low debit and credit card penetration, which led to the service being   offered for free. Today's announcement reflects a change of strategy that will see the platform acting as a facilitator between businesses and customers: Naturally, people might wonder how we plan to keep WhatsApp running without subscription fees and if today's announcement means we're introducing third-party ads. The answer is no. Starting this year, we will test tools that allow you to use WhatsApp to communicate with businesses and organizations that you want to hear from. That could mean communicating with your bank about whether a recent transaction was fraudulent, or with an airline about a delayed flight. We all get these messag
Read more