Originally posted by Adarion
View Post
Announcement
Collapse
No announcement yet.
Coreboot 4.13 Adds Intel TXT, Picks Up New Boards For AMD Pollock, Intel Alder Lake
Collapse
X
-
-
Originally posted by Adarion View PostI wish they'd support real-world boards. All you see is of course Chromebooks [...]
Originally posted by Adarion View PostBut just normal boards, like some ASRock/Asus, MSI, GB, Biostar, Jetway, Sapphire, whatev. or normal notebooks ... meh.
- Likes 1
Leave a comment:
-
Originally posted by GI_Jack View PostWhy did they add TXT?
There is no good reason for this technology which exists to remove peoples Freedoms.
Since I was involved with this I can tell you that the reason for doing it was to add a layer of security to servers and switches in a tightly controlled datacenter environment, not to "remove peoples Freedoms." Now people in the open source community who want remote attestation can use it in a libre-friendly manner.Last edited by davidhendricks; 24 November 2020, 12:07 AM.
Leave a comment:
-
Originally posted by Adarion View Postyou wonder how locked down therse Chromebooks might be if you really test it
The most comprehensive (but also the most risky[1]), of course, is to build your own coreboot image based on the public coreboot sources with your own payload, which will often be SeaBIOS, Tianocore or GRUB, with your own EC firmware (also open source) and flash it.
After that, the only Google-ish thing on the device left is the Cr50 firmware. As Cr50 is our root of trust, that firmware (while open source) can't be replaced without our secret keys (a replacement could fake to be Google-issued firmware and then do something else entirely, which is undesirable). But: That chip is a passive component in the security scheme, like all TPMs, so if you don't want to use it, it's as if it isn't there - and if you want to use it for your own security scheme, you can install your own keys (but you'll have to trust our firmware, just like you'd have to trust the firmware of any other TPM manufacturer).
[0] On company/school-issues devices the user often isn't the owner and the admin can lock things down considerably. That was a specific request by school boards because students have way too much time on their hands and wrote elaborate documentation on how to open up and repurpose their school devices. In our team we admired those efforts (lots of open source hackers at heart), but we also recognize that the owner of a device should have the final say about what happens to it.
[1] All other options provide a way to recover the system, "worst" case by going back to an official Chrome OS install. Replacing your firmware entirely means that no simple recovery mechanism is left. You will probably have to deal with a bad flash or two, but on recent Chromebooks you don't even have to open your device anymore to recover from that. Details at https://wiki.mrchromebox.tech/Firmware_Write_Protect
- Likes 1
Leave a comment:
-
I appreciate AMD reminding me of all these tasty fish during the Nativity Fast.
Leave a comment:
-
I wish they'd support real-world boards. All you see is of course Chromebooks cause google data-kraken pays for it (well, at least they spend some money for a good thing), though you wonder how locked down therse Chromebooks might be if you really test ist, and then, there are some server boards and a few older ones - but often those are hard to come by these days. And developer boards. Which is okay if mainboard vendors would use those to get (a libre) Coreboot running on their own boards.
But just normal boards, like some ASRock/Asus, MSI, GB, Biostar, Jetway, Sapphire, whatev. or normal notebooks ... meh. You hardly see anything. Thus is remains a nice dream and kind of an academic toy.
- Likes 1
Leave a comment:
-
Originally posted by GI_Jack View PostWhy did they add TXT?
There is no good reason for this technology which exists to remove peoples Freedoms.
- Likes 1
Leave a comment:
-
I wish I could replace UEFI on my systems with coreboot. It is sad that almost all vendors still invest in the legacy UEFI only. Desktops often need more that 50% of the boot time just for UEFI.
Did linuxboot progress as an alternative to UEFI?
Leave a comment:
-
Why did they add TXT?
There is no good reason for this technology which exists to remove peoples Freedoms.
- Likes 2
Leave a comment:
-
Any idea if this new support is open support or just adding in closed source blobs to make it work ?
Leave a comment:
Leave a comment: