The girl who runs minifree has had many financial troubles while trying to keep it.
I strongly recommend people buying products from people who are willing to make sacrifices to offer a product that respects your freedom.
If we do not support people like her, we assume the future risk of having zero costumer really owned devices.
Whenever you plan to buy a device and care about not being spied and having control over your owned device, please consider supporting vendors listed here: https://ryf.fsf.org/
My finances are really good these days. I had temporary difficulties in early 2020, as did many people at the start of the covid pandemic, but those are long behind me now. The company has existed since 2014.
The company is doing extremely well these days. I'm very grateful for everyone's support!
PS:
New Libreboot release soon.
The current Libreboot 20210522 testing release (from May 2021) is more or less complete, and the most major issue (the reset bug) is now fixed in libreboot Git.
I'm polishing the current Git and aiming for a new stable release.
I think the RockPro64 [1] as well as the rockpi4 can be run without any binary blobs. Why I don't see any vendor considering ryf-certifiying devices based on them?
The FSF must decide whether to endorse a product, and it must be requested by the supplier. So if a product could be endorsed, but isn't, it's either being reviewed or has not been submitted by the vendor.
In fact, I'm interested in their product commercially for Minifree, and also interested in terms of Libreboot. You can replace the default uboot firmware with coreboot, which offers many more features and there's where my company could really offer some nice custom services.
I acquired a Rockpi4 in the hope to use it blob-free. But I'd love to see vendors trying to ryf-certify it. Do you (or any other vendor) have plans to sell or certify it?
Looking forward to it. Getting an rk3399 device ryf-certified would be great. They have accelerated 3d graphics and video codecs that are (AFAIK) fully supported by fully free software. It would be, although not very powerful, the most modern affordable ryf-certified device available. I really hope you do it.
Also in your list of tasks you list ROCKPro64. Although I really like pine64 steps, I think the best rk3399 device for such a task is the Rock Pi 4 Model A Plus, it's got a faster processor, no wifi and the usb-c port is used for power only: no need to care about blobs for eDP! So, if you are thinking about a board to support, I'd suggest you to think about the Rock Pi 4 Model A Plus.
> The current Libreboot 20210522 testing release (from May 2021) is more or less complete, and the most major issue (the reset bug) is now fixed in libreboot Git.
That's really exciting news! Is there any documentation on how to upgrade libreboot?
How does buying used laptops and installing software on them to then sell to yet another party stop manufacturers preventing this in the future? Why can't people just buy the used laptop made by the big manufacturer and install it themselves? Why trust more third-parties than you absolutely have to?
Well, the founder is also the Libreboot founder and lead. The Libreboot releases are signed with her GPG key, she isn't exactly a third party.
So, as a sibling comment points out, buying from her helps ensure Libreboot's continued existence.
Additionally, in the past (I'm not sure what the financial situation is today), buying from her has also also gone to actually hiring developers to work on Libreboot and port it to more hardware.
> Why can't people just buy the used laptop made by the big manufacturer and install it themselves?
They can. The founder actually encourages this! At conferences she's run workshops to help people install it themselves.
This should be pointed out left, right and center. Does she have a monthly subscription like a Patreon to support her work? If not, there needs to be one. The work is ultimately more important than the computers sold, and I'm sure plenty who installed it themselves would directly fund her.
"Technically, Intel ME is still operational on this laptop. However, malicious features such as Intel AMT are removed using me_cleaner. For all intents and purposes, this laptop is very similar freedom-wise to a Libreboot laptop, but it is absolutely true that a Libreboot system is superior in terms of software freedom. However, if you’re willing to slightly compromise (neutered Intel ME, after running me_cleaner, is fairly benign and does barely anything), these laptops offer a huge performance improvement over Libreboot thinkpads.
Minifree runs me_cleaner which modifies the Intel ME up to the point where it is only active during the boot process, but otherwise disabled during normal operation. Only basic hardware initialization is still performed, but otherwise the Intel ME becomes benign from a security perspective, providing only basic power management. Coreboot is handling the vast majority of the hardware initialization and is 100% Free Software on this laptop.
Proprietary features such as AMT are no longer present or accessible after me_cleaner is used. The me_cleaner program removes all networking from the Intel ME, thus removing any security risks associated with Intel ME."
This is about Libre X230 laptop, whereas, e.g., their Libreboot T400 does not have any ME at all and is endorsed by the FSF as "Respects Your Freedom".
Yeah, there's something a bit ironic about a store with the tagline "GNU+Linux laptops with Libreboot preinstalled." putting a laptop without libreboot at the front. I understand why, but at the same time, it feels ever so slightly disingenuous, since you can install coreboot/run me_cleaner on a pretty wide range of computers (e.g. Purism's laptops), while libreboot can only run on a handful of late 2000s laptops.
Unless new progress has been made that I'm not aware of, you need at least another blob beside the ME firmware (me.bin) to build a full coreboot image on the X230: there's the "Intel flash descriptor" (ifd.bin). I'm not sure if that contains executable code or it can be generated similarly to the gbe.bin (ethernet controlled config).
yeah but that's not software. It's configuration data, in a binary format that's well-documented. There is also a tool for managing it in coreboot, called ifdtool.
There is also the GbE NVM (non-volatile memory) region, which configures the onboard ethernet chipset.
These configure the hardware, and the format is fully documented by datasheets.
Thanks for the explanation. Do you know if it would be possible to fully create an ifd.bin knowing the specs of the mainboard? Basically the opposite of `ifdtool --dump`. I'm surprised because it seems to contain some pretty secretive options like the HAP bit.
Yeah it's possible to know the format by reading the Intel datasheets (sandybridge/ivybridge ones). Certain parts are "reserved" but have been reverse engineered like you see in ifdtool.
In Libreboot there is a tool that I wrote called ich9gen, which can entirely generate ich9 ifd+gbe from scratch. This does not exist yet for sandy/ivy i think, but yes there is that --dump option in ifdtool.
By the way:
bincfg is a nice tool in coreboot, and you can write a spec file for that, based on intel datasheet, to generate gbe/ifd images. I actually have this on my todo list, as I've been studying it. The datasheets are very confusing especially for the Gbe NVM region, making it look like it's not even documented, but it is, poorly.
> I actually have this on my todo list, as I've been studying it. The datasheets are very confusing especially for the Gbe NVM region, making it look like it's not even documented, but it is, poorly.
That's very good news. I thank you for all the work you've done on this.
It's not false advertising, there are no lies or outright deception. However, it feels disingenuous to me because there are lots of laptops out there that can either have coreboot flashed or you can run me_cleaner on, possibly laptops that people already own.
The store's branding overall and presentation leans hard on being 100% totally free, and once you deviate from that "absolutely totally free of proprietary" status your market options open up dramatically.
This is still a valuable service to some people. I didn't mean to come off so negative, but I also feel people who read the page wouldn't realize they have other market options that are "just as free" as the X230. The benefit of buying from this storefront is supporting Libreboot development and Leah Rowe.
However, those other companies that advertise neutered ME are shipping newer Intel platforms where actual x86 hardware initialization is handled by binary blobs (e.g. Intel FSP).
Sandybridge and Ivybridge platforms (e.g. X220/X230) in coreboot are all free software for the x86 part, and that's the majority of it. It's only the ME that isn't. With me_cleaner used, it's very close to Libreboot.
X230 used to be worse in coreboot; for instance, it previously had non-free raminit. Nowadays, it's all GPL code.
I'm hopeful that open processors like RISC will be a big step in solving this. But, then there will still be all that other blob-y, closed hardware like SSDs, network cards, radios. In my humble opinion, there's something wrong with everyone having to use hardware (and software to a slightly lesser extent) that's not auditable and not patchable (by you). There should be a legislative framework for consumer protection.
There will never be such a legislation as long NSA, FBI, CIA, <insert any intelligence agency here> have an interest for a back-door which they will ever have.
A computer in malicious hands is a weapon as much as movable types and the photo-copier are/were.
I wasn't aware of this "Ministry of Freedom" before today (despite knowing about Libreboot). But "Ministry of Freedom" works because these older laptops have been reverse engineered to the point where we can be confident in how their firmware works... and replace it with something open-source.
There are companies who continue to strive to build open-source hardware: such as the Talos II workstation, the System76 laptops, and Pinephone.
Of these: the Talos II stuff with POWER9 CPUs seems the "most open source" out of all solutions. Its a bit of a subjective measure for sure. However, Talos II is rather expensive.
I think these older Thinkpad Txxx laptops with libreboot definitely work as a more entry-level introduction to fully free software from the boot-process up. Its clearly a cheaper methodology than Talos II (or System76). So that's probably a good thing that they serve different market niches.
> other blob-y, closed hardware like SSDs, network cards, radios.
Actually the ryf certification allows this kind of firmware if they are written in ROM; in such cases, they are considered part of the hardware. I understand the complaints about this stance but I know no other similar certification and I think that having non-replaceable firmware forces the vendors to include the minimum of logic inside it and be more careful, so I'm not entirely against it.
Ideally the source code of the firmware should be available. I try to vote with my wallet for that and encourage people to do the same.
In this read-only case the manufacturer no longer has write access, just like you don't have write access, so there is more equality between you and the manufacturer. Thats the logic, but I agree it is a bad idea because it incentivises placing firmware into ROM, which cannot be replaced after reverse engineering it.
I’ve never seen a big problem with things like SSDs or sensors and likewise parts having their own blobs. Sure, it’d be nice if you can poke around in them, but they don’t have DMA and they have no way to communicate with the outside world.
It’s as if you put a untrustworthy guy on a really far away island and occasionally go to him and ask him what the temperature is. He has no way to observe what is happening on the mainland, and even if he did he has no way to talk to anyone about it.
Hmm, I’m not sure I agree. Malicious firmware blobs in your disk controller could do all sorts of damage, like silently replacing parts of executable files with whatever they like. Someone made a proof of concept of this a few years ago - where they managed to replace some of the controller firmware in a hard disk. Their modified drive would then silently replace a certain executable with something else. And on that drive, the attack was persistent.
And are modern NVMe drives isolated? Is your system secure if you have a malicious PCIe device attached? (Even if disk controllers are isolated, are graphics cards? Couldn’t my NVMe drive just claim to be a GPU and DMA all it likes?)
> Hmm, I’m not sure I agree. Malicious firmware blobs in your disk controller could do all sorts of damage, like silently replacing parts of executable files with whatever they like. Someone made a proof of concept of this a few years ago - where they managed to replace some of the controller firmware in a hard disk. Their modified drive would then silently replace a certain executable with something else. And on that drive, the attack was persistent.
See Spritesmods.com [1] for a PoC from 2013 (!!). Guy managed to run Linux on the firmware.
This is pretty nifty, but I have to imagine that it is also detectable if you look for it. The drive can't differentiate between being read for execution and being read for analysis. So if an executable has been modified from the expected value, presumably a bit-by-bit or checksum comparison would reveal the change.
Such a program could be injected into the firmware of the machine, so it will never be read from disk, and it is unlikely need updating. One could also produce a second, clean room, program which does the same thing. This could serve as a back up in case a buffer overflow or similar exploit is found and leveraged in the first validation program.
Additionally, without the ability to self-update its signature database, version updates would render this hack ineffective.
> So if an executable has been modified from the expected value, presumably a bit-by-bit or checksum comparison would reveal the change.
The drive could do things like serve up a malicious version of a system DLL on boot (within the first 20 seconds of being powered on). Then deliver unmodified copies of the file on subsequent read requests. An attack like that would be difficult to detect even if you plugged the drive into another computer.
And as for self updating, the payload could make internet requests, and fetch updated versions of itself online. The controller could then look out for any write which contains a well known sequence of (seemingly random) bytes. And then flash itself with subsequent bytes written to disk. The system component just needs to write the update to a temporary file, flush to disk, then immediately deletes it again afterwards.
I agree with some other sibling posters that the best protection against this is probably full disk encryption. Is that enabled by default yet on windows or macos?
Could a rogue SSD move things around in your filesystem? If so, couldn't it install a rootkit?
Either way, it's not just about backdoors. A blob is like a car that you cannot perform maintenance on. You want to be able to fix bugs, and also inspect it to check if there aren't any. Maybe customize it.
> Did you know that most modern Intel and AMD computers come with backdoors implanted by the NSA and other agencies? You do now, and it isn’t pretty.
The mere possibility that this is true should be enough for us to seek alternatives, but is there any evidence that it is actually the case? My impression was that the Intel Management Engine was a stupid idea but not intended to undermine security.
At 47:10, they mention that they haven't found anything evil. Ofc, this isn't hard proof, but if I trust anyone's answer, then it's theirs. (Btw, watch the whole talk, it's nothing short of incredible.)
These prices seem quite reasonable for sourcing a good vintage ThinkPad model (and spec variant) and flashing with Libreboot successfully.
If people want to source and flash on their own, it's definitely doable, but IME (as primarily a software person) the difficulty ranges from mild headache to a major one, based on which ThinkPad model and phase of moon. :) https://www.neilvandyke.org/coreboot/
I've been using an X200 with Trisquel and Guix package manager on it for a while now. While I have another non-free machine, which is quite powerful, everytime I code on my X200 it is a joy to work with. Very satisfied with it, but I think it is a matter of expectation management. You will not be able to play modern games or display some 4K videos on it (I guess). I do not need those, when I want to be productive and not get distracted from coding.
We won't ever be free until we can compete with chipmakers ourselves. We can make free software at home but making computer hardware requires billions. Maybe one day it will be possible to manufacture chips at home.
I understand your position. If enough people think different from you, we will still be able to buy devices with "real freedom". If too many people agree with you, we run the risk of having zero devices that respects our freedom.
Right now, if you want a ryf-certified device, you have to choose a very old device (x86) or pay a lot of money for a very powerful one (POWER9). If enough people join the cause, we may, in the future, get affordable freedom respecting devices.
Moore's law has pretty much flattened out since around the early 2010s. Most new laptops for sale these days are Core i5 ~2.5 GHz with 4-8 GB RAM and 'HD' integrated graphics just like they were 10 years ago.
Intel has flattened out is probably more accurate.
Processor speed improvements have indeed not kept pace in desktop / high TDP offerings.
A lot has however happened in the lower power chips used in laptops/mobiles in the last 10 years.
Apple silicon or most ARM type SoC chips of today are so much much better than anything from late 2010s in performance at that power draw.
This has also coincided with decreasing desktop demand as more people use phones or laptops as their primary or only device.
I don't have enough know-how to state with certainty that it is the just the market movement with more R&D money in lower power processors or if there are hard tech limits but certainly is a factor
My $600 laptop's cpu performance is about double that of the x200. I'm not sure about transistor number, but the performance increase is huge. I upgraded from a Thinkpad T410 this year, using a T60 until 2019. I can't go back.
I wish I knew what the intel ME and AMD's PSP actually did for 'normal' users. The only time I've ever encountered IME has been in the context of out-of-band server management where it "makes sense" and I totally get it. But I don't get it on consumer computers. It's got to cost something at some level -- there must be a reason why it's worth the chip space. What is it?
Intel's quote saying that they do not do that, nor do they have access, could be true. However their statements allow for the possibility that someone else designs backdoors, puts them in, and can use them.
> "Intel does not and will not design backdoors for access into its products."
> "Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user."
It would be much easier to say, "there are no backdoors", but they don't.
They do basic bring up and power management. They're the part of the chip that deals with properly bootstrapping the "main" cores, tweaking voltages and spinning up the fans when the computer gets hot. All of these things are really best done with the kind of micro-controller like logic that's part of IME, the main CPU is way too complex to deal with this stuff on its own.
It might not actually provide any benefit at all - it's entirely possible that ME/PSP are simply included because it's slightly easier/cheaper for Intel/AMD to design and ship a single unit than two separate units, or a single software configuration on that silicon instead of two different configurations - just like how they'll fab a single piece of silicon and then selectively disable pieces of some chips and sell those as lower-performance parts.
Obviously, that doesn't make any sense to a consumer - but that's the logic that the manufactures might be following.
This is interesting, but I'd love more details. How is proprietary firmware stripped from the SSDs, for instance? How's the firmware vetted for wifi interfaces?
We really need more options for free and open hardware.
The SSD firmware is not stripped, but it also does not have any access to the Internet or RAM. AFAIK they use WiFi adapters that use free firmware and drivers.
Is there a typo here or am I misunderstanding something:
> Do you know have rights? Most computers nowadays will never spy on you and restrict your activities, but not ours! You have 100% control over your Libreboot system, free from surveillance.
I'm tempted to pick one up just because I already use Colemak.
I'd be really tempted to try to change the keyboard firmware to behave more like my Pok3r keyboard (particularly replacing capslock with a function key and making fn+IJKL act as arrow keys).
If they are going to invoke 1984, it seems like Minifree would be a Windows laptop with WSL installed or something else that has the appearance of freedom while being completely the opposite.
I'll be the guy to recommend/shill Lenovo's Thinkpad range, I've been using my T480s for three years now, struggle with a reason to change to anything else.
The trackpad isn't as good, goes without saying as Apple have a faustian deal on their trackpad tech, but apparently some folks have replaced the T480's trackpad with the glass one from the the X1 [1] with great results - something I'm thinking of once my T480s goes out of warranty.
I am a person who did that swap on my T480s with the glass trackpad. It is glorious. Easy to do and cannot recommend enough. Also very much satisfied with the T480s and I am a notorious laptop hopper. Although the System76's with Coreboot are starting to creep into my mind, but I know the quality will not be near that of the Lenovo.
IMO, post like 2016, Apple had no such monopoly on ‘premium’ laptops in any capacity. There were better trackpads and keyboards in some, better screens in others, more compute in some, more ability to expand and repair in some, options for touchscreens, etc. …and most laptops were cheaper with flagships from any brand checking a majority of those boxes. Some laptops are even more expensive going well beyond MacBook capabilities if you needed the most color-accurate screens or the most CPU cores or the biggest GPU.
Pick any major brand and they probably have something great.
The only things you really don't get in alternatives is a) the Mac OS and software software & b) better resale value because Apple sells lifestyle products.
Agree. They are working hard to kill all the good stuff in macOS and if they have a way to close it, as iOS and replace it with iPadOS with some xcode implementation, it is over.
Better to invest in multi-platform software and run VMs.
Luckily for me I have seen the writings on the wall and switched this year.
On a harware level, instead of giving Apple ton of money I now run in the office custom pcs with water-cooling and laptops are Thinkpad X1 Carbons.
I guess I've always looked at weight & battery life first, trackpad / keyboard & general build quality second, and then actual specs/performance third. As far as I can tell, Macbooks have always been the best choice for that. Especially once retina displays came out. And even now with the crazy performance of M1 Macbooks, that's gonna be hard to beat.
You may have already bit too hard into the ecosystem when you use Apple marketing terms like "retina display" instead of hiDPI.
There are more than one better laptop across all of those metrics as a whole.
One thing Apple does do significantly differently is moving along tech (for better or worse) because the other OEMs can be timid in their experimentation until a generation after a big switch in Apple hardware.
I bought an ASUS Zenbook last year and I can thank Apple for setting trends for hiDPI, DCI-P3 displays, Thunderbolt, and big trackpads. But on the flipside, I can lament Apple for bad trends and it not having a 1/8" headphone jack and soldered RAM. And because it wasn't Apple I have a touchscreen+stylus and saved a lot of money.
The newest trend of using ARM (and RISC) processors in laptops (could care less about what Apple brands it as) is a good one though. There have been attempts at good ARM chips, like Samsung's flagship ultrabook, but too many applications didn't run on it to make it feasible. I had an old Chromebook I slapped Linux on and it was a mess because certain applications, namely anything leveraging Electron or just having a .deb file, wouldn't run. For better or worse, people have to cater to Apple making such switches. Now you have started to see projects actually release binaries outside of x86.
Indeed! They are selling like hotcakes. You can sign up for notifications for when a model comes back into stock. But this doesn't extend to individual specs (i.e. if the i5 spec is sold out on the Pangolin model)
https://system76.com/laptops/pang11/configure
I'm using an HP Elite x2 G4 (now G8) Tablet running Ubuntu and have been pretty happy with it - my goals were more about ergonomics (using on a stand detached with nuphy keyboard + apple trackpad.) Basically like having a Microsoft Surface but with a larger 13" screen and better repairability (ssd is removable, spare wwan slot if you go without LTE)
Biggest weird thing I had to do was tune the speakers with PulseEffects. Think only the fingerprint reader isn't supported.
I strongly recommend people buying products from people who are willing to make sacrifices to offer a product that respects your freedom.
If we do not support people like her, we assume the future risk of having zero costumer really owned devices.
Whenever you plan to buy a device and care about not being spied and having control over your owned device, please consider supporting vendors listed here: https://ryf.fsf.org/