Introducion to coreboot and firmware security

I have noticed that the topic of firmware security/freedom is not mentioned very often in Techlore’s community, so I thought that I would change that.

Should you even bother?

Assuming that your are somehow interested in information technology, information
security, software freedom etc. this might be the topic for you.

If you do not include any virulent threats in you threat model, you still might want to
know something about the topic, to be able to get around common restrictions
implemented by hardware manufacturers.

Hardware level restrictions

Essentially, its not a secret that many hardware vendors want to restrict what users are allowed to do on their devices. Despite that I am huge fan of lenovo devices, i despise their anti consumer practices, such as whitelisting various components (such as wifi cards, wwan cards, displays etc).

This means that any attemt to boot your device with unauthorized
component will fail. Such restrictions can be sometimes bypassed by patching your motherboard’s firmware (either UEFI or EC) which I will discuss later.

A few words about Coreboot

Coreboot is an open source replacement for proprietary firmware , mostly for x86 devices.

Coreboot itself only does hardware initialization and then passes on control to another piece of software, called payload. It can run a few different payloads on a supported devices, such as:

  • SeaBIOS (an open source reimplementation of legacy BIOS)
  • TianoCore (same as above but for UEFI)
  • GRUB (bootloader made by GNU project. Used mostly by libreboot)
  • Heads (a security-oriented payload used by purism devices)

Beside old Lenovo ThinkPads and a few minor devices, it is mostly supported by devices offered by System76, Purism and Starlabs.

Conspiracy theories vs real threats

There are many people who claim that various common, closed-source hardware components, such as Intel Management Engine or AMD Platform Security Processor
are spyware. This is nonsesne . There are no proofs that those microcontrollers are used to intentionally spy on hardware users. This would be very expensive and tedious to implement. If corporations would really want to surveil us, they would simply use hardware to lock us inside their ecosystems and then use their software to spy on users.

While it is true that those components had security issues in the past, a serious vulnerability discovered in something like ME will be very,very valuable, and therefore it would be very risky to attack normal people with it.
Some law enforcement authorities will rather drop charges against notorious offender than burn a hacking tool
it is not something that you should be concerned about, unless you have very specific threat model.

On the other hand, if you really think that some sophisticated attackers would go after you, it all gets abit tricky. There are various examples in which your device might be subjected to firmware/hardware based attacks ,such as:

The answers

If you are a free software enthusiast, who just wants more open device, consider
buying one from a vendor that shipps some or all of their devices with coreboot preinstalled, such as System76 or Star Labs

A honorable mention would be framework laptop which focuses
on repairability, with coreboot support planned in the future

if you include more sophisitcated threats in your threat model, I would advice you to get used to A resonably secure operating system first, and then consider getting a hardware recommended by its community

Some devices worth mentioning here would include purism librem mini or NitroPC if you prefer a mini pc over laptop.

I personally use lenovo x230, with coreboot that I installed myself.

As a side note, I would recommend you to avoid libreboted devices (and older
than those), unless you want to roleplay RMS. Those devices are sometimes praised as totally free devices, which is false . While I do respect the hard work of Leah Rowe and other amazing people behind the project, those old devices are slow for todays standards, have alot of confirmed and unfixable vulnerabilities in their processors and using them might expose you to unimaginable amount of copium

Can I install coreboot / uefi patches / whatever myself?

Yes and no. basically if you have a supported device, you can do it and it is not too hard to do that if you are somehow tech-savvy person. However if you do not have enough skills to do that and/or your device is not supported, do not do that. You will most likely brick your device.

Some people recommend doing it with ch341a or with software method (such as with 1vyrain), however I wouldn’t recommend using those. ch341a often has issues with voltage, which might destroy the chip, and if you will do something wrong with 1vyrain, you will need to do external flashing anyway. I would simply recommend using raspberry pi.

Keep in mind that you might encounter some issues after installing coreboot / uefi patch itself. For example, enabling secure boot on tianocore is abit tricky for now (I was not able to get it working myself, but it is totally doable, I will just need more time). After applying UEFI patches, you migh often loose access to build-in TPM. So you either have to not use this feature entirely or just carry your /boot partition on USB stick with yourself).

What about IME on a stock firmware?

There i a project called me_cleaner that you can use with or without coreboot. For Haswell CPU and above, you will most likely have to use hap bit method to disable ME. However, you might experience the same issues with TPM as above.

To sum things up

Dont get too crazy and stay safe. If you have any questions, feel free to ask!

5 Likes