I love my T440p, and as a Linux machine it's great. But full disclosure, it's not perfect, a few drawbacks to be aware of:
* Batteries can be hard to find, and they last 6 hours at most.
* No USB-C docking capabilities (but you can use the old dock that uses the weird port under the laptop). Weirdly enough you can mod it to charge with a USB-C PD cable instead of the thinkpad one.
* The iGPU is slow by today's standards.
* The keyboard is okay, but was a downgrade from the T420 (aka the old IBM layout).
* VS the T430, you don't have a way to connect a plugable PCI-e port.
* The default screen it's horrible (but can be upgraded to a nice IPS full hd panel for not that much).
If you're okay with that, despite its age it's a great machine, the CPU it's ok for most tasks, and gives you a chance to have an amazing control in your system from OS to BIOS (or well, as close as you can get without digging the full rabbit hole that are firmwares for other components).
I say if you only look for bang for the buck... this it's not a machine for you, but it's more if you want a OSS community backed laptop, this it's the one for you in case you don't like the framework laptops.
In the article they (you?) say
T480 and explicitly not T470. I own a T470 and have been using it only with Linux since new and would still highly recommend it. Some of the upgrades they did I had ordered from Lenovo upon order (screen, battery, RAM). Mine has a i7-7600U however, which is maybe where the differential they're referring to lies. The newer i5 has double the cores/threads to 4/8 vs 2/4 in the i7 of the T470.
Regardless, the T470 is still my daily driver as my personal laptop and everything works as good as the day I bought it. It's still jarring typing on my M1 MBP 16 after spending any time on the T470. Apple still has garbage for keyboards. Have they gotten better? Sure. They're still horrible though.
Would agree with that. Great Linux machine with that extra kilometer of freedom. With an upgraded CPU still powerful enough for 2023 and probably a few years to come. Probably one of the most powerful systems you can get with (nearly) free firmware and while not the best bang for the buck, probably the best bang for the buck for freedom that's available. I think all other systems with libre firmware are either way more expensive or less powerful …
Would add to your points:
* Rather heavy for a laptop (at least for my taste).
* Very upgradeable, much cool!
* You probably want to upgrade the touchpad to get separate trackpoint buttons.
* To flash the firmware yourself you need to get access to both BIOS chips. To get to the second BIOS chip you need to nearly completely disassemble the machine. While not necessarily difficult to do, their is a good chance you have PTSD from breaking plastic clips afterwards …
> Weirdly enough you can mod it to charge with a USB-C PD cable instead of the thinkpad one.
Not weird at all, you just need a 20V decoy board, those can be bought for about a dollar a piece on ali. They obviously won't transfer data. It just so happens that the barrel charger module is in a nice separated large block of plastic that can be hollowed out to fit the usb c socket inside.
I think I have close to this, it’s effectively capped at 8gb of ram (I think 16gb sticks exist, but are very expensive), aside from that it’s perfect for a throw around machine.
I buy them off eBay, and toss them to people (family, friends, employees), they’re brilliant all-in-one with cheap access to new power supplies, etc.
Out of interest, since you and another commenter have both observed it’s not the best bang-for-buck, could you give an example of something that is? Or, at least, comes close?
I can't give a specific example sadly. In my opinion it is not the best bang-for-buck because you need to luck for that specific model and the needed parts. I think you can find better deals if you are open e.g. for other Thinkpad models that are currently sold at a better price in your country but can't run Libre/Coreboot. I think T440ps are already out of the "companies are dumping them on the used market"-window so their are probably better deals with a bit younger models …
They buy this LibreBoot (blob-free CoreBoot, for the uninspired) …and then they go ahead and install Ubuntu on it?!
No, no, actually they run IBM RHEL or its “free” variants!
It’s all about unknown blobs (binary large objects) embedded in the dynamic processor microcode, firmware —even the chips themselves, even the FPGAs, even the sealed SoCs and processors …or is it?
Maybe the LibreBoot Boys will actually load some obscure distro being maintained by some ethically challenged college-aged non-college students sharing an apartment and using a lot of mind altering substances? A few lines of obfuscated code here, a digital signature there and they have a backdoor “because they can.” Maybe they grow up, move on and another, more innocent, maintainer takes over and the backdoored project is incorporated into many more projects. SabreDAV? Arch? <DrEvil Voice> ReiserFS?
So maybe the LibreBoot Boys are “smart” and run barebones Debian, but then…they start downloading containers because “everyone is doing it” Even if the container images are clean and competent (a big IF), the underlying network/firewall tech in their chosen container orchestration system is at a level of complexity many orders of magnitude above most admin competency —and some of those orchestration apps are also one-man bands, running out of a coffee shop by “some guy”, who probably is late on his rent open to a big bag of cash involving container signatures …or maybe they are just so financially distracted, the complex orchestration software that others are running critical infrastructure on is totally being ignored.
How about infected blobs AND containers? Yes, many Chinese network routers/SANs now come this way. They even run forks of mainstream distros (like ImmortalWRT disguised as OpenWRT or some re-adulterated version of Ubuntu, neither of which anyone seems to be able to recreate with a matching binary signature, or even get to boot from the “open source” bits on Github). Some of these devices are then customized by American “brands” and resold to an unsuspecting Western public.
..and the commenters on here talking about wireless cards are spot on, it’s been known for 40 years —-not to mention that here in 2023, the wireless SoCs and network cards in general have reprogrammable firmware, in some cases, remotely reprogrammable firmware. Take a look at ESP32-C6…purpose built to give your devices a mind of their own. Nobody really knows what’s in the firmware. Some have assumptions based on “everyone is doing it” but that’s like eating hotdogs without thinking about how they are made —at least until one day you bite into one and find an eyeball.
What to do? Start eating kosher hotdogs for a start and then use computer hardware and software that has passed similar kinds of checks. Oh, that’s right, there is almost nobody performing such checks on computers like there are on the kosher dogs (though Apple is trying).
The fact is that we are already under attack like the ancient city of Troy (where a massive wooden horse was left outside the gates before being pulled inside as an accepted peace offering when out popped trojans wielding swords who let the rest of the army in). AT THIS HOUR the CCP military surrounds Taiwan using kinetic munitions during “exercises.” We have physical deterrents, they know it, and yet they keep preparing their military, probably because they can imagine “throwing the switch” and injecting (or triggering) viruses in firmware blobs, containers, “rock” chips, etc. throughout the West. As has repeatedly happened in certain US municipalities, someday our Western leaders could receive the “mother of all Chinese ransomware notes” and have to stand down and watch the world be conquered out of fear of another Great Depression triggered by Chinese computer viruses.
Hopefully this saved someone a ticket to RSA (and who wants to get stabbed to death on the streets around Moscone anyway https://www.sfgate.com/bayarea/article/911-audio-released-bo... ). Some good vendors are System 76 (pop_OS!), Apple, DELL and Cisco. Make your companies, industry regulators and local governments aware of these issues and maybe someday…
correcting myself: the warriors in the horse were the Achaeans, the Trojans were the ones who opened the gates to wheel the horse (they symbol of Troy) into their city.
my solution to this conflict would be formation of a compulsory membership trade group that governs all shipments in and out of the West, with full authority to audit the pallets of computers down to the chip level, the firmware blobs and to expel members for any aggression against other members. Congress would then require that all international trade not governed by the group is an illegal act of treason and a threat to US National Security. this kind of approach won't work if it's not implemented before China can cultivate alternate high population trade partners (like Africa and Russia) enabling them to give us a cold shoulder.
S76 machines don't come with Windows drivers. They also require custom firmware packages on every distro except POP OS. Coreboot BIOS has almost no options available to the users via UI.
NVIDIA is still broken on Linux and even moreso with S76 + Coreboot. Sleep does not work. S76 firmware required to change to hybrid, compute, or integrated mode for graphics card.
- without the branding in such large font? (I understand it's an important form of advertising for small companies).
- with a touchpad that has actual physical buttons?
Same questions for framework laptops if anyone knows.
Tuxedo gives you the option to order their laptops with either the Tuxedo logo, a custom logo, or no logo.
I ordered the InfinityBook Pro 14 Gen7 without any logo and it looks really clean.
NovaCustom also sells some of the same laptops with coreboot (there are a few differences in the configurations, but it's close), and you can choose a custom logo or no branding at all. Unfortunately, there's no option for a touchpad with physical buttons.
Since I am daily driving Thinkpad E540 I can say I wouldn't buy a 10 year old device at this point.
I maxed out mine, using i7 4702mq, 16GB of RAM and 256GB SSD, AC wifi and fullHD display. The machine doesn't feel slow for regular day to day tasks. However, the memory is getting close to being full (my AVG is 13GBs used) and the lack of USB-C is starting to really hurt my productivity. Using a docking station or a meeting room without pulling all the cables apart is getting quite annoying. Also the trackpad is really subpar. So at this point I am looking for an upgrade to Framework 16.
E540 has a shitty case in my opinion, totally without metal. Keyboard is vulnerable to liquids and original one is also hard to find. Touchpad is a batshit.
Totally agree about the case, I replaced it once because it started cracking on various places. On the current one, the fan grill is broken yet again, but so far that's the only thing.
The keyboard was not hard to find though, took me couple minutes on ebay two years ago, when I started to have issues with stuck keys.
Replacement keyboard is really easy to find for this model but pressing keys in this one is not as smooth as in original one. Fan grill made of plastic is doomed in any laptop.
Meanwhile my x220 works perfectly despite of really careless using because of metal case and keyboard which can survive a liquid and does not let it to spill on motherboard. I mean that statement about 10 y.o. laptop is not true especially if talking about good old thinkpads. But E540 does not share any good qualities except of name of that beautiful laptop family.
I don't really understand the argument here. I did point out some flaws with running old laptops, regardless of the model or manufacturer. Touchpads were not great at the time in general (neither screens for that matter), and usb-c is just missing. The specs are also getting to the point where it starts to feel slow, especially with current horribly overbloated webapps.
I am not sure about what you mean by "not as smooth" keyboard. What matters to me is the accuracy and speed I perform at. And since I can hit 110wpm with great accuracy, just like on my mechanical keyboard, I don't see any real issue with it.
Also for the record - I dropped my laptop twice back in the university where they had those tables tilted and it slipped. It did survive both drops, the cracks started appearing over time. I never spilled anything at or close to the laptop though. I keep my beverages on the left side of the table so I can't accidentally bump them.
I was looking at porting a mobo to coreboot (Dell) and learned about Intel boot guard. That kind of thing should fall under right to repair and be illegal. My device, my choice on how I flash it.
And how does the device know that it is the owner of the device trying to flash it and not an attacker wanting to bypass secure boot? It's safer to have it assume that everyone flashing it is an attacker.
I don't think making secure devices should be made illegal. People who want to buy insecure devices are an outlier which means there isn't much demand for a purposefully insecure device. Using the legal system to force manufactures to purposefully make insecure things doesn't seem right to me.
>It's safer to have it assume that everyone flashing it is an attacker
In other words: "let's put everyone in jail because someone might be a thief", I find this way of thinking to be moronic. I wonder how an attacker could get physical access to a machine, disassemble it and flash without getting detected. Plus, if I already have physical access to the machine and plenty of time to execute such an attack, why not just grab the drive?
I hate this trend of forcing users to run nonsense programs in order to use their devices, like Windows 11 forcing you to have a Microsoft account during the installation process.
>let's put everyone in jail because someone might be a thief
No, it's more like devices should consider security holistically and only offer an API that is secure. Hacker News doesn't allow any users to edit any other's comment. Is that putting all users in jail because we don't have a capability which is technically possible?
>I wonder how an attacker could get physical access to a machine, disassemble it and flash without getting detected.
Just because an attack may be niche it doesn't mean that the vulnerability should be ignored. Some customers like businesses can be extra paranoid of attacks like these and have concerns about these attacks.
>it's more like devices should consider security holistically and only offer an API that is secure
I am not against this, this would be ideal.
>Hacker News doesn't allow any users to edit any other's comment
Those comments are not yours, so this is a false analogy. I am talking about something that is technically possible and within your own device.
>Just because an attack may be niche it doesn't mean that the vulnerability should be ignored
True, but I also believe that preventing the users from fully using their devices is not good, providing an API like you said would be the perfect solution.
>Because the drive should be encrypted
The average user doesn't know about drive enryption.
> The average user doesn't know about drive enryption.
Nor should they. Good news though, it’s on by default in any recent Windows which supports it. So a great many millions of users are using it without needing to know or care.
Bullshit. The User should be able to get at every implementation detail. These things should be discoverable. A tech that cannot be learned except by some esoteric priesthood is a failed tech.
>Those comments are not yours, so this is a false analogy
It was an example of showing a capability exposed to users designed with security in mind. Mods being able to edit posts on forums despite not "owning" them is a normal feature. A better example for this site specifically would be submission titles.
>The average user doesn't know about drive enryption.
All major consumer operating systems Windows, macOS, iOS, and Android use drive encryption by default. Users don't need to know about it to be protected by it.
IMO, as long as a human is using the device, there's always the rubber hose. Thus, Benjamin Frank's sacrificing liberty for security quote is quite applicable, especially since the threat here is very unlikely for most consumers.
If you'd like to run a Coreboot/Libreboot laptop, which hardware you use, and whether you have someone do it for you, is probably influenced by how it needs to be flashed.
Best case: The particular hardware supports software flashing from the start, with some easily-accessible enable switch or Vulcan nerve pinch boot mode.
Medium case: You undo a few screws, and can get easy access with a SOIC test clip, and your ad hoc RasPi programming setup can do a good read or write within a few tries.
Worst case: You not only have to desolder SMT, or use a flaky SPI programmer while the flash chip is in-circuit, but you have to pretty completely disassemble and reassemble a laptop. https://www.neilvandyke.org/coreboot/
All cases might be trivial for an EE technician who does this frequently, but, for software person me, the fun quickly turned to headache. Knowing that, Minifree's prices might look very good.
Note: After the initial flash, subsequent flashes (such as for updates, or your own experimenting) could be done purely by software, unless and until that's disabled. This might be less secure, but it could otherwise be very practical. But, even if you have easy subsequent flashes, if one of the flashes breaks the device, you might have to go back to an initial painful flash to fix it.
guys i'm curious... about security: some say intel has a backdoor, but there is this guy Nicola who says it's not true... if it's not true, why is the driver closed source, and why is it impossible to disable ME?
Intel CSME (formerly ME) and AMT ST (formerly PSP) have many properties that are / would be desireable for someone who is/was building a backdoor (DMA, TCP/IP stack that can use onboard ethernet without the host OS being aware, closed source, unremovable, etc).
Keep in mind that even if there has not been a backdoor deliberately added, there absolutely have been serious exploits in ME and PSP, and even for those who are not worried about the government, these security coprocessors still pose grave risk to data privacy and security, potentially handing "ring -3" access to non-government hackers.
While I personally share your belief that these are probable backdoors, it is important to remind skeptics that they pose a grave security and privacy threat even outside the context of a government backdoor conspiracy.
There's a great talk on the risks posed by the capabilities of these security coprocessors by an extremely well-versed individual at Google who was (leading? involved at a high level?) working on Google's efforts to neutralize these dangerous subsystems at Embedded Linux Con in 2017: https://youtu.be/iffTJ1vPCSo
>DMA, TCP/IP stack that can use onboard ethernet without the host OS being aware, closed source, unremovable, etc
You do know a wifi card has the same capabilities, right? There are many processors in your computer that can talk to the rest of the system in a privileged way.
>there absolutely have been serious exploits in ME and PSP,
Such as? I wouldn't call any of the found vulnerabilities serious.
>that they pose a grave security and privacy threat even outside the context of a government backdoor conspiracy.
Okay, but you need to balance those problems with the very real security benefits this allows Intel to offer.
Exactly. Even if we assumed for the sake of argument that wifi cards have complete access to the system, that in and of itself does not excuse CPU vendors to broaden the attack surface and prevent owners from narrowing it back down.
I can't wait for riscv systems to take off. Hopefully we'll get more than the two horrible choices we have now and, hopefully, they won't be able to abuse the market in the same way.
Screw both intel and amd for deliberately putting us all at risk.
>Screw both intel and amd for deliberately putting us all at risk.
Keep in mind, if these are government backdoors, it's likely Intel and AMD were compelled to put them in, there's a gag order on the existence of the program, and there's a gag order on the first gag order. It could be a situation where Intel and AMD really had their hands tied, so to speak.
That's why I'm rooting for riskv processors, so that we can get the equivalent of reproducible openSSL binaries. US chips that are found to be irreproducable can be rightfully ignored.
What's special about RISC-V? How does companies not having to pay for using an ISA in a processor having anything to do with whether they implement other processors inside of their processor?
It's not that RISC-V guarantees truly transparent firmware and microcode; as you correctly point out, it does not.
What RISC-V offers is the possibility of truly transparent firmware and microcode. This comes as a refreshing alternative to x86, which guarantees that firmware and microcode, including those of security coprocessors (e.g. Intel CSME & AMD ST, formerly ME and PSP) will not be transparent.
I am not as well-versed in the specifics of ARM's TrustZone as I am with Intel CSME and AMD ST, but I understand many of the people uncomfortable with the latter two are uncomfortable with the former as well. I do not believe it comes with the same capabilities as CSME or ST (PSP), but I do know that earlier versions of PSP were implemented using an ARM TrustZone core. That said, I need to do a lot more reading and research on it before forming more substantial positions on it.
None of those have any benefit for me. I have secure boot on my machine with my own keys and Librem Key hardware token: https://news.ycombinator.com/item?id=35436908. Can I disable the ME on “my” machine?
What is secure about those video and audio?
This is why I said usually. Creating a VM specifically for a wifi card is not done by >99.9% of ME users.
>I have secure boot on my machine
It's my understanding that the ME chip is involved with the secure boot process.
>Can I disable the ME on “my” machine?
No, it's a part of your CPU and the designers of the CPU rely on its existence.
>What is secure about those video and audio?
The security is about preventing other programs from being able to capture the video and audio. Sometimes programs want the ability to output something to the user, but don't want other programs to to be able to save it or analyze it.
>The security is about preventing other programs from being able to capture the video and audio. Sometimes programs want the ability to output something to the user, but don't want other programs to to be able to save it or analyze it.
The big gripe of a lot of people is that what this actually means is DRM, and that functionality is not there to offer security to the end user, rather to offer security from the end user.
At a philosophical level, when the end user purchases computing hardware, this traditionally has meant that the hardware became the end user's property, and it becomes the owner's intrinsic right to use it how they want, even to misuse it -- You wouldn't buy a car that was incapable of going 16 mph in a 15 mph zone, or making a turn without the turn signal being activated, would you?
Frankly, I even get the desire for piracy. Piracy is not theft, it does not strip another person of their property. You may argue that it strips the original content creator of their royalty (plus the parasitic organization publishing the content of their 95%+ "fee"), but I'd counter by suggesting that even of the pirates who could afford to pay for such content, ~99% would not otherwise pay for that content if they weren't pirating it, so that's really a false argument - if they even would pay for it, then they'd have just paid for it, wouldn't they? Not to mention that piracy democratizes access to diverse forms of art, making it available to the poor, who have just as much a human right to appreciate art as the rest of humanity. Further, the piracy ecosystem preserves otherwise lost forms of art. I wanted to watch a 1998 German movie called "23" a couple weeks ago. Couldn't find a legitimate copy available to purchase or stream anywhere in my country, neither physical media nor digital, but TPB had multiple copies with English subs.
Besides, it's not like these security coprocessors (including Microsoft Pluton, the private-sector newcomer to the probable public-sector "security coprocessor" club) actually prevent competent folks from capturing media. They're a nuisance that raises the cost of computing hardware, ostensibly a public good in the information age, while doing effectively nothing to prevent piracy.
If even a single argument for the legitimacy of the existence of Intel CSME and AMD ST is DRM, a.k.a. "to prevent poor people from appreciating art, ensuring that countless artistic creations are lost forever, and needlessly raising the cost of a utility that borders on a public good", I can only hope that I've demonstrated the downsides of this argument.
I simply think that a an explicit backdoor in Intel ME would be quite a risky move, but I do not have access to non-public information, so who knows?
Also, the ME plays a fundamental part in the initialization of the Intel silicon (especially from Skylake/ME11 it appears), so it makes sense that it can not be disabled freely. It is close source because it is the way it works in the silicon world, as having an open firmware exposes information which may be bring advantage to the competition.
Well I did it on my t440p and I didn't find it entirely trivial including the risk that you may brick the motherboard and that the Laptops sold over their are additionally refurbished if I understood correctly … So £130 is not too much in my opinion. Obviously it is on the high side because low volume and support for free software ·
If you have nothing else to do. Then your own time is worthless and I would agree with you. If you have family and ir a job, your time is the most valuable asset. 130 pounds seems reasonable for not having to do this one off flash procedure.
* Batteries can be hard to find, and they last 6 hours at most.
* No USB-C docking capabilities (but you can use the old dock that uses the weird port under the laptop). Weirdly enough you can mod it to charge with a USB-C PD cable instead of the thinkpad one.
* The iGPU is slow by today's standards.
* The keyboard is okay, but was a downgrade from the T420 (aka the old IBM layout).
* VS the T430, you don't have a way to connect a plugable PCI-e port.
* The default screen it's horrible (but can be upgraded to a nice IPS full hd panel for not that much).
If you're okay with that, despite its age it's a great machine, the CPU it's ok for most tasks, and gives you a chance to have an amazing control in your system from OS to BIOS (or well, as close as you can get without digging the full rabbit hole that are firmwares for other components).
I say if you only look for bang for the buck... this it's not a machine for you, but it's more if you want a OSS community backed laptop, this it's the one for you in case you don't like the framework laptops.