
Some practical details on a Thinkpad X60 (http://www.coreboot.org/Board:lenovo/x60/Installation, check for yourself how it works on https://www.youtube.com/watch?v=HKdLhbmjrDI)

coreboot time (as per cbtime) : 1.5s, followed by kernel and system boot in (as per systemd-analyze) : Startup finished in 2.244s (kernel) + 611ms (userspace) = 2.856s

I'm using grub2 as a payload, and that's what I call a fast boot for a debian Wheezy (details on http://www.coreboot.org/pipermail/coreboot/2014-July/078215....)

But you can use other payloads too - even chainloading them from grub!

"stealing the VGA bios" in column 4 is not mandatory if your hardware supports native video init, and today I just succeeded in replicating the video support using SeaBIOS (cf http://www.coreboot.org/SeaBIOS and http://www.coreboot.org/pipermail/coreboot/2014-February/077...), which means that I can now load a standard grub and maybe other operating systems should I want to use them on the X60, without any blackbox blob - who knows what may be hidden in these blobs.

Why is that interesting? Because in the default bios (cracked open with bios-extract, Phoenix BIOS "Phoenix FirstBIOS(tm) Notebook Pro Version 2.0 for ThinkPad") there is a Computrace backdoor as option rom 2E (cf http://securelist.com/analysis/publications/58278/absolute-c...).

If I ever need to do things on a windows machine, I don't want bios rootkits - and coreboot makes that possible, thank you :-)

If you like playing with operating systems, boot, etc. coreboot is very cool.

Is coreboot ready for practical usage for someone paranoid about security, but needing to use real-world operating system with production-grade stability and performance on more-or-less modern hardware (something like X60 is kinda ok; maybe just a little bit newer?)

It's all the caveats you mention. So in a word, yes, but to get a decent system with coreboot your first stop should be a look at Google Chromebooks, not because they _should_ be the first stop but because they're above the curve in terms of being pretty modern, reasonably priced, and coreboot-supported.

The X60 is a good option, too.

I'm actually interested whether X200s is supported, as that's what I use now and what I'm ok with. I can see myself using this or X220. I had X60s, but it would feel limiting already: among other things, it only supports 3GB RAM. I looked into hardware support list http://www.coreboot.org/Supported_Motherboards#Laptops and only see X201 and X230 mentioned, but X230 board is not supported by flashrom. Does that mean that flash chip has to be replaced (a new one soldered in the place of old one) to use this board? Should X200(s) and X220 be supported?

Looks like the hardware support situation hasn't improved a single bit since the last time I looked into coreboot. That's a pity.

How well does the computer work, when it is supported? Are there stability issues? Is performance the same? Do all of the same devices work, as with proprietary BIOS?

Getting everything on a laptop supported is definitely hard, so any help you can give is appreciated.

When it is supported, there are different outcomes. The individual board pages on the wiki can offer more details. The X60 is especially well supported because of a combination of factors:

1. Lenovo was actually pretty helpful

2. Lots of coreboot hackers have worked on the machine for years

3. Lots of other linux hackers have also worked on various parts (which improves the support for all the devices)

So without doing any research, my understanding is that the X200s and to a lesser degree the X230 cannot achieve that level of support, mostly because it would take the coincidence of all that work coming together. But it's not all bad: the Chromebooks are getting that work done by a group of paid engineers, and there is a recent addition to the supported laptops (not fully open, but close; not amazing hardware, but decent) - the HP m6-1035dx.

I got an HP m6-1035dx on ebay, and my experience is that everything works fine. I suggest throwing away the mini PCIe wireless card it comes with and putting in a better one, but I haven't brought it up on the coreboot mailing lists because it's not really coreboot's fault. HP just built a cheap laptop and so it has a junk wifi card.

Hopefully that helps? Cheers!

The X60 doesn't have Computrace in its original BIOS; that appeared starting with the X61. If it's there it got in through an update or someone deliberately installed it...

Either way it's not so hard to remove that option ROM and reflash the BIOS. ;)

I beg to disagree. On all of the motherboards I have, it was present in every single one of them - but on some it "didn't show", i.e. there was no warning message when entering the bios, so I believe it was not activated or something. But the option rom was present on the X60 tablet. You may want to check yours.

Also, which tool would you use to remove this option rom? CBMROM does not work on phoenix firstbios, and the phoenix editor tools don't work on the 2 Mb image.

I'd be delighted to know, just because I have that it's still there on my "reference" motherboard (used to test whether issues are due to coreboot or not)

I just checked the first version of BIOS update for the X60 available from Lenovo's site and... damnit, it has the option ROM! My X60 is not with me at the moment but I know I never updated the BIOS since I bought it so it should have the very first version that was released, and it's possible that Lenovo silently modified their previous versions to incorporate Computrace. No signs of it being activated (yet).

phdecomp + phnxdeco worked to unpack the BIOS into its modules; it shouldn't be difficult to reassemble it without the Computrace module and fix up the checksum, then reflash. But on the other hand, since the C&C server can be modified, maybe it might be more fun to activate it after pointing it to a server I own, and then I get a free backdoor that I can use...

I did exactly that many years ago, also with an X60T. The redirection works perfectly. It's documented here: http://corelabs.coresecurity.com/index.php?module=Wiki&actio...

Also, in Blackhat 2014 Anibal (one of the original core researchers) will present a complete reversing of the computrace protocol.

told you so :-/ If you run bios-extract on a dump of your x60t, you'll see Computrace is in 2E_0.rom.

I have no idea on how to reassemble the pieces into a working bios. It's not just a checksum, that's for people doing SLIC ie replacing or adding stuff at the bottom. A missing table in the middle might cause problems. Isn't there an index too?

Anyway, the alternative hack you suggest would be quite a cool one :-) I didn't know it was possible to change the address of the c&c in the option rom (IIRC, it's like packed in an EFI header, then again - I just don't know which tools to use), but if it is, I'd be quite interested - even more if the computrace protocol has been reverse engineered ;-)

Feel free to contact me by email!

I don't think Computrace is that bad.

It's not bad per se. But it's badly designed (no digital signatures whatsoever in binary or protocol), and it has complete control of your machine.

A very dangerous piece of proprietary software preinstalled in all corporate laptops that you cannot deactivate, uninstall or even patch. It may not be a rootkit, but surely can be used as one.

It's not bad, but it is a rootkit. Some people don't want that functionality to exist regardless of who is handed the keys.

does coreboot for the thinkpad x60 have the same SATA hack that the closed source Middleton third party bios has?
